Insider threats: when employees move over to the dark side


Insider threats are shrouded in mystery, eerily intriguing, and very real. Cybernews consulted an expert to discuss the dangers and what to do if you're approached by a cybercriminal.

BBC cyber correspondent Joe Tidy received a message that gave him a whole new perspective on cybercrime.

“If you are interested, we can offer 15% of any ransom payment if you give us access to your PC,” the cybercriminals told Tidy.


Bad actors had contacted the BBC correspondent via Signal, hoping he would hand over his credentials in exchange for a cut of whatever ransom they could extort from the media outlet.


“We can retire you,” wrote the cybercriminal, urging Tidy to pursue their offer and hand over his credentials so that hackers could break into the BBC’s systems and hold the media outlet’s data hostage in exchange for a ransom payment.

"I guess you don't want to live on the beach in the Bahamas?" the hackers taunted.

If Tidy had taken the bait and gone along with the deal, he would have become an insider threat: someone who holds authorized access to a company’s systems or data and abuses it, for example by giving outsiders access they are not entitled to.


Tidy toyed with the cybercriminals, under supervision, and eventually had his account privileges limited until the ordeal was over.

But this story got me thinking. How often do insider threats cause massive damage to a company?


We’ve heard about North Korean laptop farms and state-sponsored actors infiltrating businesses with the sole purpose of exfiltrating company secrets.

But insider threats, when employees go over to the dark side, may be more prevalent than we think.

Cybernews consulted the co-founder and CEO of the offensive security company 0rcus to discuss the dangers of insider threats and what to do if you’re approached by cybercriminals.


Hackers gain legitimate access – they don’t need to break in

The reason insider threats can be so damaging, Nicholas “Nic” Adams from 0rcus told Cybernews, is that the attacker operates with access the victim itself granted. There is nothing to break in to.

“Insider actions subvert perimeter and signature defenses by operating through valid credentials and trusted processes, which increases dwell time and obfuscates attribution,” Adams told Cybernews.

Because the activity runs on real credentials and through the same processes legitimate staff use every day, it raises no immediate suspicion, and the attacker can stay undetected for far longer than a break-in would allow.
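The point above, that valid credentials leave signature and perimeter controls with nothing to match, is easiest to see in a detection rule that ignores signatures entirely and compares each action with the user's own history. The following Python is an added example, not code from Cybernews, Joe Tidy or 0rcus; the log format, the user name, the /24 grouping of source networks, the three-day baseline window and the ten-times volume threshold are assumptions, and every log line is constructed for the example.

```python
"""Behavioural detection for valid-credential misuse.

Added example, not from the Cybernews article, Joe Tidy or 0rcus.
Every event below is a *successful* action with a real credential, so a
signature or perimeter control has nothing to match. The only signal is
deviation from the user's own history: a source network never seen before,
a login at an hour the user never works, and a read far larger than any
previous one. Log format, user name and thresholds are assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed audit log (assumed format): timestamp user source_ip action bytes
LOG = """\
2024-03-01T09:02:11Z alice 203.0.113.10 login 0
2024-03-01T09:05:40Z alice 203.0.113.10 read 120000
2024-03-02T08:58:03Z alice 203.0.113.12 login 0
2024-03-02T09:30:17Z alice 203.0.113.12 read 95000
2024-03-03T09:01:55Z alice 203.0.113.11 login 0
2024-03-03T10:12:09Z alice 203.0.113.11 read 140000
2024-03-04T02:14:30Z alice 198.51.100.77 login 0
2024-03-04T02:20:45Z alice 198.51.100.77 read 48000000
"""


def parse(log):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in log.splitlines():
        ts, user, ip, action, nbytes = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "ip": ipaddress.ip_address(ip),
            "action": action,
            "bytes": int(nbytes),
        })
    return events


def build_baseline(events, cutoff):
    """Per-user profile from events before `cutoff`: /24 source networks,
    login hours, and the largest single read volume."""
    base = defaultdict(lambda: {"nets": set(), "hours": set(), "max_read": 0})
    for e in events:
        if e["ts"] >= cutoff:
            continue
        p = base[e["user"]]
        p["nets"].add(ipaddress.ip_network(f"{e['ip']}/24", strict=False))
        if e["action"] == "login":
            p["hours"].add(e["ts"].hour)
        elif e["action"] == "read":
            p["max_read"] = max(p["max_read"], e["bytes"])
    return base


def detect(events, cutoff, volume_factor=10):
    """Return (timestamp, user, reasons) for events at or after `cutoff` that
    deviate from the user's baseline. No signatures, no malware indicators."""
    base = build_baseline(events, cutoff)
    alerts = []
    for e in events:
        if e["ts"] < cutoff:
            continue
        p = base.get(e["user"])
        if p is None:
            alerts.append((e["ts"], e["user"], "no baseline for user"))
            continue
        reasons = []
        if not any(e["ip"] in net for net in p["nets"]):
            reasons.append(f"new source network {e['ip']}")
        if e["action"] == "login" and e["ts"].hour not in p["hours"]:
            reasons.append(f"login at unusual hour {e['ts'].hour:02d}:00")
        if e["action"] == "read" and e["bytes"] > volume_factor * p["max_read"]:
            reasons.append(f"read of {e['bytes']} bytes exceeds "
                           f"{volume_factor}x baseline max {p['max_read']}")
        if reasons:
            alerts.append((e["ts"], e["user"], "; ".join(reasons)))
    return alerts


def run():
    """Baseline on the first three days of the constructed log, then score day four."""
    return detect(parse(LOG), cutoff=datetime(2024, 3, 4))


if __name__ == "__main__":
    for ts, user, why in run():
        print(ts.isoformat(), user, why)
```

On the constructed log the rule fires twice on day four: a night-time login from a network the user has never used, followed by a read hundreds of times larger than anything in the baseline. Neither event would trip a malware or intrusion signature, which is exactly the gap Adams describes.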

However, Adams said that while insider threats are generally uncommon, they can be extremely damaging when they do happen.


Not common, but still devastating

“Most incidents arise from targeted recruitment, financial coercion, or ideological cultivation rather than mass contagion,” Adams told Cybernews.

Although such approaches are rare, Adams said, threat actors contact their targets through a variety of channels “that preserve deniability and escalate trust incrementally.”

“Examples include intermediated introductions via forums or recruiters, unsolicited offers over encrypted messaging, and abuse of legitimate vendor or contractor relationships to make contact appear routine.”

Hackers target specific types of people due to the privileges they have within the company or the roles they play in the business.


Who do hackers manipulate to get what they want?

“Criminals prize roles that grant privilege over identity, build or deploy systems, and data stores, because these positions enable persistent access and scalable impact,” Adams said.

The roles he named include system administrators, cloud architects, DevOps engineers, and third-party integrators with broad API permissions.

“Weak separation of duties and excessively long-lived credentials convert a single compromised account into an enterprise-wide vector.”
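To make the quote above concrete, here is an added audit, not code from Cybernews or 0rcus, that walks an identity inventory and flags the three weaknesses Adams names: credentials older than a rotation threshold, wildcard API scopes of the kind a third-party integrator might be granted, and one identity holding a pair of scopes that separation of duties says should sit with different people. The inventory schema, the scope names, the conflict pairs and the 90-day threshold are assumptions for the example, and the inventory entries are constructed.

```python
"""Audit an identity inventory for the weaknesses that turn one account
into an enterprise-wide vector: long-lived credentials, wildcard API scopes,
and missing separation of duties.

Added example, not code from Cybernews or 0rcus. The inventory schema, scope
names, conflict pairs and the 90-day rotation threshold are assumptions;
in practice the inventory would come from an IdP or cloud IAM export.
"""
from datetime import date

# Constructed inventory (assumed schema). `key_created` is the issue date of
# the identity's current long-lived secret (password, API key or token).
INVENTORY = [
    {"id": "ci-deployer", "type": "service", "key_created": date(2021, 6, 1),
     "scopes": ["repo:write", "deploy:prod"]},
    {"id": "alice", "type": "human", "key_created": date(2024, 2, 20),
     "scopes": ["repo:write", "ticket:read"]},
    {"id": "integrator-x", "type": "vendor", "key_created": date(2022, 1, 15),
     "scopes": ["api:*"]},
    {"id": "bob", "type": "human", "key_created": date(2024, 3, 1),
     "scopes": ["iam:admin", "deploy:prod", "audit:admin"]},
]

# Scope pairs a single identity should never hold together (assumed policy):
# whoever writes code should not also push it to production unreviewed, and
# whoever administers identities should not also control the audit trail.
SOD_CONFLICTS = [
    ("repo:write", "deploy:prod"),
    ("iam:admin", "audit:admin"),
]


def audit(inventory, today, max_age_days=90, conflicts=SOD_CONFLICTS):
    """Return (identity, finding_kind, detail) tuples, in inventory order."""
    findings = []
    for ident in inventory:
        scopes = set(ident["scopes"])
        age = (today - ident["key_created"]).days
        if age > max_age_days:
            findings.append((ident["id"], "stale_credential",
                             f"credential is {age} days old, limit {max_age_days}"))
        for scope in sorted(scopes):
            if scope.endswith("*"):
                findings.append((ident["id"], "wildcard_scope",
                                 f"scope {scope} grants every API in its namespace"))
        for a, b in conflicts:
            if a in scopes and b in scopes:
                findings.append((ident["id"], "sod_conflict",
                                 f"{a} and {b} held by the same identity"))
    return findings


def run():
    """Audit the constructed inventory as of an assumed date."""
    return audit(INVENTORY, today=date(2024, 3, 15))


if __name__ == "__main__":
    for ident, kind, detail in run():
        print(f"{ident:14} {kind:17} {detail}")
```

On the constructed inventory the service account and the vendor integrator are the findings that matter most: each combines a years-old secret with either production deployment rights or a wildcard scope, so a recruited insider or a leaked key from either one gives an outsider persistent, broad access. The remedy is the one implied by the quote: short-lived, narrowly scoped tokens, and splitting conflicting scopes across separate identities.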


Hackers employ techniques that “exploit social, economic, and procedural weaknesses” rather than attacking the technical controls, such as encryption, that protect a system.

These include phishing lures that mimic corporate tools or ask the target for a one-off submission of their credentials, Adams explained.


Can we trust what a hacker promises?

While hackers and threat actors can be manipulative and tactical when approaching a target, what they promise, like the beach retirement dangled in front of BBC correspondent Joe Tidy, is far-fetched.

“Criminal promises about ransom shares are inherently unreliable and should be treated as coercive narrative rather than contractual obligation,” Adams told Cybernews.

Furthermore, the criminal ecosystem is inherently murky, which makes it unlikely that a promised payout would ever reach the insider.

“Group fragmentation, opaque distribution channels, and internal violence or theft within criminal networks all degrade the probability of fair payment,” Adams explained.


What should you do if you’re contacted by a threat actor at work?


If you’re ever contacted by a threat actor, do not engage, and never hand over your credentials.

“Preserve communications, isolate affected accounts, and notify internal security or law enforcement so forensic artifacts and attribution opportunities remain intact,” Adams advised.

Take this as a warning: the negatives far outweigh the positives when it comes to handing over your company credentials to threat actors.

While Adams says that these threats are uncommon, it’s always best to stay vigilant. Remember, your chances of being targeted are low, but never zero.

