Malicious Insider Scenarios
Insider threats are often discussed as a broad category. This essay explores the malicious flavor of insider threat and ignores the “human error” or “accident” categorizations.
Each scenario is supported with in-the-wild observations. I’ve done my best to select resources that describe the threat’s TTPs or motives as best as possible.
I’ve expressed these risks as scenarios to help focus a group discussion. Narrow mitigations are easier to brainstorm with clear scenario-based requirements. Lastly, historical evidence is easier to come by when structured this way, as we’ve done below.
Impact is also expressed well as a scenario. However, you (the reader) will likely have their own impacts that concern them based on what they protect.
Hopefully this acts as a useful reference for those of you concerned with insider threats. Enjoy!
Writing risks in scenario language
I push others to express risks as scenarios. A scenario is quickly described like a tabletop scenario. In longer form, it is a explicitly stated future event that can pass a clarity test. (ctrl+f “the clarity test”) This test makes it easier to subject your risk to quantitative measurement when a time frame is added.
The following scenarios are discussed with examples.
- An insider (or recent employee) has sabotaged operations.
- An insider has profited from privileged data.
- An insider has accessed the customer data of someone they know.
- An insider has stolen data to advance a competitive interest.
- An insider has compromised data on behalf of a state actor.
- An insider has shared confidential information with media.
- An insider is holding the the company hostage.
Below are quick discussion with historical events.
1. An insider (or recent employee) has sabotaged operations.
Nearly every instance of sabotage involved a disgruntled employee who knew termination was imminent and took action before termination. Access wasn’t properly cut-off for post-termination sabotage, or the insider managed to backdoor their access before their last day.
Many were fairly simple administrative actions: delete this, disable that, change a password. One case (Omega) involved the deployment of malware.
Disney: A disgruntled former Disney employee allegedly repeatedly hacked into a third-party menu creation software used by Walt Disney World’s restaurants and changed allergy information on menus to say that foods that had peanuts in them were safe for people with allergies, added profanity to menus, and at one point changed all fonts used on menus to Wingdings, according to a federal criminal complaint.
WebEx: Ramesh admitted to intentionally accessing the Cisco Systems cloud infrastructure that was hosted by Amazon Web Services without Cisco’s permission on September 24, 2018. Ramesh further admitted that during his unauthorized access he deployed a code from his Google Cloud Project account that resulted in the deletion of 456 virtual machines for Cisco’s WebEx Teams application, which provides video meetings, video messaging, file sharing, and other collaboration tools. He admitted that he acted recklessly in deploying the code and consciously disregarded the substantial risk that his conduct would harm Cisco. As a result of Ramesh’s conduct, over 16,000 WebEx Teams accounts were shut down for up to two weeks and caused Cisco to spend approximately $1,400,000 in employee time to restore the damage to the application and refund over $1,000,000 to affected customers.
Tesla: “Direct code changes to the Tesla Manufacturing Operating System under false usernames and exporting large amounts of highly sensitive Tesla data to unknown third parties.” (Disputed)
Enervest: “Remotely accessed EnerVest’s computer system and reset the network servers to factory settings.”
City of San Francisco: A network administrator completely boxes out all access to critical San Francisco government network. Absolutely absurd story.
Oregon Health Authority: Heydari had administrative access to Oregon MMIS servers located in Salem, Oregon… Heydari was laid off by HPE. A few days later, he intentionally altered part of the MMIS system causing it to fail and resulting in an 8-hour loss of user functionality.
U.S. Army’s Chaplain Corps Religious Support System: Anthony engaged in a scheme to sabotage Federated IT’s contract with the U.S. Army Chaplain Corps including by deleting all user and administrator accounts except his to give him sole access to network systems, changing domain name registration information, deleting numerous files belonging to Federated IT, and unlawfully sharing proprietary information belonging to Federated IT with his personal accounts.
Bupa Global (UK): An employee of our international health insurance division (which is called ‘Bupa Global’), had inappropriately copied and removed some customer information from the company.
Canadian Pacific Railway: GRUPE was notified by Canadian Pacific that he was going to be fired. Before returning his company-issued laptop computer, GRUPE used the laptop to access Canadian Pacific’s computer network. Once on the network, GRUPE deleted data, including deleting some system administrator accounts entirely and changing passwords for the other system administrator accounts. GRUPE attempted to conceal his access to the network by deleting logging information on the Canadian Pacific computer network that would have revealed his activity.
Omega Engineering (CNN) (Wikipedia): Three weeks after he was fired, he unleashed a hacking “time bomb” within OMEGA’s computer systems, deleting the software that ran all of OMEGA’s manufacturing operations.
2. An insider has profited from privileged data.
These cases required some form of profit scheme that otherwise wouldn’t have been possible without access to data.
Note: This section balloons in size if you consider classic insider trading where insiders were authorized to have confidential data. I will only include scenarios where an insider was active in searching for data they weren’t authorized to have.
Block (Square Cash): On April 4, 2022, Block, Inc. (the “Company”) announced that it recently determined that a former employee downloaded certain reports of its subsidiary Cash App Investing LLC (“Cash App Investing”) on December 10, 2021 that contained some U.S. customer information. While this employee had regular access to these reports as part of their past job responsibilities, in this instance these reports were accessed without permission after their employment ended.
Bank of America: The theft, “involved a now former associate who provided customer information to people outside the bank, who then used the information to commit fraud against our customers,” said Bank of America spokeswoman Colleen Haggerty, in an email message.
AOL: Jason Smathers of Harpers Ferry, W. Va., used his inside knowledge of AOL’s computer system to steal a list of 92 million AOL customer account “screen names,” and then sold them to Sean Dunaway, who is not an AOL employee.
Certegy Check Services Inc: According to court records, Sullivan, a resident of Florida’s Pinellas County, systematically accessed Certegy’s databases and downloaded consumer records over a five-year period starting in February 2002. The information that he stole included names, addresses, dates of birth, phone numbers, bank account as well as credit and debit card numbers, and payment card transaction data. Sullivan admitted that he sold the data to an unidentified third party for a total of $580,000. The third party in turn sold the information to other data brokers.
Amazon: Employees are offering internal data, via intermediaries, to independent merchants selling their products on the site to help them increase their sales in return for payments... Brokers for Amazon employees in Shenzhen are offering internal sales data and reviewers’ email addresses, as well as a service to delete negative reviews and restore banned Amazon accounts, in exchange for payments ranging from $80 (£61) to more than $2,000, the Journal reported.
Bithumb: As a result of the internal inspection, it is judged that the incident is an “accident involving insiders”… However, it was our fault that we only focused on defense of outside attack and lack of verification of internal staff… This won’t be happened again as we develop the internal workforce verification system.
Trend Micro: Trend Micro employee used fraudulent means to gain access to a customer support database that contained names, email addresses, Trend Micro support ticket numbers, and in some instances telephone numbers. Our investigation revealed that this employee sold the stolen information to a currently unknown third-party malicious actor.
AT&T: Syrilien unlawfully provided a co-conspirator with the personal identifying information from multiple AT&T customer files. Defendant Segu also unlawfully provided personal identifying information of numerous individuals to the co-conspirator.
Countrywide Home Loan: In his position, he had access to Countrywide computer databases, many of which contained sensitive information of Countrywide clients. He was responsible for giving out account information belonging to Countrywide customers to third parties over the course of two years. Rebollo said he obtained the information from Countrywide computers at his workspace and saved the reports to personally owned flash drives, according to the complaint. Rebollo opened a personal bank account specifically for the purpose of depositing and holding the illegal proceeds of the Countrywide data sales, and he estimated that he profited approximately $50,000 to $70,000 from the sale of the Countrywide-owned data, according to the complaint. Rebollo was requested by other individuals to obtain specific types of data from Countrywide, and he was able to provide the information because of his access to many of Countrywide’s databases that contained information about clients from around the United States, according to the complaint.
Verizon: Last week the U.S. Attorney’s Office charged a former Verizon Wireless employee, DANIEL EUGENE TRAEGER, 51, of Bessemer, with computer intrusion for gathering customer records to sell to the same private investigator. Traeger worked for Verizon in Birmingham as a network technician. Traeger is charged in a one-count information and, like Conley, has agreed to plead guilty. Traeger has admitted that he sold the private investigator hundreds of Verizon customer call records and location data records between 2009 and 2014.
AT&T: Conley was employed as a retail sales consultant at AT&T in Gardendale in 2011 when a private investigator offered to pay Conley for particular AT&T customer records, according to the plea agreement. Conley accepted the offer and, between 2011 and 2013, sold hundreds of customer records to the private investigator, all of which Conley had obtained from AT&T computer systems without the customers’ permission. In exchange, Conley received thousands of dollars in cash and check payments.
Jackson Health System: Reid was an employee of Jackson Health System when she accessed Jackson’s computer databases to steal patient PII, including social security numbers, of over approximately 24,000 individuals during a five-year period. Using the stolen information, Reid’s co-conspirators filed fraudulent tax returns in the names of Jackson Hospital patients.
AT&T: …Employees at call centers used by AT&T in Mexico, Colombia, and the Philippines accessed customer records without authorization. These employees accessed CPNI while obtaining other personal information that was used to request handset unlock codes for AT&T mobile phones, and then provided
that information to unauthorized third parties who appear to have been trafficking in stolen cell phones or secondary market phones that they wanted to unlock.
AT&T: FAHD recruited various AT&T employees to the conspiracy. Some early recruits were paid to identify other employees who could be bribed and convinced to join the scheme. So far, three of those co-conspirators have pleaded guilty admitting they were paid thousands of dollars for facilitating FAHD’s fraudulent scheme. Initially, FAHD allegedly would send the employees batches of international mobile equipment identity (IMEI) numbers for cell phones that were not eligible to be removed from AT&T’s network. The employees would then unlock the phones. After some of the co-conspirators were terminated by AT&T, the remaining co-conspirator employees aided FAHD in developing and installing additional tools that would allow FAHD to use the AT&T computers to unlock cell phones from a remote location. FAHD and a second co-conspirator, who is now deceased, allegedly delivered bribes to the AT&T employees both in person and via payment systems such as Western Union.
ShapeShift.io: Shortly after he leaves, one of our engineers pulls myself and Greg aside, and says, “While you were on your call, we were all sitting around the table, and we saw in the logs that Bob deleted two SSH keys while he was sitting there with us, then he grep’d several times for them [a server command to find specific text], and then he left. Those two keys matched the two keys we saw in the log this morning which accessed the Bitcoin server just prior to the hack.”
HackerOne: We discovered a then-employee had improperly accessed security reports for personal gain. The person anonymously disclosed this vulnerability information outside the HackerOne platform with the goal of claiming additional bounties.
3. An insider has accessed the customer data of someone they know.
These include domestic harassment, child exploitation, or sexual harassment, celebrity curiosity, or an unknown curiosity.
Dakota County Sheriff’s Office: An audit found that officers in the Dakota County Sheriff’s office, Bloomington Police, and state troopers, were among those who illegally accessed the file of Anne Marie Rasmusson over the course of nearly four years. There were 24 police officers in Minneapolis who accessed her record 133 times, and 42 officers in St. Paul who looked her up 175 times. A female officer in St. Paul looked up Rasmusson’s record 30 times over the course of two years.
Facebook: Facebook was investigating a claim that one of its employees used access to data granted by their job to stalk women online.
Google: …Repeatedly took advantage of his position as a member of an elite technical group at the company to access users’ accounts, violating the privacy of at least four minors during his employment
NSA: In 2011, one NSA employee working at an overseas base spied on the calls of her foreign boyfriend and other foreigners she met socially because she wanted to find out if they were “shady characters.” In 2004, an NSA spy monitored the calls of a foreign number she found in her husband’s cellphone because she suspected he had been unfaithful. In 2003, an NSA employee was internally investigated after a woman with whom he had a sexual relationship reported him to the government because she suspected he was monitoring her calls. An investigation revealed that over a period of five years, the employee had unlawfully monitored nine phone numbers associated with female foreign nationals.
Snapchat: Several departments inside social media giant Snap have dedicated tools for accessing user data, and multiple employees have abused their privileged access to spy on Snapchat users, Motherboard has learned.
Uber: Early this November, one of the reporters of this story, Johana Bhuiyan, arrived to Uber's New York headquarters in Long Island City for an interview with Josh Mohrer, the general manager of Uber New York. Stepping out of her vehicle — an Uber car — she found Mohrer waiting for her. "There you are," he said, holding his iPhone and gesturing at it. "I was tracking you."
Ring: Over the last four years, Ring has received four complaints or inquiries regarding a team member’s access to Ring video data… the attempted access to that data exceeded what was necessary for their job functions.
Lyft: Lyft staffers have been abusing customer insight software to view the personal contact info and ride history of the startup’s passengers. One source that formerly worked with Lyft tells TechCrunch that widespread access to the company’s backend let staffers “see pretty much everything including feedback, and yes, pick up and drop off coordinates.”
University of California: is firing at least 13 employees and suspending six others for peeking into the star’s confidential medical records, The Los Angeles Times reports.The newspaper also says six doctors face disciplinary action for peeking at Ms. Spears’s computerized records related to her recent stay there for psychiatric evaluation.
Tampa General Hospital: The lawsuit alleges that in June 2013, “it was discovered that a nurse who worked at TGH had accessed without authorization … records of a patient and discovered that the patient had given up a baby for adoption in October 2008. The nurse informed the family of this patient of this fact at a family reunion.” The nurse was later terminated for the violation, the complaint notes.
Jackson Health System: As part of our investigation into the breach, it was discovered that two employees inappropriately accessed the patient’s health record. That finding resulted in the termination of both employees.
MySpace: Multiple Myspace employees abused an internal company tool to spy on users, in some cases including ex-partners, Motherboard has learned. Named ‘Overlord,’ the tool allowed employees to see users’ passwords and their messages, according to multiple former employees. While the tool was originally designed to help moderate the platform and allow MySpace to comply with law enforcement requests, multiple sources said the tool was used for illegitimate purposes by employees who accessed Myspace user data without authorization to do so.
4. An insider has stolen data to advance a competitive interest.
There are a few cases where an individual has clearly been accused of taking data to start up or support their new business that competes with their former employer. Similar to the sabotage category, this also blurs the line between “insider” and “former employee”.
There are also cases where a competitor has somehow elicited the leak from an employee (Outside In).
Illinois Locomotive Company: Yao began working for the manufacturer in August of 2014. Within two weeks, Yao allegedly downloaded more than 3,000 unique electronic files containing proprietary and trade secret information relating to the system that operates the manufacturer’s locomotives. Over the next six months, Yao allegedly downloaded numerous other electronic fles containing proprietary and trade secret information, including technical documents and software codes. During that time, Yao allegedly sought, negotiated, and accepted employment with a business in China that provided automotive telematics service systems. The Chicago manufacturer terminated Yao in February of 2015 for reasons unrelated to the alleged theft, which at that time had not been
discovered. Shortly thereafter, Yao allegedly made copies of the stolen information. He allegedly traveled to China in 2015 and began working
for the Chinese company. On November 18, 2015, Yao traveled from China to Chicago. At the time, he allegedly had in his possession the stolen information, including nine complete copies of the Chicago manufacturer’s control system source code and the systems specifications that explained how the code worked. Yao allegedly returned to China at some point thereafter.
AMSC: Through Su and Zhao, Sinovel convinced Karabasevic, who was head of AMSC Windtec’s automation engineering department in Klagenfurt, Austria, to leave AMSC Windtec, to join Sinovel, and to steal intellectual property from the AMSC computer system by secretly downloading source code on March 7, 2011, from an AMSC computer in Wisconsin to a computer in Klagenfurt. Sinovel then commissioned several wind turbines in Massachusetts and copied into the turbines software compiled from the source code stolen from AMSC. The U.S.-based builders of these Massachusetts turbines helped bring Sinovel to justice. Su and Zhao are Chinese nationals living in China, and Karabasevic is a Serbian national who lived in Austria, but now lives in Serbia
Reversing the previous scenario, an insider employee has courted a competitor’s interest in the data. (Inside Out)
Walmart: accused the Compucom employees of sifting through internal Walmart correspondence in search of information that could give the firm an edge over competitors. In at least one instance, the filing says, the Compucom employees obtained information that may have helped the firm submit a winning bid… Investigators found that one of the contractor’s employees had gained access to the email accounts of Walmart’s chief executive and others involved in approving contracts with vendors like Compucom, the filing says. The Compucom employee, according to the F.B.I., would scroll through Walmart emails to obtain information about competing contractors’ bids and then pass what he learned on to his managers.
Gillette: DAVIS, was employed as a process controls engineer for Wright Industries, Inc., a Tennessee designer of fabrication equipment, which had been hired by Gillette to assist in the development of the new shaving system. The new shaving system project was extremely confidential and was treated so by both Gillette and Wright Industries. DAVIS told the court that in anger at a supervisor and, fearing that his job was in jeopardy, he decided to disclose trade secret information to Gillette’s competitors. The disclosures were made to Warner-Lambert Co., Bic, and American Safety Razor Co.
Or, they are just planning to compete.
Google/Waymo (Evidence) : Stroz identified multiple internet searches conducted in January 2016 on Ron’s iMac regarding data destruction, such as, “how to secretly delete files mac,” “secure delete of trash on mac” and “how to permanently delete google drive files from my computer.” Stroz Friedberg also recovered one deleted message between Ron and Levandowski on March 9, 2016 in which Levandowski instructed Ron to delete all messages on his PC and phone- “Make sure you delete all the messages tonight on both your PC and iPhone “ See Exhibit 79.
Rigzone.com: KENT conspired to access information belonging to Website-1 without authorization and to defraud Company-1. KENT accessed the Website-1 Members Database without authorization and stole customer information, including information from over 700,000 customer accounts. KENT then exploited this information by inviting Website-1’s members to join Oilpro. Similarly, one of Kent’s employees at Oilpro who previously worked for Website-1 (“CC-1”) accessed information in Website-1’s Google Analytics account without authorization and forwarded the information to KENT. In the meantime, KENT attempted to defraud Company-1 by misrepresenting during discussions about a potential acquisition of Oilpro by Company-1 that Oilpro had increased its membership through standard marketing methods.
IBM: Xu was arrested in December 2015 after meeting with an undercover officer at a White Plains hotel, where authorities said he was recorded saying he used proprietary IBM code to make software to sell to customers, according to prosecutors.
Allen & Hoshall: Needham admitted to repeatedly accessing, over a nearly two-year period, Allen & Hoshall’s servers to download digitally rendered engineering schematics and more than 100 PDF documents containing project proposals and budgetary documents. Needham also admitted to accessing, on hundreds of occasions, the email account of a former colleague at Allen & Hoshall, which provided Needham access to the firm’s marketing plans, project proposals, company fee structures and the rotating account credentials for the company’s internal document-sharing system. According to the plea, Needham used his unauthorized access to view, download and copy proprietary business information worth over $500,000
Apple (Complaint): As a result, an Apple investigation team (composed of Employee Relations and Global Security employees known to me) spoke to Chen. According to the Apple’s Global Security employees that I spoke with, Chen admitted to taking photographs in Apple’s workspace. In addition, Chen acknowledged that he had backed-up his Apple work computer to a personally- owned hard-drive. After Apple requested to examine Chen’s personally-owned devices that contained Apple materials, Chen provided Apple with a personally-owned computer and a personally-owned hard-drive. Chen provided consent for Apple to review those devices. In addition, Chen allowed, with Chen present, Apple to review his personally-owned phone. Apple’s review of Chen’s personally-owned hard-drive showed that Chen conducted a backup of his entire work computer onto a personally-owned hard-drive, in violation of Apple policy, since Chen’s Apple work computer had Apple’s confidential and proprietary materials.
5. An insider has compromised data on behalf of a state actor.
This involves any employee that is acting at the instruction, or interests, of a state. The “employed spy” is an enormous category in terms of intellectual property theft in government. The recent Twitter example is a good example of how this model may change with persistent access for surveillance goals against the private sector.
Twitter (2): …was involved in assisting notable accounts of public interest, brands, journalists, and celebrities for the MENA region with content, Twitter strategy and sharing best practices.
6. An insider has shared confidential information with media.
This is a huge category that is best represented with a few choice google searches.
Note: Whistleblowing should be treated with a very different approach than a malicious insider and conflating those two scenarios can be dangerous.
“source with knowledge of” site:techcrunch.com fundraising
“employee fired” leak to journalist -cbs
Microsoft: a former Microsoft employee in Lebanon and Russia, admitted to Microsoft investigators that he provided confidential company documents and information to the blogger, documents from a Seattle federal court showed.
Apple (2): A low-level Apple employee with friends in the jailbreaking community took code from Apple while working at the company’s Cupertino headquarters in 2016, according to two people who originally received the code from the employee. Motherboard has corroborated these accounts with text messages and screenshots from the time of the original leak and has also spoken to a third source familiar with the story.
Tesla: In January an employee was identified for sharing confidential business information on Twitter, including production numbers, with journalists
7. An insider is holding the company hostage.
I’ve had to add this category with recent ransom / extortion trends.
Ubiquity: …announced the arrest today of NICKOLAS SHARP for secretly stealing gigabytes of confidential files from a New York-based technology company where he was employed (“Company‑1”), and then, while purportedly working to remediate the security breach, extorting the company for nearly $2 million for the return of the files and the identification of a remaining purported vulnerability. SHARP subsequently re-victimized his employer by causing the publication of misleading news articles about the company’s handling of the breach that he perpetrated, which were followed by a significant drop in the company’s share price associated with the loss of billions of dollars in its market capitalization.
Ransomware: This is a placeholder for any incident where an insider employee is recruited to deploy ransomware on behalf of a criminal.
Conclusion
This is mostly an example of how you can dig into a problem and find data to help model an area of risk. There’s often enough data about a risk to build a rigorous model to represent it.
Ryan McGeehan writes about security on scrty.io
A big thanks to Suzanne for her support gathering this data!