The cybersecurity space is seeing actual espionage. It’s happening in the private sector, with real-life spies in the office, and it seems to be picking up steam, according to Elise Manna-Browne, VP for Emerging Technologies at Novacoast. She says she’s observed espionage becoming a more and more common motive for threat actors.
While Manna-Browne admits that this is a topic she never thought she’d be speaking about when she entered cybersecurity, it’s indeed a spicy one filled with much of the intrigue found in the spy movies she loves.
This begins Part 1 of our two-part series.
In the News
While many people are aware of the North Korea remote IT worker situation, cyber espionage appears to be gaining significant attention as news coverage intensifies. Many of those working in cybersecurity and threat intelligence know that espionage has been happening and is driven by nation-state actors. Perhaps it’s something businesses should consider when hiring the IT team? How vetted are the people working on the MSP/MSSP teams they’ve contracted?
Example: a group of North Koreans were hired using a few different methodologies, including using AI deepfake videos, to implant themselves in organizations and exfiltrate data. In that case, they also extorted the employer on the back-end. However, their actions do not represent isolated incidents.
There have also been cases where malicious actors leveraged the numerous firings occurring in the US government to select their recruits, as many capable and disgruntled individuals have become available on the job market. It makes sense if you’re conscripting an asset to go after people already disgruntled with your target.
There was another case in which an Ethiopian spy infiltrated both the Department of State and the Department of Justice. He had authorization to work in a Sensitive Compartmented Information Facility (SCIF). He also had authorization to move data between classified and unclassified systems. So, that’s precisely what he did. He stole a lot of data.
But it’s not these kinds of governmental arms that we’re concerned about; even Google has had insiders recruited by nation-states that stole their data. So, when you think about how secure Google is, it’s worrisome that even they are facing this problem.

At this point, let’s consider this obligatory Sun Tzu quote. Even 2500 years ago, Sun Tzu was aware that the topic was important. He created an entire chapter specifically about the use of spies, and that topic remains just as relevant today. This concept is how you get ahead, not just of an adversary. They’re there to learn about you, but you’re there to learn about them, too.
Espionage
Let’s break down some definitions here. What are we talking about? As far as espionage goes, the key piece here is social engineering.
You’re using human behaviors and your understanding of them: you’re weaponizing known behaviors, manipulating others, and using deception to get whatever you need.
This may involve recruiting someone that’s already embedded in the company or organization that you’re going after. It could also involve pressure, such as social pressure or ideological pressure to push the recruited spy to take action.
They play the long game. They put their people where the data already lives versus relying on a system vulnerability or somebody to breach into a system to take it. Now, if you can actually put an implanted “employee” in there that is already aligned with your ideology or who is beholden in some other way (such as financially), that’s a perfect spy in place.
If we’re talking about cyber espionage, that’s really referencing espionage that uses digital tools. While this might feel a bit succinct, we’re going to dig deeper into how traditional spycraft and human-driven operations are crossing over into the cyberspace that we are all familiar with and trying to get ahead.
Adversaries may try to get ahead by disrupting civil operations, data flows, or a critical business operation; doing something to upset the supply chain; or trying to get a competitive advantage. The other key piece is that these attacks are not opportunistic; running an operation such as this is not accidental or incidental. A lot goes into planning a successful recruitment operation.
You might be thinking this doesn’t apply to me at this point. What’s difficult to see when you’re putting out fires all day long is the long-term planning against your business that your adversaries are conducting in the shadows.
Setting the Stage
Let’s make sure everyone is on the same page and clarify a few terms beyond the definitions.
Displacement of Risk
If you’re not familiar with displacement of risk, it occurs when it’s unclear who owns the risk. It’s a type of finger-pointing, such as “That’s your system, your employee, or your data.” This leads to organizations underestimating their part in the supply chain.
Systemic Risk
Systemic risk is about the indirect connections between several objects in a complex system. This focuses on risks that emerge from the interaction of disparate parts from within the system. So, you’ve got a system where things flow from one thing to another, like a domino effect. But no one is taking ownership, and they’re pointing fingers left and right.
- Who’s taking care of this?
- Who’s looking at the larger system itself?
Everyone is looking at just their piece of it. And this leads us to:
Risk Propagation
Risk propagation is that waterfall domino effect, or whatever you want to call it. It’s the spreading of risk from one part of the system to other parts based on their interdependencies within that system.
Ambient Risk
The term ambient risk is essentially used to talk about low-level radiation or pollution that you might be exposed to over time without even noticing it. It’s always affecting you, and the effect is cumulative, yet most people feel safe. Nothing really risky appears to be happening, and there’s no malicious intent associated with creating ambient risk. But it builds in the background until it is fully problematic.
Normal Accident Theory
Stuff happens. That’s the gist of this. In tightly coupled systems, these accidents are inevitable, and you can’t always predict exactly what’s going to occur. When accountability is taken by individual organizations and those organizations are more interconnected than ever, it is easy to see how that domino effect can cause massive destruction if triggered.
Global Supply Chain
If anybody’s heard Elise talk about supply chain before, she kind of gets on a soapbox for a bit. But if we think about the global supply chain as one of these complex systems, it makes it clearer where that domino effect can happen. It stems from one person saying, “They’re going to displace this risk; not my problem,” creating a downstream effect.
The more integrated the supply chain gets, the more pieces there are required to make whatever widget or deliver whatever service, and the more impact a small domino can have on the greater system.

If you are thinking this doesn’t apply to you because you only do retail, or education, or whatever that is, consider that it’s not so much that someone in a foreign government is sitting there planning to go after your company or university. And it’s not your own data that is at issue, but the data you’re holding that may affect some other company or target.
Think about it all as an interconnected puzzle: businesses interact, their systems interact, and all the data is constantly flying between them.
Continued in The State of Cyber Espionage in 2025 – Part 2