Insider data breaches are especially dangerous because they are hard to detect. For employees with privileged access, the temptation is real: the intellectual property within their reach can be worth millions or even billions of dollars.
The difficulty with insider threats is that they typically do not trigger any cybersecurity alerts inside the victim's systems. An insider uses credentials and access that are legitimately theirs, so distinguishing an employee's normal actions from abnormal ones is genuinely hard.
However, suspicious privileged-access activity and the actual download of files containing sensitive data do leave traces, so registering such anomalies is not impossible.
That is why organizations are moving toward behavior-based detection: baselining what each account normally does and alerting on deviations from it, rather than waiting for a signature match. The Sigma rules on SOC Prime's Detection as Code platform are written by seasoned cybersecurity experts.
SOC engineers can take these generic Sigma rules and instantly translate them into the SIEM, EDR, or NTDR query format they need with the online translation engine Uncoder.IO.
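The following is an added example, written for this page and not SOC Prime's code or a Sigma rule, of what "behavior-based detection" of bulk downloads looks like in executable form. It runs over a constructed file-server audit log embedded in the script and flags each user-day whose download volume or file count is far above that user's own historical baseline (median plus a multiple of the median absolute deviation). The log format, the user names "alice" and "bob", and the thresholds are assumptions chosen for illustration.

```python
"""Baseline-based detection of bulk downloads by a single account.

Added example: not SOC Prime's code and not a Sigma rule. The audit-log
format, the user names and the thresholds are assumptions for illustration.
"""
import json
import statistics
from collections import defaultdict

# Constructed sample file-server audit log (JSON lines). "alice" behaves the
# same every day; "bob" pulls gigabytes of engineering and finance data in the
# small hours of 2021-03-04.
SAMPLE_LOG = """\
{"ts": "2021-03-01T09:12:00Z", "user": "alice", "action": "download", "path": "/eng/specs/a.pdf", "bytes": 10000000}
{"ts": "2021-03-02T10:05:00Z", "user": "alice", "action": "download", "path": "/eng/specs/b.pdf", "bytes": 12000000}
{"ts": "2021-03-03T09:50:00Z", "user": "alice", "action": "download", "path": "/eng/specs/c.pdf", "bytes": 11000000}
{"ts": "2021-03-04T09:00:00Z", "user": "alice", "action": "download", "path": "/eng/specs/d.pdf", "bytes": 13000000}
{"ts": "2021-03-01T08:30:00Z", "user": "bob", "action": "download", "path": "/eng/mos/build.md", "bytes": 5000000}
{"ts": "2021-03-01T17:10:00Z", "user": "bob", "action": "download", "path": "/eng/mos/notes.md", "bytes": 4000000}
{"ts": "2021-03-02T09:20:00Z", "user": "bob", "action": "download", "path": "/eng/mos/plan.pdf", "bytes": 8000000}
{"ts": "2021-03-03T08:45:00Z", "user": "bob", "action": "download", "path": "/eng/mos/a.py", "bytes": 6000000}
{"ts": "2021-03-03T16:05:00Z", "user": "bob", "action": "download", "path": "/eng/mos/b.py", "bytes": 4000000}
{"ts": "2021-03-04T02:05:00Z", "user": "bob", "action": "download", "path": "/eng/mos/src.tar.gz", "bytes": 900000000}
{"ts": "2021-03-04T02:09:00Z", "user": "bob", "action": "download", "path": "/eng/mos/db.dump", "bytes": 800000000}
{"ts": "2021-03-04T02:14:00Z", "user": "bob", "action": "download", "path": "/eng/materials/bom.xlsx", "bytes": 700000000}
{"ts": "2021-03-04T02:20:00Z", "user": "bob", "action": "download", "path": "/eng/materials/suppliers.csv", "bytes": 650000000}
{"ts": "2021-03-04T02:26:00Z", "user": "bob", "action": "download", "path": "/finance/q1.xlsx", "bytes": 600000000}
{"ts": "2021-03-04T02:31:00Z", "user": "bob", "action": "download", "path": "/finance/q2.xlsx", "bytes": 350000000}
{"ts": "2021-03-04T02:37:00Z", "user": "bob", "action": "download", "path": "/finance/forecast.pdf", "bytes": 200000000}
"""


def parse_events(text):
    """Parse a JSON-lines audit log into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def daily_totals(events, action="download"):
    """Aggregate events into per-(user, day) counters: number of files and bytes."""
    totals = defaultdict(lambda: {"files": 0, "bytes": 0})
    for ev in events:
        if ev.get("action") != action:
            continue
        day = ev["ts"][:10]                      # ISO timestamp -> YYYY-MM-DD
        bucket = totals[(ev["user"], day)]
        bucket["files"] += 1
        bucket["bytes"] += int(ev["bytes"])
    return totals


def robust_threshold(baseline, k, floor_frac):
    """Median + k * MAD, with the spread floored at floor_frac * median so that a
    perfectly flat baseline does not alert on every tiny increase."""
    med = statistics.median(baseline)
    mad = statistics.median(abs(x - med) for x in baseline)
    return med + k * max(mad, floor_frac * med)


def find_anomalies(events, metrics=("bytes", "files"), min_baseline_days=3, k=5.0, floor_frac=0.2):
    """Flag each user-day whose metric exceeds that user's own historical threshold.

    A day is only evaluated once at least `min_baseline_days` earlier days exist
    for that user, so a brand-new account does not produce noisy alerts.
    """
    per_user = defaultdict(list)
    for (user, day), counters in daily_totals(events).items():
        per_user[user].append((day, counters))

    findings = []
    for user, days in per_user.items():
        days.sort(key=lambda item: item[0])
        for i in range(min_baseline_days, len(days)):
            day, today = days[i]
            for metric in metrics:
                baseline = [counters[metric] for _, counters in days[:i]]
                threshold = robust_threshold(baseline, k, floor_frac)
                if today[metric] > threshold:
                    findings.append({"user": user, "day": day, "metric": metric,
                                     "value": today[metric], "threshold": threshold})
    return findings


if __name__ == "__main__":
    for f in find_anomalies(parse_events(SAMPLE_LOG)):
        print(f"{f['day']} {f['user']}: {f['metric']}={f['value']} exceeds "
              f"per-user baseline threshold {f['threshold']:.0f}")
```

Run as a script it reports only bob's 2021-03-04 activity, on both metrics; alice's slightly larger day stays under her own threshold. The per-user baseline is the point: a fixed global limit would either miss a user whose role involves large transfers or drown the SOC in alerts, whereas comparing each account to its own history is what lets an otherwise legitimate privileged user stand out on the day the behavior changes.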
Let's look back at five of the most devastating insider data breaches of recent years and trace why they happened.
Tesla
In June 2018, Tesla filed a lawsuit against Martin Tripp, a former process technician at its Nevada Gigafactory. Tesla alleged that he wrote software that periodically exported gigabytes of confidential data to outside parties.
The same code was also alleged to have made unauthorized changes to the source code of the Tesla Manufacturing Operating System (MOS).
According to the complaint, Tripp created false usernames so that data about manufacturing processes, materials used, and financial operations would keep flowing out even after he left. Tesla attributed the behavior to a reassignment that Tripp regarded as a demotion; the theft looked like retribution.
Two years later, in August 2020, a Nevada federal court charged a Russian citizen, Egor Kriuchkov, with conspiracy. This time the attempted leak came from an outside agent: Kriuchkov tried to recruit a Tesla employee, offering a $500,000 bribe to plant malware in the company's network.
Elon Musk commented on the incident on Twitter in his usual offhand manner ("Much appreciated"). The employee approached by Kriuchkov turned the offer down and reported it, which is why the company's systems were never compromised.
The Tripp case itself had first surfaced internally: in June 2018, days before the lawsuit, all Tesla staff received an email from Elon Musk stating that an employee had conducted extensive and damaging sabotage of the factory's operations.
The motive cited in the email was a promotion the employee had not received. No further details were disclosed at the time.
Twitter
In July 2020, Twitter made headlines because of an attack that rode on insider access. High-profile accounts, including those of Barack Obama and Elon Musk, were taken over and used to push a bitcoin scam. Losses were estimated at $250 million.
The investigation was still in progress when some details reached the media. The most probable attack vector was phone spear phishing: the attackers called a small number of employees who had privileged access to the internal account admin tools and to the admins' Slack channel.
The credentials guarding those tools were not adequately protected, which is how the adversaries were able to take over the accounts they had targeted.
After the attack, Twitter restricted access to internal systems and tools so that they are used only for legitimate business purposes, and said it was improving its security workflows and threat detection methods in order to identify incoming threats earlier.
Cisco
This attack targeted WebEx, Cisco's video conferencing platform, which businesses use widely for online meetings, demos, polling, and large virtual events of more than 1,000 participants.
In 2018, a former engineer gained unauthorized access to the cloud infrastructure hosting WebEx Teams and deployed code from his personal Google Cloud Platform project into it.
That code deleted hundreds of virtual machines, disrupting service for roughly 16,000 WebEx Teams users. Cisco put the damage at about $1.4 million in remediation effort after 456 VMs suddenly disappeared, on top of refunds to affected customers.
Notably, the attack came four months after the engineer had resigned. He was sentenced to two years in prison and a $15,000 fine. The public record does not spell out how his code reached Cisco's cloud environment once he no longer had a legitimate reason to be there; what the case does show is that a departed employee's access was still usable four months after he left, which is precisely what an offboarding process exists to prevent.
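One control that would have surfaced the Cisco incident is a routine check of cloud audit logs and credential inventories against the HR offboarding list. The script below is an added example written for this page; it is not Cisco's tooling and not drawn from the court record. It runs over a constructed, simplified audit log (CloudTrail-like field names, but not the real schema) and a constructed offboarding list; the user names "carol", "dave" and "erin", the dates, the IP addresses and the key identifiers are all made up for illustration.

```python
"""Offboarding check: flag cloud API activity by identities after their departure,
and long-lived credentials that were never revoked.

Added example, not Cisco's tooling. The audit-log schema, HR record, user names,
dates and key identifiers are constructed for illustration.
"""
import json
from datetime import date, datetime

# Constructed HR record: user -> last working day (ISO date).
OFFBOARDED = {"carol": "2018-05-01"}

# Constructed, simplified cloud audit events (JSON lines). "carol" left in May
# but is still calling the API in September, including a destructive call;
# "dave" is a current employee doing the same action legitimately.
SAMPLE_EVENTS = """\
{"ts": "2018-04-28T10:00:00Z", "user": "carol", "action": "DescribeInstances", "source_ip": "10.0.4.12"}
{"ts": "2018-09-23T22:41:00Z", "user": "carol", "action": "DescribeInstances", "source_ip": "203.0.113.7"}
{"ts": "2018-09-24T14:00:00Z", "user": "carol", "action": "TerminateInstances", "source_ip": "203.0.113.7"}
{"ts": "2018-09-24T14:05:00Z", "user": "dave", "action": "TerminateInstances", "source_ip": "10.0.4.20"}
"""

# Constructed access-key inventory: which long-lived credentials still exist.
SAMPLE_KEYS = [
    {"user": "carol", "key_id": "key-carol-01", "status": "Active", "last_used": "2018-09-24"},
    {"user": "dave", "key_id": "key-dave-01", "status": "Active", "last_used": "2018-09-24"},
    {"user": "erin", "key_id": "key-erin-01", "status": "Inactive", "last_used": "2018-01-15"},
]

# API calls that destroy resources; a higher severity when an ex-employee issues them.
DESTRUCTIVE_ACTIONS = {"TerminateInstances", "DeleteVolume", "DeleteDBInstance", "DeleteBucket"}


def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z' (Python 3.7+ compatible)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def post_departure_activity(events_text, offboarded, grace_days=0):
    """Return every event issued by an offboarded identity after its last working day.

    `grace_days` allows a short window for automated cleanup jobs that may still
    run under the departing user's name; by default any post-departure call counts.
    """
    findings = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        last_day = offboarded.get(ev["user"])
        if last_day is None:
            continue                                   # still employed (or unknown)
        days_after = (parse_ts(ev["ts"]).date() - date.fromisoformat(last_day)).days
        if days_after > grace_days:
            findings.append({
                "user": ev["user"], "ts": ev["ts"], "action": ev["action"],
                "source_ip": ev["source_ip"], "days_after_departure": days_after,
                "destructive": ev["action"] in DESTRUCTIVE_ACTIONS,
            })
    return findings


def stale_credentials(keys, offboarded):
    """Return still-active long-lived keys that belong to offboarded identities."""
    return [k["key_id"] for k in keys if k["user"] in offboarded and k["status"] == "Active"]


if __name__ == "__main__":
    for f in post_departure_activity(SAMPLE_EVENTS, OFFBOARDED):
        sev = "HIGH" if f["destructive"] else "MEDIUM"
        print(f"[{sev}] {f['ts']} {f['user']} {f['action']} from {f['source_ip']} "
              f"({f['days_after_departure']} days after departure)")
    for key_id in stale_credentials(SAMPLE_KEYS, OFFBOARDED):
        print(f"[REVOKE] active key {key_id} belongs to an offboarded user")
```

The two checks are deliberately separate. The activity check is detective and fires only after the damage may already be done; the credential inventory check is preventive and should run as part of offboarding itself, so that a key like carol's is disabled on the last working day rather than discovered 146 days later in an audit log.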
Google and Uber
These two companies have a very particular connection that arose from an insider data breach. In 2009, Google began developing a promising self-driving car project that later became Waymo, a separate company and a subsidiary of Alphabet Inc., Google's parent.
In January 2016, a lead engineer on the project resigned to start his own venture, Otto, also an autonomous driving technology company. It later emerged that he had been able to do so thanks to exfiltrating Google's trade secrets before he left.
The insider took data on LiDAR technology, simulation diagrams and drawings, source code, videos of test drives, and confidential PDF documents. In all, he downloaded about 14,000 files from a Google design server to his laptop.
A few months later, Uber acquired Otto. Google realized the breach had happened only after the acquisition had closed. The story ended in Waymo's favor: Uber settled by handing Waymo about $245 million worth of its own shares, and the engineer later pleaded guilty to trade secret theft.
General Electric
As in the previous case, the purpose of the insider attack on General Electric (GE) was to exfiltrate thousands of strictly confidential files containing trade secrets. The scheme was simple: the employees downloaded the files to their machines, uploaded them to cloud storage, and then sent them on to private email accounts.
Nor did the attack involve any technical sophistication. The employees allegedly convinced a system administrator to grant them access to systems holding sensitive data that, by policy, they were not supposed to work in.
After the initial theft, one of the employees founded a company offering turbine calibration services for power plants. That company went on to beat GE in several tenders, probably by submitting much lower bids.
Soon afterward GE executives recognized the person behind the new company and reported the matter to the FBI. The investigation ended in convictions and an order to pay GE $1.4 million in restitution.
Verizon's Data Breach Investigations Report states that 40% of the breaches its researchers investigated involved insiders and were rooted in privilege misuse. The 2020 Insider Threat Report found that 68% of surveyed organizations rated their insider threat risk as moderate to extremely high.
Strikingly, even large international corporations with multiple layers of security policy fell victim to insider attacks that required little technical expertise. In most of these cases, stealing the data was as easy as copying files to a USB flash drive, a personal laptop, or a personal cloud account.