
March 8, 2024

Former Google engineer caught stealing company's AI secrets


On March 6, 2024, former Google engineer and Chinese national Linwei Ding was arrested for stealing proprietary information from Google and transferring it to two unnamed China-based companies.

The indictment alleges that Ding, an employee of Google since 2019, stole proprietary information related to Google's supercomputing data center infrastructure used for running AI models, the Cluster Management System (CMS) software for managing the data centers, and the AI models and applications they supported.

Between May 2022 and May 2023, Ding allegedly used Apple's Notes application on his Google-issued MacBook to copy data from Google source files. These stolen files were then converted into PDF format and uploaded to his personal Google Cloud account. Ding also allowed a fellow employee to use his access badge for Google’s U.S. office, making it appear as though he was working in the U.S. when in fact he was in China.




Ding has been charged with four counts of theft of trade secrets, for which he faces a potential penalty of 10 years in prison and a $250,000 fine for each charge. The U.S. Department of Justice alleges in the indictment that Ding’s motivation to steal the information was to enrich himself by providing two China-based AI companies, for which he worked as the Chief Technology Officer and Chief Executive Officer, an unfair competitive advantage.

Source: The Hacker News

Analysis

This incident serves as an excellent reminder of the damage insider threats can cause to organizations. With IT administrators busy focusing on keeping systems running and mitigating the ever-present risks posed by hackers, it's easy to forget that insider threats are also a clear and present danger, especially in the technology and defense sectors.

Insider threats can be current or former employees, interns, contractors, consultants, or stakeholders—basically any organization member with significant access or knowledge of its infrastructure and data. When their internal privilege is abused, either through deliberate action or unintended error, it can cause serious harm to business operations, reputation, customers, and assets.

In 2016, businessman Su Bin, a citizen of China and permanent resident of Canada, pleaded guilty to conspiring with two unnamed hackers in China to export U.S. military information between 2008 and 2014. Bin specialized in aviation and aerospace products as the owner of Lode-Tech, a company that specialized in aircraft cable harnesses.

While his company had very few U.S. Air Force contracts, Bin made close business contacts within the global defense industry community, which he used to gain insight into protected technology and eventually unfettered entry into company files. Prosecutors said Bin used this access to help two People’s Liberation Army hackers steal more than 630,000 files from Boeing related to the C-17 cargo aircraft and data related to the F-22 and F-35 fighter aircraft.

Su Bin instructed the hackers on which individuals, companies, and technologies to target, and helped translate the data they obtained from English to Chinese. Bin and his co-conspirators also drafted and distributed reports directly to a department in the PLA’s General Staff Headquarters.

Bin’s espionage work allowed the Chinese military to reverse-engineer a wide variety of aircraft components that would otherwise have cost millions to develop from scratch, saving not only money but a great deal of time associated with research and development.

It’s believed that some of the design features of the F-22 and F-35, outlined in information provided by Su, were later incorporated into China’s latest fighter, the J-20.

Image 1: Chinese J-20 fighter (left) and U.S. F-22 fighter (right) 

More recently, Jack Teixeira, a Massachusetts Air National Guard member, pleaded guilty this week to leaking sensitive U.S. military documents about the Ukraine war and other sensitive military topics online, in one of the largest breaches in modern U.S. history. This shows that insider threats are just as much a threat to the public sector as they are to the private sector.

For more information on insider threats, please read Field Effect’s blog “What is an insider threat in cybersecurity?”

Mitigation

Fortunately, there are many measures organizations can adopt to mitigate the risk posed by insider threats. Employee Assistance Programs (EAPs) are vital in providing support to employees who may be experiencing addiction, financial, or marital issues, all of which are factors that may cause an employee to become an insider threat.

Furthermore, implementing security controls, such as restricting access to personal accounts from corporate resources and banning the use of removable media, makes it much more difficult for data to be removed from the network without authorization.

Covalence can automatically notify IT administrators when unauthorized removable media is inserted into protected endpoints and block employees from transferring data to them. Additionally, Covalence users are automatically notified when large amounts of data are transferred outside the corporate network. Covalence users are encouraged to review these types of AROs, indicative of a potential insider threat, as soon as possible via the Covalence Portal.
