Hostile foreign states are behind a surge in malicious insider breaches, driving IP theft and industrial espionage to an all-time high, according to DTEX.
The insider threat specialist analyzed over 1300 investigations across its global customer base to compile the 2024 i3 Insider Risk Investigations Report – Foreign Interference.
It claimed to have recorded a 70% increase in customers seeking help to protect against foreign interference since 2022, with the biggest uplift in numbers coming from the public sector and critical infrastructure organizations.
While the majority of IP theft incidents involved data exfiltration of some form, techniques varied based on the controls that customer organizations had in place.
In a third (32%) of malicious insider investigations, the suspect performed unusual reconnaissance behavior, such as repeated research into the people associated with “crown jewel” topics and into the corporate security controls themselves. In some cases, the suspect was observed testing those controls with innocuous data to see whether it passed through without being flagged.
Malicious insiders conspiring with nation states also go to greater lengths to avoid triggering an alert when bypassing security controls, the report noted. It cited the recent case of Linwei Ding, a former Google engineer who was charged with stealing IP from the tech giant.
He allegedly copied data from Google source files into Apple Notes on his corporate MacBook, and then converted them into PDFs and uploaded them to a separate personal cloud account – in order to bypass the firm’s data loss prevention (DLP) checks.
DTEX claimed 64% of its malicious IP theft investigations also featured some form of sophisticated data preparation, aggregation and/or conversion. Many (37%) included the conversion of data into some form of image or PDF.
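The two behaviors described above, probing the controls with harmless test uploads and converting staged data into PDFs or images before moving it to a personal cloud account, are exactly what content-inspecting DLP misses, because a PDF or screenshot of source code no longer matches the fingerprints or regexes the DLP was given. A sequence-based check on endpoint telemetry catches the pattern regardless of file contents. The following is an added example, not DTEX code and not from the report; the pipe-delimited event schema, the field names, the “crown jewel” path prefix, the sanctioned corporate host and every log line are constructed for illustration.

```python
"""Correlate endpoint telemetry into a 'read sensitive -> convert -> upload' chain.

Added example; the log format below is an assumed ts|user|action|key=value schema,
not the output of any real EDR or DLP product. Adapt the three predicates to your data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry. u1001 reads a crown-jewel source file, pastes into a
# notes app, exports a PDF, sends a tiny probe upload to a personal cloud host, then
# the real upload. u2002 uploads to a sanctioned host. u3003 converts but never touched
# sensitive data.
SAMPLE_LOG = """\
2024-03-01T09:02:11Z|u1001|file_read|path=/repo/accel/scheduler.cc
2024-03-01T09:03:40Z|u1001|clipboard_paste|app=Notes
2024-03-01T09:05:02Z|u1001|file_create|path=/Users/u1001/Notes/export1.pdf
2024-03-01T09:06:30Z|u1001|http_upload|host=drive.personal-example.com size=1200
2024-03-01T09:07:19Z|u1001|http_upload|host=drive.personal-example.com size=2400000
2024-03-01T10:15:00Z|u2002|file_read|path=/repo/accel/README.md
2024-03-01T10:16:10Z|u2002|http_upload|host=files.corp.example size=12000
2024-03-02T14:00:00Z|u3003|file_create|path=/Users/u3003/Desktop/slides.pdf
2024-03-02T14:05:00Z|u3003|http_upload|host=drive.personal-example.com size=500000
"""

CROWN_JEWEL_PREFIXES = ("/repo/accel/",)      # assumed sensitive source tree
CORPORATE_HOSTS = ("files.corp.example",)      # assumed sanctioned upload destinations
CONVERSION_EXTS = (".pdf", ".png", ".jpg", ".jpeg", ".tiff")
NOTE_APPS = ("Notes", "Stickies")
LOOKBACK = timedelta(hours=24)                 # insiders go slow; keep the window wide
PROBE_MAX_BYTES = 10_000                        # a "does this get through?" test upload


def parse_events(text):
    """Parse the assumed schema into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, detail = line.split("|", 3)
        fields = dict(kv.split("=", 1) for kv in detail.split())
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "user": user, "action": action, **fields})
    events.sort(key=lambda e: e["ts"])
    return events


def is_personal_host(host):
    return host is not None and host not in CORPORATE_HOSTS


def is_conversion(e):
    """Export to an opaque-to-DLP format, or staging through a notes app."""
    if e["action"] == "file_create":
        return e.get("path", "").lower().endswith(CONVERSION_EXTS)
    if e["action"] == "clipboard_paste":
        return e.get("app") in NOTE_APPS
    return False


def is_sensitive_read(e):
    return e["action"] == "file_read" and e.get("path", "").startswith(CROWN_JEWEL_PREFIXES)


def detect(events):
    """One alert per sizeable upload to a non-corporate host that follows sensitive
    access and/or format conversion by the same user within LOOKBACK. Earlier small
    uploads to the same host are counted as control probes, not alerted on themselves."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        for i, up in enumerate(evs):
            if up["action"] != "http_upload" or not is_personal_host(up.get("host")):
                continue
            if int(up.get("size", "0")) <= PROBE_MAX_BYTES:
                continue
            window = [e for e in evs[:i] if up["ts"] - e["ts"] <= LOOKBACK]
            sensitive = [e["path"] for e in window if is_sensitive_read(e)]
            converted = [e for e in window if is_conversion(e)]
            probes = [e for e in window
                      if e["action"] == "http_upload" and e.get("host") == up["host"]
                      and int(e.get("size", "0")) <= PROBE_MAX_BYTES]
            if sensitive and converted:
                kind = "stage-convert-exfil"      # the pattern the report describes
            elif sensitive:
                kind = "direct-exfil"             # content DLP should also see this one
            elif converted:
                kind = "convert-upload"           # no crown-jewel read seen; low severity
            else:
                continue
            alerts.append({"user": user, "ts": up["ts"].isoformat(), "host": up["host"],
                           "kind": kind, "sensitive_files": sensitive,
                           "probe_uploads": len(probes)})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG)):
        print(a)
```

The check is deliberately content-blind: it never opens the PDF or image, so the conversion step buys the insider nothing. Tune the lookback and the probe threshold to your environment, and feed the `sensitive_files` list to the analyst so the alert says which crown-jewel material was staged.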
Under the Radar
Perhaps unsurprisingly, the majority (77%) also attempted to conceal their activity by using private browsers, VPNs, mobile hotspots, burner emails and encrypted messaging accounts. In 95% of cases the subject also avoided any technique catalogued in MITRE ATT&CK: insiders operate with legitimate access and ordinary business tools, which leaves detections keyed to adversary tradecraft with nothing to fire on.
DTEX claimed that, overall, 15% of employees take sensitive data with them when they leave an organization, while 76% take non-sensitive information.
“Non-sensitive data, in the wrong hands, can have as detrimental an impact as sensitive IP, especially if weaponized by malicious insiders or external attackers. The DTEX i3 team has observed the crossover between corporate data on personal devices – a notable trend of the past two years – with organizations across industries having lenient acceptable use policies,” the report noted.
“This blurring of boundaries introduces visibility gaps and operational inefficiencies (primarily due to ongoing validation) that, together, can dramatically increase the risk of unauthorized disclosure.”