The cybersecurity space is seeing actual espionage. It’s happening in the private sector—not stories in the news—it’s real-life spies in the office, and it seems to be picking up steam, according to Elise Manna-Browne, VP for Emerging Technologies at Novacoast. She says she’s observed espionage becoming more and more socialized.
While Manna-Browne admits that this is a topic she never thought she’d be speaking about when she entered cybersecurity, it’s indeed a spicy one filled with much of the intrigue found in the spy movies she loves.
This begins Part 1 of our two-part series.
In the News
While most people are aware of the North Korea situation, it appears to be gaining significant attention as news coverage intensifies. Many of those working in this space, and in threat intelligence generally, know that espionage has been happening and is driven by nation-state actors. Perhaps it’s something businesses should consider when hiring the IT team? How vetted are the people working on the MSP/MSSP teams they’ve contracted?
Example: a group of North Koreans were hired using a few different methodologies, including AI deep fake videos, “insert buzzword here,” and they implanted themselves in organizations and then exfiltrated data. In that case, they also extorted on the back end. The statement “we will not leak the data, do anything else with it, or pass it to a competitor unless we are paid this ransom in crypto” is characteristic of North Korean tactics. However, these are not isolated incidents.
Initially, it was believed that this situation was related to the numerous firings occurring in the US government, as many capable and disgruntled individuals are currently present in the industry. It makes sense if you’re recruiting an asset to go after disgruntled people.
What was surprising to discover was how well Ethiopian-driven assets and data exfiltration worked. This individual was a spy who infiltrated both the Department of State and the Department of Justice. He had authorization to work in a Sensitive Compartmented Information Facility (SCIF). He also had authorization to move data between classified and unclassified systems. So, that’s precisely what he did. He stole a lot of data.
But it’s not these kinds of governmental arms that we’re concerned about; even Google has had insiders recruited by nation-states that stole their data. So, when you think about how secure Google is, it’s worrisome that even they are facing this problem.
This story is also fascinating from the Ethiopian perspective. The actor had Top Secret security clearance as well. Many organizations are now planning to do more thorough background checks, yet a Top Secret clearance already represents a comprehensive background check. He still continued to sneak in, recruit others, and steal data.

At this point, let’s consider this obligatory Sun Tzu quote. This is why every CIA analyst you may meet has a gigantic ego. But even 2500 years ago, Sun Tzu was aware that the topic was important. He created an entire chapter specifically about the use of spies, and that topic remains just as relevant today. This concept is how you get ahead, not just of an adversary. They’re there to learn you, but you’re there to learn them, too.
Espionage
Let’s break down some definitions here. What are we talking about? As far as espionage goes, the key piece here is social engineering.
You’re using human behaviors, your understanding of them; you’re weaponizing known behaviors and then manipulating them and using deception to get whatever you need to get.
This may involve recruiting someone that’s already embedded in the company or organization that you’re going after. It could also involve pressure, such as social pressure or ideological pressure—like “you owe us something.” These approaches require a bit more of those details. You have compromise, which is essentially blackmail or implants. So, all of this is kind of the North Korean piece.
They played the long game. They put their own people where they could steal data rather than relying on a system, or on somebody breaching a system, to take it. They kind of had a trustworthy piece in there. If they had recruited somebody already embedded there, there’d be that question of loyalty.
Now, if you can actually put a complete implant in there that is already aligned with your ideology, that’s a perfect spy in place.
If we’re talking about cyber espionage, that’s really referencing espionage that uses digital tools. While this might feel a bit succinct, we’re going to dig deeper into how traditional spycraft and human-driven operations are crossing over into the cyberspace that we are all familiar with and trying to get ahead.
The aim is gaining an advantage over adversaries by disrupting civil operations, data flows, or a business; doing something to upset that; or simply trying to get ahead. There is definitely room for espionage to try to get a competitive advantage. It has even been observed from private sector to private sector.
The other key piece is that it’s not opportunistic; being able to run an operation such as this is not so much accidental or incidental. It’s not as if they see an IP address in a scan, notice the service header, and decide to go after it.
A lot goes into planning a successful recruitment operation. You might be thinking this doesn’t apply to you at this point. But what’s difficult to see when you’re putting out fires all day long is the long-term planning your adversaries are doing against your business, because you’re constantly in the weeds.
Setting the Stage
Let’s make sure everyone is on the same page and clarify a few terms beyond the definitions.
Displacement of Risk
If you’re not familiar with displacement of risk, it is defined as the situation where it’s unclear who owns the risk. It is a type of finger-pointing, such as “That’s your system, your employee, or your data,” meaning it’s not your problem. Not my chair, not my problem.
Systemic Risk
Systemic risk is about the indirect connections between several objects in a complex system. This focuses on risks that emerge from the interaction of disparate parts within the system. So, you’ve got a system where things flow from one thing to another, like a domino effect. But no one is taking ownership, and they’re pointing fingers left and right.
- Who’s taking care of this?
- Who’s looking at the system itself?
Everyone is looking at just their piece of it.
Risk Propagation
Risk propagation is that waterfall domino effect, or whatever you want to call it. It’s the spreading of risk from one part of the system to other parts based on their interdependencies within that system.
Ambient Risk
Ambient risk is a term borrowed from talking about low-level radiation or pollution that you might be exposed to over time without even noticing it. It’s always affecting you, and the effect is cumulative, building up over time while most people feel safe. Nothing really risky appears to be happening, and there’s no malicious intent associated with creating ambient risk.
Normal Accident Theory
Stuff happens. That’s the gist of this. In tightly coupled systems, these accidents are inevitable, and you can’t always predict exactly what’s going to occur because there are so many pieces of the puzzle. It’s really hard to get ahead and say, OK, if A and B happen, then J and K are certainly going to happen, and therefore Y and Z. It is very easy to overlook that risk, especially if no one is considering the systemic aspect of this.
Global Supply Chain
If anybody’s heard Elise talk about supply chain before, she kind of gets on a soapbox for a bit. But if we think about the global supply chain as one of these complex systems, it makes it clearer where that domino effect can happen. It stems from one person saying, “They’re going to displace this risk; not my problem,” creating a downstream effect.
The more integrated the supply chain gets, the more pieces there are required to make whatever widget or deliver whatever service, and the more impact a small domino can have on the greater system.
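To make the domino effect from the Systemic Risk, Risk Propagation, Displacement of Risk and Global Supply Chain sections concrete, here is a small added example (not from the talk or from Novacoast) that models a supply chain as a dependency graph, walks the downstream impact of a single compromised component, and flags the links along that path that nobody has claimed ownership of. All component names, owners and dependencies are constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Component:
    """One piece of the supply chain. owner=None means nobody has accepted
    responsibility for it (displaced risk: 'not my chair, not my problem')."""
    name: str
    owner: Optional[str]
    depends_on: List[str] = field(default_factory=list)

# Constructed sample supply chain (hypothetical names, not a real environment).
# Edges point from a component to what it relies on; risk flows the other way.
SAMPLE_CHAIN = [
    Component("contractor-laptop-image", owner="msp"),
    Component("msp-remote-access", owner=None,
              depends_on=["contractor-laptop-image"]),   # MSP and customer each say it is the other's
    Component("retailer-inventory-db", owner="retailer-it",
              depends_on=["msp-remote-access"]),
    Component("supplier-portal", owner="retailer-it",
              depends_on=["retailer-inventory-db"]),
    Component("partner-logistics-api", owner=None,
              depends_on=["supplier-portal"]),            # partner assumes the retailer secures it
    Component("university-research-share", owner="campus-it"),  # unrelated, should stay untouched
]

def build_graph(components: List[Component]) -> Tuple[Dict[str, Component], Dict[str, List[str]]]:
    """Index components by name and build the reverse map: for each component,
    which other components depend on it (the direction risk propagates)."""
    by_name = {c.name for c in components}
    graph = {c.name: c for c in components}
    dependents: Dict[str, List[str]] = {name: [] for name in by_name}
    for c in components:
        for dep in c.depends_on:
            if dep not in by_name:
                raise ValueError(f"{c.name} depends on unknown component {dep}")
            dependents[dep].append(c.name)
    return graph, dependents

def propagate(dependents: Dict[str, List[str]], origin: str) -> Dict[str, int]:
    """Breadth-first walk downstream from the compromised component.
    Returns {component: hops from origin} for everything that inherits the risk."""
    hops = {origin: 0}
    queue = deque([origin])
    while queue:
        current = queue.popleft()
        for nxt in dependents[current]:
            if nxt not in hops:
                hops[nxt] = hops[current] + 1
                queue.append(nxt)
    return hops

def blast_radius(components: List[Component], origin: str) -> Tuple[Dict[str, int], List[str]]:
    """Return the affected components (with hop counts) and, separately, the
    affected components that have no owner: the displaced-risk links in the chain."""
    graph, dependents = build_graph(components)
    affected = propagate(dependents, origin)
    unowned = sorted(name for name in affected if graph[name].owner is None)
    return affected, unowned

if __name__ == "__main__":
    affected, unowned = blast_radius(SAMPLE_CHAIN, "contractor-laptop-image")
    for name, distance in sorted(affected.items(), key=lambda kv: kv[1]):
        print(f"{distance} hop(s): {name}")
    print("links nobody owns on that path:", unowned)
```

Run as written, the walk reaches five components across four hops while the unrelated university share stays clean, and the two unowned links on the path are exactly the places where the talk's "not my problem" finger-pointing would let the domino keep falling. Swapping in your own component inventory (owner field populated from whatever asset register you actually keep) turns the same walk into a quick check for where ownership gaps sit downstream of a third party.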
Mosaic Intelligence
Essentially, this is the collection of small pieces of very benign data, correlating them all together. It’s usually unclassified types of data that are very simplistic, taken from multiple sources, and synthesized together.

If you are thinking this doesn’t apply to you because you only do retail, or education, or whatever that is: it’s not so much that someone in a foreign government is sitting there planning to go after your company or university. It’s not your own data that affects you, but the data you’re holding that may affect some other company.
Think about it all as an interconnected puzzle: businesses interact, their systems interact, and all the data is constantly flying between them.
Continued in The State of Cyber Espionage in 2025 – Part 2