By Tyler Lalicker, Principal Detection Engineer, Data Science
Accidental insider threats are a serious security concern that can significantly impact organizations. They are caused by employees, contractors, or other personnel who unknowingly cause harm to an organization’s information systems, networks, and data. The three case studies presented below — business email compromise (BEC) fraud involving tech companies, a data exposure incident at a US federal agency, and a significant spear phishing attack — collectively demonstrate the different types of incidents that can occur and the potential impact they can have. These incidents highlight the importance of understanding the critical traits of accidental insider threats, implementing adequate security measures, and training employees to help prevent and mitigate these types of incidents. As we continue to forge the new work-life ecosystem, which includes remote and hybrid work, staying on purpose requires continuous adaptation — INSA (Intelligence and National Security Alliance) has an excellent paper on the topic here.
Threat Profile: Accidental Insider
Impact Area: Data Loss, Malware Execution, Sabotage, Fraud
Description: Insider who, by accident or negligence, hurts their organization, affiliates, co-workers, or customers
Accidental insider threats, caused by employees and contractors unknowingly harming their organization’s information systems, networks, and data, are a significant security concern for companies today. These threats can be challenging to prevent as they are often a result of an individual’s risk-tolerant behaviors, cognitive biases, or personal/professional stressors (read more from CMU on this topic). This report provides an overview of the concept of accidental insider threats and uses case studies to illustrate the impact of these threats on organizations. We will explore different stages and implications of accidental insider threats and provide an understanding of the importance of being proactive in identifying, preventing, and mitigating them.
Case 1: $100M fraud involving US tech giants
For a period of two years, an attacker orchestrated an elaborate scheme to deceive two large US-based internet companies into wiring funds to bank accounts they controlled. The fraud included impersonating a supplier the victim organizations worked with, setting up bank accounts to cover their tracks, and a targeted phishing campaign.
Stages of the attack
- The attacker created and incorporated a company in Latvia that bore the same name as an Asia-based computer hardware supplier with which the victims regularly conducted multimillion-dollar transactions.
- They then used this company to open and control various bank accounts in Latvia and Cyprus.
- Fraudulent phishing emails allegedly from the supplier were sent to employees of the victim companies, directing them to wire money intended for the supplier to the fraudulent bank accounts instead.
- Emails were sent from accounts designed to look like they were from employees of the supplier.
- The phishing emails successfully deceived the victims into complying with the fraudulent wiring instructions.
- After the funds were wired, stolen funds were moved to different bank accounts worldwide, including Latvia, Cyprus, Slovakia, Lithuania, Hungary, and Hong Kong.
- The attacker also used forged invoices, contracts, and letters that falsely appeared to have been executed and signed by executives and agents of the victims. These documents which bore false corporate stamps embossed with the victims’ names were submitted to banks in support of the large volume of funds that were fraudulently transferred.
Impact of the attack
- The two victim organizations lost over $120 million due to this scheme.
- The companies face reputational damage due to the incident.
- In addition, the incident potentially exposed the victim companies to legal and regulatory repercussions.
- The incident occurred due to a lack of proper oversight and monitoring of financial transactions and a failure of security measures such as multi-factor authentication and fraud detection systems.
- The incident also highlights the importance of employee education and training in identifying and responding to phishing attempts and the importance of regular security audits and assessments to identify and address vulnerabilities.
- It also shows that companies must have a proper incident response and communication plan to handle such scenarios.
Case 2: Data exposure at US federal agency
Private information involving about 120,000 taxpayers was temporarily made public by a federal agency. The confidential data was accessible to download on the agency’s website search engine for about a year. On investigation, the agency discovered a human coding error was responsible for the data exposure.
Stages of the attack
- An employee of the victim organization made a coding error while updating the website.
- This error led to the exposure of confidential data of about 120,000 taxpayers from Form 990-Ts, a business tax return used by tax-exempt organizations, being posted on the organization’s website via the site search engine.
- The error went unnoticed for about a year until an employee recently discovered it.
Impact of the attack
- The data that was accidentally leaked included the taxpayers’ names and business contact information.
- Sensitive information such as social security numbers, income information, or “other sensitive information that could impact a taxpayer’s credit” was not released.
- The data being publicly accessible for a year potentially exposed these taxpayers to identity and financial fraud.
- This incident highlights the key trait of accidental insider threats being caused by employees, contractors, or other personnel who unknowingly cause harm to their organization’s information systems, networks, and data.
- The incident occurred due to a lack of proper oversight and monitoring of the website, which allowed the coding error to go unnoticed for months.
- The incident also highlights the importance of proper training and standard operating procedures in preventing accidental insider threats and the importance of monitoring and oversight in detecting and mitigating them.
Case 3: Spear phishing attack
Over a decade ago, attackers successfully hacked into the victim organization’s system. Because of the nature of the attack and the potential damage to the organization’s reputation, this attack that became the event the cybersecurity community would recall for years, the details of the incident are only recently available. Examining how the attack unfolded provides valuable insights for security teams.
Stages of the attack
- The attackers executed a spear phishing campaign targeting the victim company with an email that contained a link to a malicious website which appeared to be trusted.
- An employee clicked the link, and Poison Ivy malware was downloaded to the computer giving the attackers access to the company network.
- The attackers established remote control with a tool called Hammertoss which gave them the ability to laterally move through the network and gain access to additional systems and data.
- The attackers stole sensitive information which led to a supply chain attack with their two-factor authentication product.
- The stolen information was later used in a separate attack on a customer of the victim organization.
Impact of the attack
- Seeds were used to clone SecurID tokens, allowing hackers to bypass security systems and access sensitive information.
- The victim organization’s security team physically cut off network connections to limit damage and stop further theft, severely impacting the company’s operations.
- The organization’s reputation and trust with customers were severely compromised.
- The hackers escaped before an employee was able to delete stolen information.
- An adversarial military was identified as the perpetrator of the hack.
- The victim organization’s CEO believed it was necessary to notify customers and replace SecurID tokens, but faced challenges due to a lack of available tokens and had to shut down manufacturing for weeks.
- Victim organization executives have maintained that it was never proven that SecurID had any role in the contractor breach. Still, other sources, such as that contractor and a prominent US government agency, disagree.
These three cases highlight the importance of implementing proactive mitigation strategies such as creating productive and healthy work environments, reviewing and improving management practices, providing training and awareness, and implementing automated defense tools. Additionally, organizations must have adequate policies and countermeasures to guard against the impacts of accidental insider threat incidents.
For security professionals, it is essential to understand and recognize the distinct personality and behavioral profiles of individuals who may be at higher risk for being accidental insider threats, as well as the technical indicators such as suspicious network traffic, abnormal user authentication attempts and access, and unauthorized data access that can be used to detect and mitigate them.