When Spies Go Remote: The Rise of Planted Insiders in the Digital Age


Back in my government days, I used to worry a fair bit about the risk that hostile states might find a way to plant insiders into our midst. Historical memories of Philby, Burgess and Maclean had not yet been laid to rest in government, and the exposure by the FBI in 2010 of glamorous Russian spy Anna Chapman and the Russian illegals programme brought the risk to the forefront of our minds once more. Nor were hostile states our only concern. What if terrorists or extremists were to find their way into sensitive parts of government or the national infrastructure? Such fears were not fanciful. Both the aviation and the nuclear energy industries have been victims of serious insider-mediated attacks over recent years.

But while we took this threat seriously, we knew that our primary risk came not from people who had joined government departments with the intention of causing harm, but from existing employees who – for whatever reason – had ‘gone bad’. And since turning my attention to insider risk in the corporate sector, I have continued to work on the basis that ‘planted’ insiders are a rarity. Yes, from time to time we see examples of organised crime gangs trying to place people into financial organisations in order to bypass internal controls, but fraud and other hostile acts by disaffected existing employees are more common and more serious.

But a couple of recent stories have made me wonder whether planted insiders are on the rise. A few weeks back, UK cybersecurity company KnowBe4 publicly admitted having hired an engineer into their internal IT AI team who turned out to be a North Korean hacker using a stolen US identity to try and penetrate their systems. To their credit, they seem to have detected him quite quickly and have subsequently shared helpful tips for avoiding and detecting such errors (https://blog.knowbe4.com/how-a-north-korean-fake-it-worker-tried-to-infiltrate-us). And last week, there was news that another, unidentified company had inadvertently hired a North Korean cybercriminal to work for them remotely (https://www.bbc.co.uk/news/articles/ce8vedz4yk7o). In both cases, the cybercriminals concerned will have been working under the sponsorship and direction of the North Korean government.

So how are such breaches possible when you can check someone out on LinkedIn in an instant, reverse-image-check their CV photo and contact referees at their university or previous place of work? My colleague Susanna Berry, who did her PhD in online and offline identity deception, will tell you that in an age of ubiquitous data capture it is nigh on impossible to pretend to be someone you are not. Creating and sustaining a false persona with all the necessary real-time and historical digital attributes is a full-time job. And inhabiting another person’s identity without slipping up and without them becoming aware of it is equally challenging. But the thing is, it’s only hard if anyone is actually checking. What these recent cases confirm is that the checks carried out by employers or screening agencies are often pretty basic and easy to fool if you know how. And the North Korean intelligence agencies clearly did.

A couple of anecdotes do not of course prove that this kind of insider attack is on the rise. But there are plausible reasons to think that they might be. First, the increase in remote working means that employers may not meet their prospective employees in the flesh before hiring them, making it hard to verify the existence of a physical identity. Second, remote working has meant the loss of many of those basic ‘human gut’ checks that take place when people are working physically side by side. Third, the sorts of technical checks that could determine whether someone is working out of Pyongyang as opposed to Portland, Oregon are not usually ones that are carried out by HR departments. And finally, the drive by most companies to get on top of their cyber vulnerabilities has meant that threat actors are turning more and more to this comparatively low-risk approach to achieving their goals.
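One concrete instance of the kind of technical check the third point alludes to, written here as an added example rather than anything from the article, from KnowBe4 or from Blacksmiths Group: it reads remote-access (VPN) log lines and compares each session with the location the employee declared at hiring, flagging sessions whose source resolves to a different region and sessions that fall outside plausible working hours in the declared time zone. The log lines, the employee profiles and the address-to-region lookup are all constructed for the illustration; in a real deployment the lookup would come from a geolocation service, and a single flag is a prompt for a conversation with the line manager, not proof of anything.

```python
"""Compare remote-access sessions against declared work location.

Added example, not code from the original article. All data below is
constructed: employee profiles (assumed to come from HR), the source
address to region lookup (assumed to come from a geolocation service)
and the VPN log lines themselves.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed HR data: declared home region and UTC offset per employee.
DECLARED = {
    "jdoe": {"region": "US-West", "utc_offset": -7},
    "asmith": {"region": "UK", "utc_offset": 1},
}

# Constructed lookup standing in for a geolocation service.
SOURCE_REGION = {
    "203.0.113.10": "US-West",
    "198.51.100.7": "US-East",
    "192.0.2.44": "Asia-Unknown",
}

# Constructed VPN log, one session per line: "<UTC timestamp> user=<id> src=<ip>"
LOG = """2024-08-01T15:05:00Z user=jdoe src=203.0.113.10
2024-08-01T23:40:00Z user=jdoe src=203.0.113.10
2024-08-02T02:10:00Z user=jdoe src=192.0.2.44
2024-08-02T11:15:00Z user=jdoe src=192.0.2.44
2024-08-02T08:30:00Z user=asmith src=198.51.100.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_line(line):
    """Return (user, source address, aware UTC datetime) or None for junk lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return m["user"], m["src"], ts


def analyse(log_text, declared, source_region, work_start=6, work_end=22):
    """Return (per-user summary counts, list of individual findings).

    A finding is (user, ISO timestamp, reason). Reasons are
    'region_mismatch:<observed region>', 'off_hours:<local hour>' or
    'unknown_user' for sessions by an account HR has no record of.
    """
    summary = {}
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        user, src, ts = parsed
        profile = declared.get(user)
        if profile is None:
            findings.append((user, ts.isoformat(), "unknown_user"))
            continue
        counts = summary.setdefault(
            user, {"sessions": 0, "region_mismatch": 0, "off_hours": 0}
        )
        counts["sessions"] += 1

        # Check 1: does the session originate from the declared region?
        observed = source_region.get(src, "unresolved")
        if observed != profile["region"]:
            counts["region_mismatch"] += 1
            findings.append((user, ts.isoformat(), f"region_mismatch:{observed}"))

        # Check 2: is the session within plausible working hours in the
        # declared time zone? Consistent off-hours activity is the tell.
        local_hour = (ts + timedelta(hours=profile["utc_offset"])).hour
        if not work_start <= local_hour < work_end:
            counts["off_hours"] += 1
            findings.append((user, ts.isoformat(), f"off_hours:{local_hour:02d}"))
    return summary, findings


if __name__ == "__main__":
    summary, findings = analyse(LOG, DECLARED, SOURCE_REGION)
    for user, counts in summary.items():
        print(user, counts)
    for finding in findings:
        print(*finding)
```

Run on the constructed log, the script reports that two of jdoe's four sessions came from a region other than the declared one and one of them sat at 04:15 local time, while asmith's single session resolved to US-East rather than the UK. The useful signal is the pattern over weeks, not the individual line, which is why the summary counts sessions rather than simply printing each anomaly.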

For a long time now, we have urged companies not to over-rely on screening as a means to combat insider threat. I still stand by that line. But if these cases turn out to be part of a larger trend, those companies most at risk would do well to look more closely at their screening processes and check that they are not unwittingly inviting their enemies into the fold.


About the author

Malcolm Sparkes is a senior security consultant at Blacksmiths Group where he works alongside experts in information and technical security and behavioural scientists in order to provide a genuinely convergent approach to security challenges.
