What if three disgruntled employees left your organization and took top secret information to a competing company?
What repercussions would follow and how would it impact your business?
In many cases, there would be a lawsuit. In this case, there was federal prosecution and a cybersecurity threat.
The Department of Justice (DOJ) released a shocking statement, which explains the scenario at the federal level. Three men, who formerly worked for the U.S. intelligence community and military, offered hacking services to a company based in the United Arab Emirates (UAE).
Information provided was highly sensitive, and the release paints a picture of three "hackers-for-hire" conspiring to offer their insights to another country. The employees apparently decided to pursue their illegal activities for a significant pay raise.
Prosecutors say, "despite being informed on several occasions" that the defendants' work required a license to be issued, they pressed on anyway.
Acting Assistant Attorney General Mark J. Lesko describes the case where insiders left to become criminal hackers:
"This agreement is the first-of-its-kind resolution of an investigation into two distinct types of criminal activity: providing unlicensed export-controlled defense services in support of computer network exploitation, and a commercial company creating, supporting, and operating systems specifically designed to allow others to access data without authorization from computers worldwide, including in the United States.
Hackers-for-hire and those who otherwise support such activities in violation of U.S. law should fully expect to be prosecuted for their criminal conduct."
The three men, Marc Baier, Ryan Adams, and Daniel Gericke, provided direction to the foreign companies in teaching hacking techniques, some of which could be used to attack the U.S.
Most unsophisticated cyberattacks rely on a click factor, where targets must click on something to initiate the attack. However, there have been a rising number of stories about "zero-click" exploits in use. SecureWorld News reported on the patch Apple released for an attack of this kind that targeted iPhones.
The DOJ says the defendants created this type of "zero-click" technology for the company located in the UAE.
While the company we're discussing was not named in the court documents, Law360 found evidence that the company in question may be DarkMatter Group.
"These services included the provision of support, direction, and supervision in the creation of sophisticated 'zero-click' computer hacking and intelligence gathering systems—i.e., one that could compromise a device without any action by the target.
U.A.E. CO [company] employees whose activities were supervised by and known to the defendants thereafter leveraged these zero-click exploits to illegally obtain and use access credentials for online accounts issued by U.S. companies, and to obtain unauthorized access to computers, like mobile phones, around the world, including in the United States."
In simple words, the hackers used their clearance and access to private information from U.S. agencies to attack targets, including some in the United States.
The three men charged in this hacker-for-hire case agreed to repay more than $1.68 million in lieu of prison time.
Bryan Vorndran, Assistant Director of the FBI's Cyber Division, condemned the crimes and warned others in similar roles about moving forward with illegal actions like these.
"This is a clear message to anybody, including former U.S. government employees, who had considered using cyberspace to leverage export-controlled information for the benefit of a foreign government or a foreign commercial company—there is a risk, and there will be consequences," Vorndran said.
But will those consequences ever include jail time?
Some commenters online believed the punishment was too lenient and questioned whether or not this would hinder insider threats like this in the future.
"The only 'message' the @FBI/@TheJustice Dept sends with this is: 'If you charge enough for your services, you can get off with a simple fine if we catch you.'"
Do you believe this approach is enough to prevent repeats in the future? Is this a scenario that is becoming more prevalent because of the demand for cybersecurity talent?
Malicious actors are malicious actors, but some don't leave your company or organization, they attack from within it. Sometimes on accident.
I recently attended a presentation by Chrysa Freeman, Senior Program Manager at Code42, at the Women in Cybersecurity (WiCyS) annual conference.
In her discussion, she talked about the traditional "militaristic" style cybersecurity takes on and explained how the majority of breaches—80%, in fact—are accidents, where insiders simply make mistakes.
To mitigate the risk from all types of insider threats, Freeman says cybersecurity should partner with people while keeping a mindful eye on those who could have bad intentions.
"We proactively protect data in this new world.... I think we should consider an approach that actively engages our users. How do we get them as partners with us instead of just saying, 'don't do this, do that'?
We need to move from policing to partnering because when people are afraid of the security team, they're not going to come to us," Freeman said.
And sometimes, those on the inside are the best at spotting someone else who is an insider threat—either the accidental type or the malicious type.
RESOURCES:
Register to attend the upcoming SecureWorld webinar, 5 Must-Haves in Developing an Insider Threat Program that Protects Sensitive Data.
Listen to the SecureWorld Sessions podcast episode, Season of Cybercrime: The Insider Threat.