Bribing Employees Easier Than Hacking Silicon Valley, Security Experts Say
Why ask your government’s elite hackers to play ninja against a target’s network and steal data when you can achieve the same result by buying off insiders?
That’s the alleged nation-state assault tactic that came to light last week, when the U.S. Department of Justice charged three men with funneling information on Twitter users to the Saudi government. “The criminal complaint … alleges that Saudi agents mined Twitter’s internal systems for personal information about known Saudi critics and thousands of other Twitter users,” U.S. Attorney David L. Anderson said in a statement after the charges were unsealed (see: Feds Allege Saudi Spies Infiltrated Twitter).
Money, ideology, coercion and ego – MICE – are the top motives for spying, experts say.
In this case, the FBI says the Saudis paid $100,000 to one of the three suspects – ex-Twitter employee Ahmad Abouammo, 41 – and also gave him a watch that was later appraised at $20,000. The FBI arrested Abouammo last week in Seattle.
Here are seven takeaways from this case.
1. Spies Are Going to Spy
Using moles to steal information is nothing new. “One of the toughest security problems for the big tech companies is having moles of foreign intelligence agencies planted to work in the organization,” says Mikko Hypponen, chief research officer at Finnish security firm F-Secure, via Twitter.
Intelligence agencies have long faced such problems, so they employ counterintelligence teams – filled with experts in human intelligence, or HUMINT, rather than the more technical art of signals intelligence,or SIGINT – to hunt double agents. But history is still riddled with major intelligence breaches brought about by malicious insiders, including the Cambridge Five, who in the 1930s were recruited by the KGB to work against the British government.
In the U.S., Robert Hanssen, an FBI agent who specialized in working with computers, spied for Russia’s GRU military intelligence agency – now known as the GU – from 1979 to 2001. “Hanssen is considered the most damaging spy in FBI history,” the bureau says, with his actions leading to the betrayal of at least 50 spies or potential recruits.
Central Intelligence Agency Officer Aldrich Ames was working as a double agent for Russia’s KGB from 1985 to 1994. (The KGB has been succeeded by the Federal Security Service, known as the FSB.)
Both Hanssen and Ames received money from the Russians in return for their spying.
2. Bribery Can Be Cost-Effective
For organizations or individuals that want to gain access to information being stored by big tech firms, security experts say it’s much less expensive – and usually much more reliable and stealthy – to buy off insiders than to attempt to remotely hack corporate systems.
“The cost of turning an insider will be cheaper than breaching the external side,” says the operational security expert known as the Grugq, via Twitter. “Lots of [countries] still have heavily staffed intelligence offices with effective HUMINT officers, and some targets are getting better at cybersecurity. It’s economics.”
3. Insiders May Facilitate Killings
The complaint against the Twitter ex-employees is especially chilling Saudi Arabia’s treatment of its critics.
One of the men named in the U.S. complaint is Abouammo, 41, an ex-employee of Twitter who worked at Amazon until a year ago. The complaint says Abouammo, a dual U.S. and Lebanese citizen, was recruited by a Saudi official, which it doesn’t name. But a person familiar with the case tells the Wall Street Journal that the official was Bader Al-Asaker, who’s since become head of the private office of Saudi Crown Prince Mohammed bin Salman.
The U.S. Central Intelligence Agency concluded that in October 2018, Washington Post columnist Jamal Khashoggi, 59, a U.S. resident, was murdered at the Saudi consulate in Istanbul by a hit squad dispatched on bin Salman’s orders.
In June, Agnes Callamard, a UN special rapporteur, issued the results of a six-month investigation into Khashoggi’s murder, concluding that “Saudi state agents, 15 of them, acted under cover of their official status and used state means to execute Mr. Khashoggi,” under the direction of “high-level officials.” The kingdom has dismissed the allegations.
4. Shopping Stolen Data Is Easy
But not all insider breaches involve recruitment by nation-state actors. Instead, bad-behaving insiders might steal data or intellectual property, then make it available via underground forums to whoever wants to buy it, be they criminals, nation-state actors or others.
The Canadian credit union Desjardins Group, for example, has accused a former employee of stealing information on 4.2 million customers, including their social insurance numbers, and selling it to buyers via darknet cybercrime sites.
Police say they suspect that the former employee sold at least some of the stolen information to 12 individuals or organizations, many likely located abroad, with each victim’s record retailing for up to $150, reports Journal de Montréal. Quebec provincial police have questioned 17 people during the course of their ongoing investigation into the breach, which was detected in December 2018. The ex-employee has yet to be charged.
5. Threat Hunting: Watch for Rogue Insiders
As with intelligence agencies, big technology firms must have policies and procedures in place to detect misbehaving insiders, says Alex Stamos, the former chief security officer of Facebook.
“All big tech companies need internal monitoring and hunting teams,” tweets Stamos, who’s now director of the Internet Observatory at Stanford University.
Insiders can potentially be bought, as the FBI alleges the Saudi government did with Abouammo. But other inducements can also be brought to bear, including blackmail. As Stamos notes, “lots of tech employees have access to data” as well as “families back home” that governments or criminal syndicates might threaten unless the target cooperates.
Patriotism and appeals to nationalism can also be a driver. In the Twitter case, for example, both of the other suspects are Saudi nationals who remain at large, presumably in Saudi Arabia. One is Ahmed Almutairi, aka Ahmed Aljbreen, 30, who’s accused of acting as an intermediary for the Saudis. The other is Ali Alzabarah, 35, a former Twitter site reliability engineer who fled the U.S. on Dec. 3, 2015, one day after officials at Twitter questioned his data access, seized his laptop, placed him on leave and escorted him off the company’s premises, according to the complaint.
The FBI says that in July 2015, Alzabarah created notes to himself in Apple Note about his desire to secure a permanent position at a charitable organization run by Bader Al-Asaker. Within one month of arriving back in Saudi Arabia, the FBI says that Alzabarah appeared to be doing just that, working with fellow suspect Almutair “and several others, on a team to monitor and manipulate social media under [Al-Asaker’s] leadership and for the benefit of the kingdom of Saudi Arabia.”
One final takeaway, via Stamos, is that when it comes to governments that might pressure their citizens to act as moles, the kingdom of Saudi Arabia “wouldn’t be at the top of my list of high-risk countries with lots of citizens in Silicon Valley,” he says. “There will be more.”
6. Employees Can Spy on Exes and Celebrities Too
Sometimes rogue insiders don’t commit espionage, but instead spy on exes or celebrities such as Beyoncé. In December 2016, for example, a former forensic investigator at Uber testified that employees regularly used the ride-sharing service’s “God view” to review rides taken by “high-profile politicians, celebrities and even personal acquaintances of Uber employees, including ex-boyfriends/girlfriends, and ex-spouses,” the Guardian reported.
Earlier this year, Vice reported on Snapchat employees spying on users, including their saved “snaps.” And last year, Vice reported that multiple Facebook employees were fired for abusing their access to user data. Sources who had signed non-disclosure agreements said some of the fired employees appeared to have been stalking their exes.
“It’s important that people’s information is kept secure and private when they use Facebook,” Stamos, then Facebook’s CISO, told Vice in a statement at the time. “It’s why we have strict policy controls and technical restrictions so employees only access the data they need to do their jobs – for example to fix bugs, manage customer support issues or respond to valid legal requests. Employees who abuse these controls will be fired.”
7. Create a Positive Environment
One of the best ways to prevent insider breaches, security experts say, is to foster positive workplaces. Per Wheaton’s Law, the leaders of organizations that want their employees to behave well should themselves behave well. That includes avoiding discrimination and maximizing inclusion.
“Discrimination against women is probably the biggest HUMINT security threat in IT,” the Grugq tweets. “If I were recruiting, I know exactly where I’d start.”