There’s almost certainly a spy in your office - it could even be you

It has long been understood that employees represent one of the greatest cybersecurity threats, whether malicious or simply negligent. However, fewer businesses might imagine their employees are being puppeteered by a foreign state.

A recent paper from the US Senate suggests advanced actors now regularly plant individuals in large organizations, with a view to stealing data and research that can be used for economic, scientific or military gain.

China, for example, is said to operate more than 200 different recruitment programs, the most elaborate of which is the Thousand Talents Plan, which is estimated to have recruited 7,000 operatives or more. And China is by no means the only country to engage in these behaviors.

According to security company Mandiant, businesses need to take the threat of espionage more seriously, in the same way they would any other kind of cyberthreat, and improve their ability to detect the warning signs early.

“Access rules the landscape,” explained Johnny Collins, who heads up the insider threat division at Mandiant. “Every insider has it and every attacker wants it.” 

“Over the years, I’ve worked with every kind of organization you can imagine, from casinos to government entities. There is always [espionage] activity; if you haven’t found it, it’s there.”


The goal of these nation state campaigns is effectively to cut in line, says Collins; it’s both faster and cheaper to steal somebody else’s research and intellectual property than to build a competitive product or medicine from scratch.

The methods used to access the information they are looking for vary, but the reality of spying is much less glamorous than pop culture might suggest. In many cases, the spy doesn’t even know they are spying.

“A lot of people don’t understand that most employees are victims in this equation. They don’t know they are doing something wrong, because they are tricked into thinking they are doing something for the greater good,” Collins explained.

A common strategy among recruiters is to invite the target to attend an industry event, where they are approached and asked to moonlight as an adjunct professor, or endorse a certain initiative; in short, to enter into an arrangement. The beauty of this in-person approach is that there is no paper trail to alert the business to a potential threat.

Nation state recruiters have also been known to approach staff in broad daylight, via their corporate inbox, social media accounts or over the phone. But by the time the business has realized there is a problem, tens or even hundreds of emails may have passed back and forth.

At any one time, Collins told us, recruiters are likely targeting tens of different employees at any given company, using a scattergun approach to improve the likelihood of success, not dissimilar to phishing.

“Researchers and administrators are hot targets, folks with privileged access, but [recruitment] happens across the gamut. It just depends on the type of information the threat actor is after, and how quickly they intend to extract it,” he said.

In rare instances, when recruiters fail to gain access to an employee, they have been known to train up an individual specifically for the task. Known as “embeds”, these imposters are much closer to traditional spies and have a full understanding of the ambitions of their handlers.

“Sometimes, these embeds are quiet for a long time, even years. Then all of a sudden they gain access to the information they were recruited to hunt down, before disappearing into thin air. There is another level of tradecraft on display here.”

Setting up a defense

Mandiant research suggests insiders will be responsible for more than a third of security incidents in 2021, up from roughly 20% in previous years.

One of the main problems for security teams, though, is that differentiating between an insider incident and an attack from a malicious third party can be extremely difficult.

For example, many companies were convinced the now infamous SolarWinds attack was the work of an insider. How else would someone know so much about their environment, they asked.

However, advanced actors are often able to “live off the land”; to use the tools already built into the system as opposed to bringing in their own, so as not to trip any alarms.

Like an insider, these actors know how to move around the network stealthily, perhaps suppressing security alerts or removing keywords from data they intend to exfiltrate so as not to trigger data loss prevention solutions.

To diagnose insider attacks effectively, businesses need to combine technology with vigilance and a commitment to educating employees about the dangers nation state recruiters can pose, Collins claims.

From a technology perspective, it’s about having the ability to identify activity on the network (e.g. file transfers or data duplication) that is outside the norm. And when this activity is discovered, to be able to either explain it or shut it down.

“You’ve got to ensure you have technology that allows you to collect certain information. One of the most common issues we encounter is employees creating inbox rules to forward email to their personal address, but detections should be in place to keep tabs on this kind of activity,” said Collins.

“It’s about having the insight to be able to say: that doesn’t make sense. Many businesses can recognize traditional ‘badness’ but fail to distinguish between activity that could be both legitimate or illegitimate, depending on context.”
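The inbox-rule detection Collins describes, with the context check that separates explained forwarding from unexplained forwarding, can be sketched as follows. This is an added example, not code from Mandiant or the article; the rule-export layout, field names and domains are constructed assumptions.

```python
from collections import namedtuple

# Assumptions (constructed for this example): the domains and the export layout.
CORPORATE_DOMAINS = {"example.com"}
APPROVED_EXTERNAL = {"partner.example.org"}  # forwarding that is already explained
FORWARD_ACTIONS = ("forward_to", "redirect_to", "forward_as_attachment_to")

Finding = namedtuple("Finding", "mailbox rule action target scope")

def _matches(address, domains):
    # Compare on the domain after the last "@", subdomains included, so that
    # "example.com.mail.test" is not mistaken for "example.com".
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in domains)

def audit_rules(rules):
    """Return a Finding for each enabled rule that sends mail to an external
    address that is not on the approved list."""
    findings = []
    for rule in rules:
        if not rule.get("enabled", True):
            continue  # disabled rules move no mail
        # A rule without conditions copies every message, not a subset.
        scope = "filtered" if rule.get("conditions") else "all mail"
        for action in FORWARD_ACTIONS:
            for target in rule.get(action) or []:
                if _matches(target, CORPORATE_DOMAINS | APPROVED_EXTERNAL):
                    continue
                findings.append(Finding(rule["mailbox"], rule["name"], action,
                                        target.strip().lower(), scope))
    return findings

# Constructed sample export, not real data.
SAMPLE_RULES = [
    {"mailbox": "a.researcher@example.com", "name": "backup", "enabled": True,
     "conditions": [], "forward_to": ["a.researcher.home@mail.test"]},
    {"mailbox": "b.admin@example.com", "name": "to assistant", "enabled": True,
     "conditions": ["from:ceo"], "forward_to": ["c.assistant@corp.example.com"]},
    {"mailbox": "d.analyst@example.com", "name": "old", "enabled": False,
     "conditions": [], "redirect_to": ["d.analyst@mail.test"]},
    {"mailbox": "e.scientist@example.com", "name": "project", "enabled": True,
     "conditions": ["subject:trial"],
     "forward_as_attachment_to": ["X@EXAMPLE.COM.mail.test"]},
    {"mailbox": "f.legal@example.com", "name": "counsel", "enabled": True,
     "conditions": [], "redirect_to": ["counsel@partner.example.org"]},
]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(finding)
```

Each finding is a prompt to ask the mailbox owner for an explanation; targets that turn out to be legitimate go onto the approved list.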

Equally important, however, is training employees to recognize an unusual interaction with a third party and establishing a simple mechanism for reporting suspicious encounters. A common mistake is for businesses to focus on one of these factors, but not the other, rendering the system ineffective.

Ultimately, says Collins, businesses are bound to encounter insider threat as a result of nation state recruitment, in the same way as cyberattacks are considered inevitable. The ability to defend appropriately depends on the energy they dedicate to raising awareness and putting protections in place.

“We like to say that the juice is worth the squeeze; whatever effort you put into addressing insider threat, you’re always going to get an equivalent return on investment.”

Joel Khalili
News and Features Editor

Joel Khalili is the News and Features Editor at TechRadar Pro, covering cybersecurity, data privacy, cloud, AI, blockchain, internet infrastructure, 5G, data storage and computing. He's responsible for curating our news content, as well as commissioning and producing features on the technologies that are transforming the way the world does business.