The Washington Post
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Government and critical industries aren’t ready for insider threats

Welcome to The Cybersecurity 202! Hat tip to the judge in the bitcoin case detailed below for citing “The Big Lebowski” in his order, as Devlin Barrett notes. Ever wonder who’s the most cited musician in judicial opinions? The answer, my friend, is in this NPR piece from 2011.  

Below: The Justice Department seized $3.6 billion in hacked bitcoin and arrested a couple for laundering some of the funds. Microsoft is in reported talks to buy Mandiant. 

Companies need to heighten their guard against bad actor employees

Cyber threats don't always come from outside a company – they can come from malicious employees, too.

Government agencies and companies that are vital for national security aren’t doing nearly enough to prevent workers from stealing their data, a top research group for the federal government has found.

The danger of such “insider threats” has grown immensely during the past decade as employees of governments and companies have become increasingly tech-savvy and able to outsmart many monitoring systems, Chris Folk, director of cybersecurity policy at the MITRE Corporation, told me. MITRE runs a group of research labs on behalf of the federal government. 

Growing threat

The big concern: Malicious insiders could release sensitive information to the public, as NSA leaker Edward Snowden did in 2013, or they could pass it along to U.S. adversaries such as China that are looking for ways to outsmart the U.S. government and better compete with U.S. firms. 

The danger grew sharply during the pandemic when many employees began working from home, where it’s far easier to transfer sensitive work information to personal devices and tougher for managers and co-workers to spot anomalous behavior. 

“If we don't get a handle on how employees are behaving in the workplace, we are going to continue to see exponential amounts of data walking out the door,” Folk said. 

The study

MITRE ran a recent study with DTEX, a Silicon Valley-based insider threat detection company, aimed at sussing out the tactics employees use to steal data and whether systems that are designed to catch outside hackers are helpful at detecting them. The study was sponsored by the Australian government's Cyber Collaboration Center but largely funded by MITRE and DTEX.

The big picture: After more than a decade of government and industry programs to address such insider threats, there’s little hard data on how to spot them, and systems designed to spot external hackers prowling through networks aren’t much help. 

Now, DTEX is using data from that study to offer a new MITRE-approved insider threat detection program to government agencies and companies deemed critical infrastructure in the United States and its four closest intelligence-sharing allies: Canada, the United Kingdom, Australia and New Zealand. 

MITRE is going to pull aggregate data from that work to fine-tune a framework for addressing insider threats to share with government and companies in critical industries, such as finance and energy. MITRE is best known in cybersecurity circles for a similar catalog of the tactics and techniques external attackers use, known as the ATT&CK framework. 

The goal: to get critical organizations as good at protecting against data thieves inside their organizations as external hackers.

“Companies are doing a great job — admittedly not perfect — but a great job of really locking down their networks from the external threat, and the only place left for that information to get out is going to be through insiders,” Folk said. “When you have an insider, it's much harder to detect them because they can look very much like everybody else in the network.”

Here’s how the study worked:

  • MITRE ran a two-month experiment where it tasked 100 of its roughly 10,000 employees with trying to steal sensitive company data and it hooked up DTEX sensors to see if DTEX’s techniques could spot them.
  • Half of the insiders were just taking data without much savvy, while the other half were highly trained technologists who were skilled at avoiding detection — a group the companies dub “super malicious insiders.”
  • DTEX spotted nearly all the insiders but in many cases didn’t know how much they’d stolen. In two cases, super-malicious insiders went undetected — including one who duped a co-worker into stealing the data for him.
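To make the study’s finding concrete, here is an added illustration (not code from the page, and not DTEX’s or MITRE’s method) of why an insider who “looks like everybody else” slips past a single rule. It runs two user-behaviour checks over constructed endpoint egress telemetry: a per-user spike detector, which catches a careless insider who dumps everything at once, and a peer comparison, which catches a “super malicious” insider who moves data at a steady rate that never spikes. The user names, byte counts and thresholds are all assumptions for the example.

```python
"""Two complementary user-behaviour checks over endpoint egress telemetry.

Added illustration, not DTEX's or MITRE's method: a per-user spike rule
catches the careless insider, a peer-comparison rule catches the
low-and-slow one, and neither says what was actually taken.
All telemetry below is constructed for the example.
"""
from collections import defaultdict
from statistics import mean, median, pstdev

# Constructed telemetry: (day, user, bytes sent to non-corporate destinations).
SAMPLE_EGRESS = (
    # Ordinary users: small, slightly varying daily uploads.
    [(d, "alice", 2_000_000 + 100_000 * (d % 3)) for d in range(1, 15)]
    + [(d, "bob", 1_500_000 + 50_000 * (d % 2)) for d in range(1, 15)]
    # Careless insider: normal for 13 days, then a single 4 GB dump.
    + [(d, "carol", 1_800_000) for d in range(1, 14)]
    + [(14, "carol", 4_000_000_000)]
    # "Super malicious" insider: 120 MB every day, so no single day spikes.
    + [(d, "dave", 120_000_000) for d in range(1, 15)]
)


def _by_user(records):
    """Group records into {user: [(day, bytes), ...]} sorted by day."""
    per_user = defaultdict(list)
    for day, user, nbytes in records:
        per_user[user].append((day, nbytes))
    return {u: sorted(v) for u, v in per_user.items()}


def daily_spike_alerts(records, z_threshold=3.0, min_history=3):
    """Flag (user, day) pairs whose egress is far above the user's own prior days.

    Each day is scored only against the days before it, so the dump itself
    cannot inflate the baseline it is compared with. A flat history has a
    standard deviation of zero, so sigma is floored at 10% of the mean.
    """
    alerts = []
    for user, series in _by_user(records).items():
        history = []
        for day, nbytes in series:
            if len(history) >= min_history:
                mu = mean(history)
                sigma = max(pstdev(history), 0.1 * mu)
                if (nbytes - mu) / sigma > z_threshold:
                    alerts.append((user, day))
            history.append(nbytes)
    return alerts


def peer_outlier_alerts(records, ratio_threshold=10.0):
    """Flag users whose typical (median) daily egress dwarfs that of their peers.

    A steady exfiltrator never trips a spike rule because every day looks like
    the last; comparing each user's median day with the population median of
    those medians catches the sustained drain instead.
    """
    typical = {u: median(b for _, b in s) for u, s in _by_user(records).items()}
    peer_median = median(typical.values())
    return sorted(u for u, t in typical.items() if t / peer_median > ratio_threshold)


if __name__ == "__main__":
    print("spikes:", daily_spike_alerts(SAMPLE_EGRESS))           # [('carol', 14)]
    print("steady outliers:", peer_outlier_alerts(SAMPLE_EGRESS))  # ['dave']
```

Run on the constructed data, the spike rule flags only carol’s day 14 and the peer rule flags only dave; dropping either rule loses one insider. Two caveats mirror the study’s results: both rules report who and when but not what or how much left, and neither sees the case where the data is carried out by a duped co-worker whose own activity stays within normal bounds.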

DTEX and MITRE ran a pilot of their upgraded insider threat detection system for the National Australia Bank. About 50 companies and government agencies have signed up to use the service, Folk and DTEX co-founder Mohan Koo told me. The customers don’t include any U.S. government agencies. 

Because of a U.S.-government requirement for MITRE-developed technology, the program is being offered on a not-for-profit basis.

The keys

Justice Department arrests married couple, seizes $3.6 billion in allegedly hacked and stolen bitcoin

Prosecutors accused self-described “angel investor” Ilya Lichtenstein and rapper and email marketer Heather Morgan of trying to launder bitcoin currently valued at $4.5 billion that was stolen from the cryptocurrency exchange Bitfinex, Devlin Barrett reports. Court documents haven’t accused Lichtenstein and Morgan of hacking Bitfinex, and officials declined to say if they are suspected of committing the hack.

At the time of the theft in 2016, the total value of the stolen bitcoin was around $71 million, but it has since grown in value to around $4.5 billion. Prosecutors say they were able to seize around 94,000 stolen bitcoin, currently worth $3.6 billion.

It’s the single largest seizure of funds in Justice Department history. It’s also the highest-profile prosecution from the department’s new cryptocurrency investigations effort.

While the Justice Department’s bitcoin haul was big news, much of the focus landed on Morgan’s side projects as a rapper and designer of streetwear. Bloomberg News’s Jeff Stone included her on his hall-of-fame list of accused hackers and scammers who have posted “totally bonkers pics” on Instagram and other social media sites. 

Observers were also perplexed by Morgan’s explicit rap videos and her unique style.

Morgan, who rapped under the name Razzlekhan, may have telegraphed her willingness to flout the law, announcing in one of her raps that "following rules is for fools, instead I work the edge case with my tools."

Israeli police say they only tried to hack three people named in reports

The claims contradict a report from the business publication Calcalist that police targeted dozens of Israelis using NSO Group’s powerful Pegasus spyware. The targets reportedly included protest leaders and the son of former prime minister Benjamin Netanyahu.

  • Israeli leaders are planning a review of police claims led by Mossad, the country’s intelligence agency, and Shin Bet, the domestic security agency. 
  • That will probably be followed by an official state inquiry, the Jerusalem Post’s Yonah Jeremy Bob reports. 

The fracas has led to a week-long postponement of Netanyahu's corruption trial, Shira Rubin reports. “Netanyahu’s lawyers had asked the court to postpone the testimony of prosecution witness Shlomo Filber after police acknowledged last week that they used spyware to access the contents of his cellphone,” Shira writes. 

In other NSO news: The company gave the New York Police Department’s intelligence unit a demonstration of Pegasus in 2015, Motherboard’s Joseph Cox reports. Law enforcement agencies in New Jersey were also invited to the demo event. NSO has tried to pitch its spyware to other U.S. police departments as well. The FBI tested the technology but said it hadn’t been used “in support of any investigation.”

An investigation by The Washington Post and 16 news partners found that Pegasus was used to target dozens of devices belonging to journalists, activists and business executives. The Biden administration blocked NSO from receiving U.S. technology last year. 

Microsoft is reportedly in talks to buy cybersecurity giant Mandiant

Such an acquisition would represent a major consolidation of the cybersecurity industry, with one of the nation's highest-profile cyber incident response firms potentially combining with one of the nation's biggest and most powerful tech platforms. It’s possible that the talks between the two companies won’t result in an offer, Bloomberg News’s William Turton, Liana Baker and Dina Bass report.

“Mandiant became a stand-alone company again last year when FireEye Inc. — which had acquired Mandiant in 2013 — sold its eponymous security-product business for $1.2 billion to a consortium led by Symphony Technology Group,” they write. Mandiant and Microsoft declined to comment to Bloomberg News. 

The rest of the story: The remaining portions of FireEye previously combined with McAfee Enterprise and formed the new firm Trellix. CyberScoop’s Joe Warminsky has all the details, along with a broader look at cyber mergers and acquisitions.

Ancient history: Mandiant gained recognition throughout government and industry when it published its APT1 report in 2013 — the most detailed public accounting of Chinese government-backed hacking of U.S. companies to that date. It’s since become standard practice for top cybersecurity companies to publish reports detailing hacking campaigns by Russia, China and other U.S. adversaries.  

Global cyberspace

Hackers breached U.K. foreign office

The United Kingdom’s government revealed the “serious cybersecurity incident” affecting the Foreign, Commonwealth and Development Office (FCDO) in a contract announcement, the Stack’s Eliot Beer reports. The office is responsible for U.K. diplomacy and international development efforts.

Hackers breached the office but were detected, the BBC reported. An FCDO spokesperson declined to comment to the BBC but said it has “systems in place to detect and defend against potential cyber incidents.” The $633,000 contract with BAE Systems Applied Intelligence ended in January, according to a government website.

European, U.S. regulators tell banks to prepare for Russian cyberattack threat (Reuters)

Cyberattack targets Vodafone Portugal, disrupts services (Associated Press)

Privacy patch

Why have 14 of 15 U.S. Cabinet departments bought phone unlocking technology? Few will say. (The Intercept)

Hill happenings

CISA's new JCDC worked as intended, witnesses say at Senate hearing on Log4Shell bug (CyberScoop)

National security watch

U.S., Chinese investors feud over startup Icon Aircraft during national security review of deal (Wall Street Journal)

Industry report

U.S. Chamber urges FTC to hold off on incident reporting rule; financial groups say avoid duplication (Inside Cybersecurity)

Meta, Chime file lawsuit against alleged phishing scam on Facebook, Instagram (Reuters)

Securing the ballot

The bizarre voter-fraud hunt in a New Mexico county Trump won by 25 points (Philip Bump)

Cyber insecurity

Twitter tells U.S. senator it’s cutting ties to Swiss tech firm (Bloomberg)

Donation site for Ottawa truckers’ ‘Freedom Convoy’ protest exposed donors’ data (TechCrunch)

The hacked account and suspicious donations behind the Canadian trucker protests (Grid)


  • National Cyber Director Chris Inglis, CISA Chief of Staff Kiersten Todt and Principal Associate Deputy Attorney General John Carlin speak at the Cyber Initiatives Group’s first-quarter summit today.
  • The Securities and Exchange Commission is set to consider new cybersecurity rules for investment advisers and companies at a meeting today at 10 a.m.
  • The Senate Judiciary Committee is expected to discuss the EARN IT Act at a meeting Thursday at 9 a.m. The bill, which would remove social media sites’ liability protections when users share child pornography, has come under fire from encryption and privacy advocates.
  • INSF and WCAPS host an event on challenges and opportunities for Black women in the intelligence community Thursday at 11 a.m.
  • Cybersecurity firm Dragos hosts a webinar with NSA and CISA officials to discuss industrial control system cybersecurity on Monday at 1 p.m.

Secure log off

“Keep a clean nose. Watch the plain clothes.” Thanks for reading. See you tomorrow.