Aurora Johnson is the Manager of Security Research Partnerships at SpyCloud, where she focuses on tracking cybercrime ecosystems, insider abuse, and large-scale data exposure risks.
Before joining SpyCloud, Johnson played a key role in U.S. government and private cybersecurity efforts. Earlier in her career, she conducted cyber and AI-focused research at the Center for Security and Emerging Technology and contributed to open-source intelligence investigations with the Los Angeles Police Department.
Johnson notes that mobile data has become a primary target for financially motivated actors. Cybercrime today relies heavily on bribed insiders, identity exposure, and long-term data exploitation. In this interview, Johnson discusses the identity exposure, supply-chain trust, and cross-border operations reshaping today’s threat landscape.
Vishwa: From your past threat-intelligence experience, what investigation or research moment most changed how you understood the global cybercrime landscape?
Aurora: Prior to coming to SpyCloud, I worked at CISA as a cyber threat analyst. At CISA, a coworker and I started the Pre-Ransomware Notification Initiative (PRNI).
As part of this initiative, CISA works with a group of private industry partners tracking ransomware actors to surface active intrusions in their early stages and notify affected organizations. This allows notified organizations to take action before data exfiltration, network encryption, or extortion can occur.
Tracking ransomware actors as part of the PRNI taught me that good cyber threat intelligence can be proactive and not just reactive. By tracking these threat actors and working closely with a range of different partners, we were able to prevent thousands of ransomware incidents from progressing to their most damaging stages.
It was also enlightening to dive deeper into how ransomware groups operate. Like most modern cyber threats, ransomware actors rely on an interconnected ecosystem of tools, infrastructure, and service providers that we refer to as “cybercrime enablement services.”
A single ransomware incident might rely on a distinct malware developer, traffer team, initial access broker, ransomware affiliate group, and a ransomware gang.
Vishwa: SpyCloud’s research highlights the role of insider agreements within telecoms and infrastructure providers in China-linked cybercrime. Are these activities primarily a threat to U.S. organizations, or do you see similar patterns affecting other regions that are less reported?
Aurora: Our research has shown that corrupt insiders at Chinese institutions – including Chinese banks, telcos, and public security bureaus – are selling sensitive data on the side for a profit.
This illicit data trade primarily harms Chinese citizens whose PII sits in these databases. However, it also has global effects, as these institutions and networks also collect and store data on anyone who travels to China, does business with China, or uses Chinese apps and cloud services.
Vishwa: SpyCloud’s research mentions deep-packet inspection and insider agreements within telecom networks. How do these relationships function in practice?
Aurora: Chinese telcos are already analyzing internet browsing activity taking place over their network using deep-packet inspection. The recent 500GB leak of infrastructure firms associated with the Great Firewall (GFW) documented in detail how China is using DPI for monitoring and censorship.
Corrupt employees at telcos are also profiting off of this practice – they have arrangements with illicit and gray-area data brokers to sell user browsing data to any paying customer. This “DPI marketing data” can then be used for nefarious purposes, like conducting highly targeted social engineering campaigns.
Vishwa: How does the recent conviction of a U.S.-based Chinese insider for stealing fiber-laser defense technology fit into the broader patterns you’ve observed? What should companies learn about insider risk and cross-border employment from this case?
Aurora: This conviction highlights a pattern that has continued to grow over the past several years – insider threats are becoming increasingly transnational. In this case, access to sensitive defense-related intellectual property was obtained through the insider’s longstanding legitimate position at an American defense contractor.
After over a decade of employment, he decided to exfiltrate sensitive trade secrets and made arrangements to sell them in China. In some cases, nation-states surveil expatriates and specifically target them to bring stolen intellectual property back home; China's Thousand Talents Program is a prime example of this.
For enterprises, the takeaway is that insider threats are not just an HR or compliance issue. To ensure a secure workforce, all of the different departments in an organization need to work together collaboratively with security teams.
It also requires security teams to be vigilant about their own supply chain – an insider at a contractor or vendor can also leverage their privileged access for malicious purposes. The best defenses against these threats are proactive monitoring and continuous validation of identity and access, not just pre-employment screening.
Vishwa: How are Chinese-language cybercriminal groups innovating beyond traditional or Western techniques, and what does that innovation reveal about their evolving capabilities?
Aurora: Chinese-speaking cybercriminals have their own unique culture and tactics that differentiate them from other cybercriminal communities including Russian-language and English-language actors.
For one, we see more of a focus on monetizing persistent access to data sources, which is very different from the smash-and-grab breaches and data-theft-extortion campaigns we see from Western actors.
Often, this persistent access relies on corrupt insiders who are monetizing their privileged access and selling data on the side. The insider data trade also inherently relies on the Chinese surveillance state. Because so much personal data about Chinese individuals is collected and centralized, it becomes more trivial for insiders to access it and sell it on the side.
Additionally, we see much more of a focus on mobile data and mobile-based scams among Chinese financially motivated actors. Mobile data is collected from apps with excessive user permissions that are developed using malicious mobile SDKs.
That mobile data is then sent back to criminal groups and gray-area data brokers who sell it to any paying customer. It is also collected centrally when insiders at telcos use their privileged access to deep-packet inspection of internet browsing activity to collect and sell data on individuals’ internet activity.
Additionally, Chinese-language phishing actors target both domestic and international users with smishing (phishing via text message). These actors typically use smishing over iMessage and RCS to distribute lures and cash out by committing financial fraud against their phished victims.
Some of the most popular cash-out methods even involve the use of mobile wallet applications – phishers load stolen credit cards into mobile wallet applications before using them to cash out at physical point-of-sale terminals.
Vishwa: Why does visibility into the Chinese cybercrime ecosystem give organizations a decisive defensive advantage, and how can they translate that intelligence into practical risk management actions?
Aurora: As Chinese cybercriminals continue to mature and evolve, it is critical for companies around the globe to understand their unique TTPs so they can protect their networks, employees, and customers.
We often see unique types of fraud and scam campaigns against Western users being perpetrated by Chinese-language threat actors. Pig butchering – a unique type of cryptocurrency investment romance scam – is carried out by Chinese organized crime groups operating in Southeast Asia and usually targets men in Western countries.
It’s also critical for multinational businesses to understand the unique risks to their employees and users that come from operating in different countries with their own distinct security risks.
For SpyCloud’s customers, this can mean correlating their employee or customer data with what appears in underground Chinese sources. Armed with this data, organizations can take actions like resetting compromised credentials, isolating vulnerable systems, and hardening supply-chain relationships before exposed data can be weaponized.