We’ve recently shared a link to a podcast, “The Ghost and the Mole,” which revisits the infamous case of FBI Special Agent turned Russian spy Robert Hanssen. Before dismissing this as just another insider threat story that has little to do with social engineering, take a second look. His operations involved abuse of others’ trust. The ways of espionage are not that far from those of the grifter, the fraudster, and the con artist. They all seek to gain, and then abuse, trust.
Employees need to put aside their emotions and look at situations objectively in order to identify insider threats, former FBI operative Eric O’Neill told the CyberWire. During his time with the FBI, O’Neill helped bring down one of the worst spies in US history.
Robert Hanssen had enjoyed a long career in the FBI, marked by successful advancement to positions of increasing responsibility. He was also a spy, with more than two decades of work for the Soviet Union and the Russian Federation behind him at the time of his arrest in 2001.
Hanssen wasn't just our worst spy in US history, but our first cyber spy.
He was a hacker, back in the time when hackers used to be bad guys. Now they're mostly the good guys. He was able to use his affinity and ability to penetrate computer security systems to steal secrets in a way that we couldn't catch.
When the FBI finally identified Hanssen as a mole, he was “promoted” to supervisor of a newly-created computer security department so the FBI could monitor him, and O’Neill went undercover as his assistant. O’Neill said that Hanssen used his extensive knowledge of the FBI’s security in order to avoid detection.
“In a lot of ways, you can compare Hanssen to that bank manager who knows all of the ins and outs of security for his bank, and slowly and methodically robs it over many, many years, and never gets caught because he knows all the flaws in that security,” said O’Neill. “Hanssen was exactly the same. He knew the flaws in the FBI security, particularly because the FBI was in the middle of an operation to computerize the Bureau, and he knew a lot more about computer security than many of the FBI agents that surrounded him. And that also meant that he knew how to exploit flaws in that security.”
How long it took to identify Hanssen
One of the most striking aspects of the case is how long it took to identify Hanssen as a spy, despite Hanssen’s quirky, narcissistic, and sometimes intimidating behavior. O’Neill emphasizes that the human elements of the investigation made his own job far more difficult and stressful, but they also led to Hanssen’s downfall.
“Humans are squishy,” he said. “We aren't machines. We're not task-oriented. We have an idea of where we want to go and what we want to do, but we meander a bit to get there. Emotions come into play, personalities come into play, foibles about what we think and what we dream and what our politics are all come into play, and everything we want to do.” That is, Hanssen’s colleagues, like people in any organization, were susceptible to social engineering.
His espionage was also enabled by technology. O’Neill came to realize that technology has made espionage much easier to carry out, since so much data are readily available for both on-site and remote exfiltration.
“What I've kind of started saying is that there are no hackers - there are only spies,” said O’Neill. “And that hacking is nothing more than the necessary evolution of espionage. We've made data the currency of our lives, and as we have placed all that data, and taken it away from paper and placed it into computer systems, the network computer systems, and shared information, we've given the spies a very good way in.”
Recruiting assets is nothing other than social engineering
O’Neill’s story shows that not even the FBI is immune to devastating, long-running insider attacks. And it’s also worth noting that the approach an intelligence service takes to recruiting its assets is nothing other than social engineering.
O’Neill makes this point vividly in the interview. Hanssen “became nicer near the end. And he started saying things like, well, there are ways that you can make ends meet and there are things you can do. He was getting very close to explaining what he had done, how he had made ends meet, how he had made the money he needed to support the lifestyle he wanted, and the family that he wanted, in the beginning, when he started his espionage. And the agents running the case and analysts were convinced that he was recruiting me.”
He may well have been doing just that. New-school security awareness training can build a culture of security within your organization so that these threats can be prevented from taking root, and that susceptible insiders can be warned off from the threats they face.
The CyberWire has the story: https://thecyberwire.com/podcasts/cw-podcasts-special-2019-the-ghost-and-the-mole-eric-oneills-gray-day.html