By Tyler Lalicker, Principal Detection Engineer, Data Science
In this post, the second in our Insider Threat Profile Case Study blog series, we will focus on sabotage committed by an employee of an intelligence service who was tasked with creating offensive security and hacking tools and is charged with leaking these hacking tools to WikiLeaks.
As a refresher, this series focuses on breaking down the observable behaviors from real life insider threats and this particular case focuses on sabotage. Studies from CMU’s Insider Threat Center and PERSEREC note the following common indicators of Insider Sabotage:
- 84% say the cause of their actions were motivated by revenge, 12% did it for personal advancement.
- 90% tried to obfuscate their actions.
- 80% of the cases involved people who had rule or policy violations or interpersonal conflicts before their attacks.
- The majority of attacks occurred outside of normal working hours and used remote access.
Threat Profile: Misaligned saboteur
Impact Area: IT sabotage
Description: Insider in a technical role who becomes misaligned with their organization and decides to retaliate by sabotaging resources in a way that impacts confidentiality, integrity, or availability with respect to the organizational mission.
Published literature on insider threat actors identify specific observable behaviors for threat actors who commit sabotage, which have been summarized here into what we are calling the misaligned saboteur profile. The term misaligned comes from the individual falling out of step with organizational priorities, social norms, or rules and regulations. This profile does not focus on those who commit sabotage for personal advancement or unintentional insider threats.
Early work in studying insider saboteurs identified patterns of organizational over-reliance on the insider threat actor, introversion, computer dependency, ethical flexibility, entitlement, reduced loyalty, lack of empathy, and social and personal frustrations. Additional literature extends these findings, including having a troubled personal history, history of computer misuse, security violations, sensitivity to slights or being a “high-maintenance” individual, interpersonal conflicts, expressions of anger towards organizational sanctions, and a lack of inhibition for retaliation or revenge.
The misaligned saboteur in this case was an engineer who was working on a team for an intelligence agency that created offensive security tools supporting national security objectives all over the globe. During his tenure, there were many incidents of interpersonal conflicts and rule violations that escalated to a point where he threatened to go to the media about his perceived mistreatment by the victim organization. The victim organization responded to the misaligned saboteur’s behavior with both security controls and attempts to re-align him to the organizational mission. However, before leaving the organization, he stole highly confidential information and leaked it. The leak did significant damage to the victim organization’s mission and could have potentially endangered the lives of personnel working intelligence missions abroad. Further reinforcing the perception of a lack of ethical standards, when law enforcement investigated the malicious insider, they were also found to be involved in criminal sex offenses outside of work. This troubling case offers a look into the behavioral and technical indicators for insider sabotage and a glimpse into a complicated relationship between organizational and individual responses from an escalating insider threat.
In this case study, the victim organization had evidence of multiple instances of violations and interpersonal conflicts. This is consistent with patterns of IT sabotage indicators seen in formal studies, and indicates a need for insider risk teams to have access to reporting on interpersonal conduct violations. This sensitive information can be shared while maintaining individual privacy and organizational protection simultaneously. Experts in the field have devised methods for doing this by identifying high-risk individuals (either from internal reports of behavior or by seeking data on specific individuals with high levels of access) and only collecting data on these individuals, as opposed to broadly monitoring information across all individuals in the organization.
The observables will be categorized into the stages of the Critical Pathway to Insider Risk and relevant stages of the attack.
The misaligned saboteur exhibited behaviors that cover a large number of personal predispositions, which can be broken down into distinct sub-categories.
Social network risks
An individual being involved in “the internet underground” is generally a higher risk for misalignment with an organization. During the investigation it was also revealed that the individual had social ties to criminal groups sharing illegal media.
Personality or social skills issues
The misaligned saboteur had a history of conflict with others in school, for example drawing swastikas in multiple places including a Jewish student’s yearbook and numerous accounts of inappropriate behavior towards his peers. He had an acute sensitivity to perceived slights and reacted quickly and harshly. He was given the nickname “Nuclear Option” because he responded disproportionately to attacks. While in school, he inappropriately touched a female classmate sleeping on a bus during a field trip. After she reported the incident, he sent a virus to her over an online messaging service which destroyed her machine. He had difficulty accepting responsibility for his own actions and instead blamed others. After a heated conflict with a colleague, the pair were relocated to different offices. He said that he felt he was being “demoted” for reporting the issue to leadership. This behavior escalated to the point where he claimed he was going to publicize the story before ultimately resigning from his job. He was also a champion of individual privacy. Contrarily, this individual publicly stated that they believed Snowden and Manning were traitors who should be executed. This contradiction in his life shows some signs of compartmentalization.
The misaligned saboteur was also antagonistic toward perceived adversaries, including his manager. He would use condescending nicknames for people he saw as enemies, putting down his manager and declaring employees who were aligned with her as “pawn(s).” Finally, he showed signs of moral flexibility stating that he believed that leakers are traitors who should be executed, but went on to leak a massive trove of data when it served his interests.
Conditions that impact judgment
The misaligned saboteur had possession of a web server that hosted explicit child abuse materials. His online chat logs and internet search history revealed similar material. He also has many reports of sexual harassment and abuse he had committed over the years, including one case with a roommate. While these were discovered after the fact, they are signs of potential sex addiction which is a significant risk factor for insider threat.
Behavioral risk indicators: signs of narcissism; signs of general disgruntlement; law-breaking; ties to the internet underground; signs of sex addiction; history of interpersonal conflict
The misaligned saboteur likely faced significant pressure at work due to the mission-critical nature of his job. He worked with a group of talented individuals with similar interests. The team showed resilience to stress by being able to effectively use multiple outlets for stressors that they were experiencing. They would play with nerf guns and prank each other for fun; it was all part of their office culture. However, these positive social interactions stopped for him when a feud with a team member escalated out of control. The misaligned saboteur and his adversarial co-worker weren’t just pranking each other or throwing light jabs, their relationship became toxic. The two began making comments about the other’s appearance such as the misaligned saboteur’s baldness or his enemy’s weight. The misaligned saboteur claims that he was being threatened with comments such as “I wish you were dead…” or “wish you would die in a fiery car crash.” When management intervened, they ultimately decided to separate the two causing the misaligned saboteur to feel that he was being demoted.
Social relationships with his peers were strained as a result of this feud. Where he once had been able to fit into a group of individuals with an aligned mission, the misaligned saboteur eventually found himself an outcast as a result of his own actions. The stress grew over time as he continued to lash out at others around him, further destroying his interpersonal relations.
Behavioral risk indicators: interpersonal conflicts; role change
The misaligned saboteur had a history of violating social norms and interpersonal conflicts, but he did something surprising with the employee he had a rivalry with. After being told to move offices, he filed a restraining order against the employee which led to the organization separating the two further. The decision to move the misaligned saboteur to another floor was seen as retaliation and he threatened to take his story to the media. This pattern of escalation foreshadowed the leak that occurred shortly after.
Like other insider threats, his search history revealed multiple relevant artifacts. Aside from the aforementioned searching for illegal and explicit materials, ‘he had conducted thirty-nine searches related to WikiLeaks. In the hours after WikiLeaks posted Vault 7, he searched for “F.B.I.” and read articles with such titles as “F.B.I. Joins C.I.A. in Hunt for Leaker.’
Behavioral risk indicators: social norm violations; interpersonal conflict; security violations; signs of obsessiveness; expressions of hostility or resistance towards the organization or a policy; expressions of retaliation
In the referenced article, the victim organization responded to the alarming behavior with a combination of efforts to alleviate pressure. This office had a distinct culture that seemed to enable the team to deliver great results under stress. They combined actions like separating the warring teammates with reinforcing messages from leadership intended to realign him with the organizational mission.
After he was placed on another team, the misaligned saboteur saw that his permissions had been removed from a project. He went on to re-assign himself to the project, which was against protocol. The organization then removed his access as a system administrator and also made him sign documents that ensured his understanding of the wrongdoing.
There were a couple gaps in the organizational response, however. After removing his privileges as system administrator, he retained a way to access the system where the leaked information was located. Additionally, after he left it was discovered he had retained access to his special passport granted by the victim organization.
Technical indicators: documented policy violations; target risk reduction; information security controls; management intervention
After the series of incidents, the misaligned saboteur showed no signs of remorse for what he had done. Instead, he escalated the situation and continued to place himself as a victim. “I just want to confirm this punishment of removal from my current branch is for reporting to security an incident in which my life was threatened.”
He found new employment with another organization, which was successful. He eventually left in November of the same year of this escalating incident.
In this situation, it would have been prudent to continuously monitor the employee given the risks. Monitoring for risk mitigations could have included:
Professional decisions: Seeking a new role, professional training, or counseling/mediation
Management actions: Seeking support from HR/EAP, reports on social/professional re-engagement
Personal decisions: Seeking psychiatric counseling/treatment, improving social connections and support within or outside the organization, or developing healthy stress reduction techniques
Technical indicators: resignation; negative response to organizational action; threats to organization
This employee was a system administrator of sensitive systems, giving him high levels of access to critical resources.
Technical indicators: privileged access to sensitive data; system administrator of sensitive systems
The misaligned saboteur reviewed audit logs to identify who had revoked access to his project which he saw as retribution against him. Logically, it was not necessary for him to retain access after moving departments. However, the administrators didn’t delete all access to the server, so he got back in and explored what he had access to.
Technical indicators: rare file access; rare authentication; data access enumeration
He tried to social engineer the current administrator by saying that another person had approved adding back his administrator privileges to the system. When met with resistance, he mentioned that he would get it back one way or another. After a formal rejection via an email chain, he escalated his own privileges without approval, an action that was detected by the other administrator.
Technical indicators: user added to unapproved group; policy violation
After his access was removed from his primary account, the misaligned saboteur retained access through another key. He used this access to enter the system and collect the backups which were ultimately leaked to WikiLeaks.
Technical indicators: dormant account used to access sensitive system
The misaligned saboteur deleted logs during his unauthorized access to the system which contained the stolen data. The month following his major conflict, he downloaded Tails to his home network. Tails is an operating system that WikiLeaks recommends for submitting data to the organization. After monitoring to ensure that the data had been uploaded completely he searched for tips on how to wipe a device of its contents.
Technical indicators: audit log deletion; hacking software installed
Collection and staging
Evidence of the actual collection and staging process are not available. Most of the digital footprints in the case are not shared, however it was publicized that logs showed that the misaligned saboteur accessed the system that housed the data from the leak and specifically accessed a system backup from several weeks prior – and the data in that backup was identical to the data that was leaked.
Technical indicators: N/A
The massive leak is considered to be incredibly damaging. It contained techniques to hack cell phones, televisions, and even to break encryption used by secure messaging services such as WhatsApp. The documents leaked also pose a serious threat to operatives and employees of the organization in addition to reputation damage.
Technical indicators: sensitive data leaked publicly
The misaligned saboteur showed a continuing pattern of interpersonal conflicts and rule violations. When under high stress he attacked others and chose victimization over taking responsibility for his actions, both of which are common responses to shame. Instead of feeling any sense of responsibility for his actions, he claimed that the victim organization was punishing him for reporting the conflict with his colleague and while imprisoned ‘filed more than sixty official challenges to the conditions of his confinement.’
Thrill-seeking behavior is also tied to the avoidance of internal shame. He may have successfully coped with these feelings by taking on high-significance tasks such as building out a shared server to exchange media with others or working on mission-critical hacking software with a team of elite engineers. When he was in prison he engineered a system to charge contraband cell phones that many inmates used. Each of these instances placed him at the center of positive social reinforcement networks based on his technical capabilities. When the victim organization restricted his access to systems and moved him to another department, this interrupted his positive support system and the result was an escalating pattern of avoidance and attacking others. He showed signs of being in crisis, defined as ‘a state of feeling; an internal experience of confusion and anxiety to the degree that formerly successful coping mechanisms fail us and ineffective decisions and behaviors take their place.’
While this individual may be difficult to sympathize with, the case shows that organizational response needs to pair security controls with a focus on enabling employee success. Mitigating insider risk requires a strong partnership between management, human resources, employee assistance, and security in order to detect the malicious activity and respond to it effectively. The right balance between enforcement which establishes boundaries while simultaneously focusing on enabling employees is highlighted in work on positive deterrence to reduce risk.
Leadership at the victim organization struck a balance between enforcement and enablement by both implementing strict technical controls and working to realign the misaligned saboteur with the organizational mission and the importance of his work. This focus on his significance to help realign him with organizational norms could have helped him overcome the alienation he was experiencing.
For the misaligned saboteur profile type, mitigating factors should be continuously monitored to ensure that risk of incident is decreasing over time. These may include positive social reinforcement at work or at home, development of healthy habits including stress reduction techniques, and voluntary persistence in counseling or assistance programs. Having a thorough off-boarding process, especially for high-risk individuals, can also prevent potential damage. Finally, internal information sharing on risks that impact security and personnel can provide important behavioral indicators that are crucial to identifying sabotage and aid the process of helping the individuals at risk.