Transcription performed by Leah Hervoly
[START OF RECORDING]
JACK: Here’s a question; what’s the biggest threat facing music venues, sports stadiums, and theatres? Well, I don’t know, but I’m gonna go out on a limb and guess, but it’s insider threats. What I mean is I think there are a ton of people who want to get free entry into all these places, and they do get in without paying all the time by using an insider. I’ve seen it with my own eyes; I’ve been to the movie theatre and saw someone pay their way to go in and then once inside, open up one of the side doors and let their friends in who were outside. I’ve also seen the same thing at a baseball stadium; someone was standing outside the exit and they were just waiting for someone inside to leave, and as soon as that door opened on the stadium, boom, they grabbed the door right before it closed and went inside and quickly blended into the crowd. They just got free entry into a sporting event, all because someone on the inside let them in. Insider threats are a major problem that companies have to face.
(INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]
JACK: Let’s start with just you telling us your name and what do you do?
LISA: Okay. [MUSIC] Do you want me to – are you good to start now?
LISA: Okay. Hi, I’m Lisa Forte. I’m a partner at Red Goat Cyber Security, and professionally I run cyber-crisis exercises, deliver training, and insider threat program development companies. In my personal life, I climb, cave, and explore abandoned mines.
JACK: So, do you have a degree? What did you get your degree in?
LISA: So, I did my degree in law and then I did a masters in international law and Maritime law. So, I was very legally focused and then decided that – well actually, by accident I got involved in security and more physical security, and I – that’s how my career sort of took off and I abandoned law completely. So…
JACK: Okay, so a degree in Maritime law. Where did that take you?
LISA: So, I actually got a job working for private security companies, as they like to be called, putting – you put eventually armed guards onboard ships to protect them from pirates and fortified the ships to protect them from pirates.
JACK: [MUSIC] Whoa, Lisa’s job out of college was to help secure ships from pirate attacks? That’s wild. Apparently there are a lot of ships that need to move cargo past dangerous waters like the coasts of Somalia. Now, Somalia has been characterized as a failed state in the past, with insurgents currently controlling a portion of the country. There are parts of Somalia that have no organized government. So, for a while, it was a dangerous area for ships to pass by, since there were Somali pirates that would try to come and take over the ship. When a pirate attacks you out to sea, nobody is around to rescue you if you get in trouble out there. So, ships were increasingly trying to find ways to protect themselves, but legal questions started to come up. Are they allowed to carry weapons and put armed guards on ships?
Well, sure; it’s out there in the ocean. Who’s gonna enforce laws out there? But what about when you’re docking into ports in countries where weapons are banned? Lisa was helping this shipping company navigate the Maritime laws to learn what they were legally allowed to do to protect themselves. But this soon got her interested in making their ships more secure, like adding defense mechanisms to thwart pirate attacks. She started thinking through all the scenarios of what could go wrong out in open waters and how to protect against it. This interested her more than the law stuff, so she moved into the operations side of things, helping boats secure themselves from pirates.
LISA: And just loved it, and just loved working on security and managing risk. That’s basically what kickstarted my love of security.
JACK: Yeah, tell me more about this pirate stuff. What were some of the tasks you were given and what were you doing there?
LISA: It sort of started really in the nineties in the Somalia area, so the Horn of Africa, as they called it. It actually started because the Somali people were attacking ships and tackling illegal fishing that was happening in Somali waters, and it sort of evolved to a point where they became essentially as sophisticated as we now see ransomware groups in the cyber-security space. So, they had – they were running insiders and big insurance companies in Europe, they were doing OSINT, they were running motherships to have lots of attack boats out on the water. They were hugely, hugely well-funded; I think at one point it was like $13 billion annually that they were making. It was an insane industry.
JACK: [MUSIC] She studied what these pirates were doing, and typically they had ways of finding out what ship would be passing by and where it was located off the coast of Somalia out in the Indian Ocean. Then the pirates would dispatch a few small, fast motorboats, skiffs to catch up to one of these massive cargo ships. They’d get alongside of it and throw grappling hooks onboard the ship and climb onboard with assault rifles.
LISA: So, they’d – they would take control of the ship. They would get to the bridge, they would take control of the ship, and then they would hold the ship and its cargo for ransom. So, that’s how they do it, and then typically that ransom would be paid and they would release the vessel. But yeah, it was obviously horrible for the crew. There were many situations where people were killed, crew were killed from the boardings that happened. It’s a very, very difficult situation to be on a ship. You definitely don’t want to be having a gun battle inside a metal ship. That’s – you know, there’s not an optimal situation for that.
JACK: Okay, so if that’s the typical attack scenario they’re facing, Lisa had to figure out ways to straight put an end to these attacks, which would also save lives of the people onboard her ships.
LISA: When you’re thinking that scenario through, you need to put barbed wire up around the ship to make it harder to get onboard. You need to weld internal doors shut in the right order so that you can slow their advance through the ship if they do get onboard. We’d also build a citadel in the middle of the ship which would be a bit like a panic room for the crew of that vessel to go into if the pirates boarded the ship, because obviously the main priority at that point is to save the lives of the crew. We’d also put water cannons around the ships, and there was this really cool device that lots of shipping companies implemented on their ships called an LRAD.
JACK: LRAD. Well, that sounds intriguing, and you know me; when I’m intrigued, I want to know more. So, I looked up what LRAD is, and it’s got an interesting origin story. It was invented because of what happened to USS Cole. [MUSIC] This is a Navy destroyer, a warship, and in the year 2000, USS Cole was parked in Yemen, resupplying. Well, a barge came up alongside it and [EXPLOSION] it detonated a bomb right next to it, causing a major hole in the hull of this destroyer. Al-Qaeda took credit for this attack, which was eleven months before 9/11. So, what the Navy needed was for a way for ships to warn or communicate or to protect themselves from potential enemies without having to be lethal. I mean, this was a warship that was attacked. They could have easily defended themselves by just opening fire on any ship that got too close, and that’s just not practical to shoot at any ship that gets too close. So what the Navy wanted was a way to stop other ships from approaching unless they were approved.
This is why LRAD was invented. LRAD is an acronym; it stands for Long-Range Acoustic Device. Simply put, it’s an MP3 player, but with a wicked set of speakers, speakers that can be pointed in a specific direction and heard up to two miles away. [MUSIC] So, if a boat is approaching, you can play it a message in whatever language you have on the MP3 player to warn them ‘don’t come closer or else.’ Okay, so LRAD’s a directional speaker, but it’s also a weapon. Some call it a sound cannon because this thing is capable of pumping out noises of up to 160 decibels at range. Your car horn is somewhere around 110 decibels, and I’ll tell you, if you stood right in front of your car while it’s honking, it’ll start to hurt your ears pretty quick, and you’ll want to leave the area or cover your ears. 160 decibels is more like a train horn, and if the LRAD is pointed right at you playing sirens as loud as a train horn, your ears are going to start to hurt and you’re gonna wanna get out of there.
Even if you cup your hands over your ears, it only reduces it like, twenty-five decibels, so it’s still uncomfortable. Even if you put really good earplugs in, well, now you’re pretty much deaf if you continue to approach. You can’t talk on the radio or chat with the person next to you, and you really can’t hear anything of what’s going on. So, once this technology became commercially available, cargo ships who were passing by dangerous waters were equipping them to try to push back any suspicious boats that were approaching, first by giving them a verbal warning in different languages, and then turning on a siren if it got closer, which would push them away if they couldn’t take the noise.
LISA: It’s supposed to be so incredibly painful if this sound wave hits you that it’s disorienting, and that was used really successfully because obviously the last thing we want to use is force, right? We don’t want to be firing at human beings. But we also recognize that we had to have that capability. For the while, pirates were often targeting ships that had no armed guards, and they knew what ships did and did not have the armed guards on. So, over time, that became mandatory. So, we put armed guards onboard the ships that would have – well, for the last company I worked for, they would have M4 carbines, and they had a whole set of rules of how you would escalate force with lethal force being the absolute last resort if necessary. One day it was – I would run these people and they would call it and check in and sort of tell me what was going on and whatever, and if there was an approach made by the skiffs, made by the pirates, they would call me on the satellite phone and alert me to it because the company had to be appraised of how the situation was escalating. [MUSIC] So, one day I’m driving back from a BBQ with another colleague and the phone goes.
I answer it and it’s one of my team leaders onboard the ship. He says we’ve been approached; we’re being approached by three vessels. We’ve sent them warnings, we’ve tried to raise them over the VHF, we’re not getting any response. They’re kind of heading straight for us. We’re just letting you know. So I was like okay, thank you; that’s great. Just escalate the force as usual, which would typically be fire the water cannons, set off the LRAD. If still that didn’t work, you’d fire shots well clear of the target, so into the water around the boat to give them a warning. So, they did all this escalation of force, and then one of the other guys comes on the phone and he says they’ve just fired an RPG at the boat. I remember I had them on speakerphone and I looked at my colleague. My colleague looked back at me and we just thought, what on Earth do we do now? The pirates had an RPG on their boat and they’d fired it and hit it at the ship. It hadn’t actually hit the ship; it hit a cargo container onboard the ship. To say that this shocked me well out of my comfort zone in about the space of thirty seconds was – be a huge underestimate of how I felt at that moment in time.
JACK: Well, clearly these approaching boats were escalating the situation, so the cargo ship returned fire on the smaller boats.
LISA: My team who were onboard the ship, they fire their weapons; they hit the skiff and the skiff stops dead in the water. This could have been a bit of a risk because the ship that they were on was slow. It wasn’t very maneuverable. Assuming they would possibly have more RPGs onboard that boat, they could have done a lot of damage, but thankfully it didn’t go any further. But that moment for me was – it just sort of catapulted me into a whole world of now what? It was – yeah, I don’t think I’ve ever had anything quite like that since, to be honest, and hopefully not again.
JACK: That story reminds me of the classic quote from Mike Tyson.
MIKE: Everyone has a plan until you punch them in the mouth.
JACK: I like that quote because I feel like it carries over into cyber-security; you can and should make all kinds of plans for when you get attacked, but there will still be an incident that hits you in a place that hurts, bad. [MUSIC] If whatever plan you have doesn’t guide you through that situation, you’re having to figure out things on the fly, which is not good.
LISA: Yeah, and I think the other thing was that in a very similar way to ransomware groups, the pirates’ tactics developed quite quickly. The other problem was they were very well-funded because they were receiving all these ransom payments. So, they had the ability to do things that we couldn’t do on our side because obviously it would be hugely illegal or at least incredibly frowned upon by the international community.
JACK: Yeah, that’s another interesting concept, that attackers don’t stick to what’s legal or play by the rules, yet defenders do have to remain legal on how they defend, which gives these kind of battles a type of asymmetry in how the battle is waged and how companies secure themselves online. So, after Lisa helped secure ships from pirate attacks, she decided to move on to something else.
LISA: So, I actually took a – I took a job working for UK counter-terrorism intelligence for – it’s essentially run by the UK police, their counter-terrorism intelligence capacity, I suppose, which was interesting. I learned a lot, definitely. Really appreciated the experience and learnt a lot about online radicalization, particularly, and how that worked and why it was so successful. So, it was a really good learning experience and it very much got me interested in the cyber OSINT online space. Then I moved into one of the UK police cyber-crime units as a cyber-protect officer helping basically give advice to companies on how best to protect themselves and spreading that message. That was really what kickstarted my cyber-specific type of career.
JACK: It was after that when she left that job and started her own cyber-security company called Red Goat, which is when I started following her on social media and such. Her company does cyber-security crisis exercises.
LISA: A bit like what I used to do with the ships, essentially; running through what we would do if an attack happened, but also we’ve been doing a lot of work in the insider threat space, helping companies develop their programs, helping companies develop their responses to insider threat attacks, and that’s been a really interesting journey for me.
JACK: Insider threats; this intrigues Lisa a lot, and she’s been focusing on this particular aspect of cyber-security for a while. Sometimes cyber attacks come from inside the company by somebody who works in maybe accounting or in a science lab, and this is very dangerous since these people have trusted access. So, why is that? Why would someone attack the very company they work at, and how can companies even defend themselves against this? Well, to understand this, let’s hear a story of how one of these attacks happened.
LISA: [MUSIC] So, I have one story that I can talk about, which I’ve had to – full disclosure, I’ve had to change a couple of details in it to obfuscate who the company was.
JACK: It starts out with her going to a company to have a meeting, and at that meeting, one of the guys there says he’s read Lisa’s report on insider threats and he wants to run something by her to get her take on it.
LISA: So I said okay, yeah, sure, no problem. He says it’s about insider threats, but I kind of need to have this conversation in a different room. So I thought okay, fine. We sort of chat on house rules, agree to keep it quiet and sort of redacted.
JACK: He goes on to say that the company he’s working for is in the middle of dealing with an insider threat themselves, and starts explaining what happened to Lisa.
LISA: He said well, he’s a scientist who works at this company and basically he’d written a long LinkedIn post. When we went back onto his LinkedIn to look, you could see the long LinkedIn post and this comment from this profile that was a woman who asked this kind of fairly leading, maybe slightly provocative question.
JACK: LinkedIn is turning more and more into a social network now. Not only does your profile show you where you work and where you live and what skills you have, but you can make posts and write articles and share pictures and comment on other people’s posts, too. The post that the scientist made didn’t have anything wrong with it per se; like, it wasn’t revealing any private data about the company or anything, but the comment he got from this woman was interesting. Well, to him at least, so he clicked on her LinkedIn profile. Huh, she’s a scientist just like him, and she works in the same field as him, too. This combination of having similar skills and interests and her comment on his post was enough to get him to direct message her and begin chatting. They started by pointing out their common interests and learning more about each other, and they seemed to be interested in each other. Chats continued going back and forth for a while. Eventually they exchanged e-mail addresses and he started e-mailing her from his work e-mail account. [MUSIC] Now, this is interesting because the company he worked at was able to later pull up these e-mails and see what they were talking about. So, Lisa was actually shown what these e-mails looked like.
LISA: When we review them, it’s sort of saying things like talking about how much he hates his manager, how frustrated he was. So, this was at the very start of COVID. Because of the nature of his job, he’d been asked to still come into the lab, whereas other colleagues could work from home and that caused him a lot of irritation, shall we say, and his manager was being rude. The normal, I suppose, problems that we have in a workplace. Nothing particularly untoward. Then she says to him, do you want to come and visit me? I’m in Kazakhstan. Having been – or been looking at flights to that area of the world, they’re about – from the UK, roughly about £500 for a flight. So, for someone’s who’s a relatively successful scientist in this kind of organization, that’s not a lot of money for someone that’s on that sort of salary. Yet, his response is I really can’t afford that. I can’t afford to take a trip.
I can barely afford to service my car, which is quite interesting but also sort of alludes to the fact that potentially he’s having some sort of financial trouble, personal trouble that’s draining his finances in some capacity. So, she then has this amazing idea that there’s a job role that she might be able to get him in Russia. Her company spans all these different countries and there’s a job opening for a scientist of his description there, and she’s pretty certain she can get him the job, but she needs to see proof of some of the things he’s been working on just to kind of make sure his experience is sufficient, et cetera, et cetera. So, he proceeds to send her large quantities of files, documents, projects, things that he’s been working on that are obviously hugely sensitive that the company themselves are sinking a large amount of money into R&D. They go into loads of detail oddly over work e-mail on relocation costs and relocation packages and remuneration packages and things like this, all of which were exceptionally generous.
JACK: Hm, imagine being in this position, yeah? You’re offered a significantly higher-paying job in another country with all moving expenses paid. It sounds and looks good to you. You want the job, but they say okay, but show us that you have the skills to do what it takes. You might say well, just look at my LinkedIn profile; it shows all the things I’m good at. But then they say yeah, but we want to see examples of your work. Is there any research that you’ve done that you can show us? This scientist thought that was a good opportunity. Of course he wanted to show off his work, right? This was a big chance for him to move up in the world.
So, he starts sending them work he’s done, formulas he’s created, compounds, mixtures, and some of the actual scientific work he was doing at this company. Of course they had more questions and wanted to know more about what he was doing at the company. So, he starts sending them other research and is now approaching the line of sending these people some of the intellectual property of the company he worked for. I mean, as Lisa explains it to me, it almost sounded like this scientist was giving up some of the secret recipe of what goes into the company’s product. Sending proprietary information that your company doesn’t want to be public is a form of a data breach. Since this was a scientist working in the lab of that company who was leaking the data, then this is classified as an insider threat actively exfiltrating private information.
LISA: This goes on for a while, and she actually sends him some documents too to get his opinion on some scientific documents she’s working on, the validity of which is very difficult to establish, I suppose, because they’re in Cyrillic, they’re – you don’t know whether you’ve just made it up or stolen it from somewhere else. Who knows how genuine it was?
JACK: This is sort of common for the scientific community to get their work peer-reviewed, so nothing was really out of normal for him to see some other research that another scientist was working on.
LISA: Yeah, so he sent all this stuff, she sent some stuff back to him, so I’m presuming from his perspective he’s thinking it’s – there’s some sort of level of reciprocity going on. Then something happened that really diverted the company’s investigation, and I’m not sure and I still to this day am not completely sure whether I think it was coincidental or whether it was a deliberate act to obfuscate what else had been going on. But essentially, this woman said that the person in HR in this company was going to send him some stuff to read. So, they sent him the stuff to read, he opens it on his work device – not a lab device but another work device – and surprise, surprise, it contains some malware.
JACK: [MUSIC] Hm, this just dialed up the threat significantly. I mean, up until this point, this could have been a legitimate job offer and he was voluntarily sending them data so he could just show them how good he was. But for them to install malware on his computer? Now I don’t trust her at all. In fact, I don’t even believe any of her profile is accurate. She’s probably not a scientist, she probably doesn’t live in Kazakhstan, and maybe she’s not even a woman. This whole thing was an elaborate plan just to get access into the company that this scientist worked for.
LISA: Now, the company at this point – for whatever reason, the malware didn’t execute properly or something was wrong with it. Something happened that meant that the payload wasn’t delivered successfully, which was lucky. But what happened was, which was more interesting, suddenly this set off alarm bells in the company, which was the first time they actually realized something had gone wrong. They hadn’t noticed any of this prior to this piece of malware. At that point, it diverted all of their attention and all of their resources into that.
JACK: The company took a look at the scientist’s computer for any suspicious activity, then started asking the scientist questions. This eventually led them to the e-mails that were going back and forth that the scientist was sending, and there were all kinds of private information in there being sent outside.
LISA: But they immediately suspended him as soon as they found out that he’d been passing files and so on and so forth. Now, interestingly, when I first came in and I started having conversations with them, I said how long has he been suspended for? They said something like two, three days, something like that. I said okay, so his account has been disabled; he can’t get in, he can’t do anything. They sort of paused and looked at me and I thought, you haven’t disabled his account, have you? They hadn’t. They hadn’t done anything at all. Thankfully he hadn’t tried to access anything from his home, so that was a piece of luck, but again, more often than not, these situations happen, you haven’t disabled that account, and then they go in in some sort of act of revenge or sabotage to do something callous.
JACK: So, they fired this scientist and tried to make sense of who would target a company like this. Lisa never got to the bottom of that, but she had some theories.
LISA: [MUSIC] I would say that the two most likely situations would either be corporate/industrial espionage, so a competing company in a foreign state wanting to steal R&D to get ahead. That’s likely. They’ll invest lots of time, effort, and money into doing that. Or conversely it could also be a nation state actor if they saw enough benefit in it. I know MI5 in the UK have – with another organization have launched a Think Before You Link campaign because they claim that this has become such a huge problem in the United Kingdom that they’ve launched a whole app and a whole campaign to try and raise awareness of this – pretty much this exact attack vector, in some respects; being contacted on LinkedIn by profiles asking for information. So, I think in certain industries, this could be attractive to nation states as well. But yeah, I think those are probably the two most likely, because we haven’t seen any evidence of it leaked anywhere. It hasn’t looked like it’s been up for sale anywhere to our knowledge. So, that – if I had to stab in the dark, that’s where I’d go.
JACK: Hm, nation state actors? Really? Are we at that point that government spies are using LinkedIn to make connections with people and sending them malware? Well, yeah. Looking at the news recently, I saw a story that did exactly this. [MUSIC] Back in March of 2022, someone broke into a crypto company, Axie Infinity, and stole $540 million worth of cryptocurrency. This was attributed to be the work of the government of North Korea. The latest article I read about this story is that the way they got in was through LinkedIn. They targeted people who worked at Axie Infinity, enticed them with great job offers, and when the employee opened the document, malware was put on their work computer, which gave North Korean hackers access into that network. That’s how they were able to steal $540 million worth of crypto. So yes, nation state-level threat actors are in fact using LinkedIn as a way to social-engineer someone to get access into that company. It’s no wonder, right? If you want to target a specific company, it’s so easy to go onto LinkedIn, look up the company there, and see a whole list of people who work there. Then you can interact with those people right there on LinkedIn to try to manipulate them or coerce them into doing something like sending you intellectual property or getting them to install your malware. So I wonder at this point; is LinkedIn itself a vulnerability?
LISA: I don’t know, because you see, this is the trouble I have. On the one hand, it’s important for my business and my career to be present online. But conversely, I appreciate that that makes me much, much more vulnerable. So, it’s a really difficult one. I’ve been contacted on LinkedIn by very strange individuals who have offered me all sorts of really strange opportunities in exchange for information on people and people I’ve worked with. You don’t have to name your clients, but tell me what they’ve been doing with this, this, and this, almost all of which have been very odd profiles; typical stock image-type profile pictures. I wouldn’t say hugely clever, but that may be because I’m tuned into this type of attack vector that I can spot that in a way other people might not be able to.
So, I’m well aware that this is clearly going on. I’ve got a friend, Philip Ingram, who used to work in the British military, and he gets contacted all the time by people who he, at least, believes are from China who are trying to get information or invite him to very suspicious-type events to sort of lure him, I suppose, into maybe handing over some information. So, I think it’s – it definitely makes you more vulnerable, but that’s the society we live in, so I think we probably need a little bit more healthy paranoia. It would also be great if on LinkedIn you could turn off direct messages. That would be an amazing functionality to have on LinkedIn, because you can do that on Twitter, you can do it on Instagram, but you can’t do it on LinkedIn.
JACK: It’s true; if someone has LinkedIn Premium, they can direct message any user they want. But I think fixing that alone isn’t enough that it’s gonna stop this kind of attack. Anyone can still comment on your posts and see your profile, and perhaps work out what your e-mail address based on your name and where you work. So, I’m not sure if that’s the best fix for this. Personally, I don’t like putting any personal information online, especially listing my whole resume on LinkedIn. I’m on LinkedIn myself, but I’ve redacted all the names of the companies I’ve worked for and all the locations. I used to say I’m a podcaster, but I get contacted by a lot of PR companies and shady marketers who want to pitch me a guest or game the podcast charts for me. So, now I don’t even say I podcast, but I can see clearly that the more information you put up on LinkedIn, the more someone can use that to their advantage, not yours. [MUSIC] We’re gonna take a quick break here, but stay with us ‘cause when we come back, Lisa’s gonna tell us another insider threat story.
LISA: So, I think one of the most powerful stories for me that I’ve come across in my work was actually a situation where there was a young girl who worked for this company. The company worked in the extractive industry, so sort of oil and gas, that sort of situation. People think that the oil and gas industry is not very innovative, but it’s actually really innovative and it has a lot of very valuable commercial licenses and information that is incredibly saleable. This girl had sort of come out of university, she’d traveled around South America, she’d done humanitarian, environmental projects, things like that, and she’d accepted this job within this company and was on their environment impact team. She was contacted on Facebook, actually, so a different platform to the usual ones. She was contacted by this girl who claimed to be in Peru. This girl actually claimed to work for the same company and she said oh, I see that you work for the same company as me. I’m really interested in learning and practicing English, I’m really interested in British culture, traveling to the UK and things like this. It would be great to connect, be friends on Facebook, whatever.
JACK: Huh, what a soft and gentle approach to start this out with, huh? The woman who worked at this oil and gas company had done some volunteer work in Peru and is now being contacted by a Peruvian woman who’s claiming to also work for the same company, but wants to know more about the British culture and language. I mean, I wouldn’t immediately flag this as suspicious if I was receiving this as a private message. I’d find it interesting, actually, that we had some commonalities. As they got chatting, it turned out they both had a lot of similar interests; they both cared about environmental issues and had traveled to many places in South America and did volunteer work and had similar degrees and worked for the same company. Pretty cool to meet someone who has all these similar interests as you, right?
LISA: Now in hindsight, looking at it, it was fairly obvious where these similarities had come from because this girl’s Facebook profile was wide open. All of her antics and voluntary work in South America was photographed, catalogued, and on Facebook. Pretty easy to work out what her political ideological interests, et cetera, were. This profile mirrored almost all of them exactly.
JACK: So, their relationship was building up over time and more trust was being formed, and even a friendship, all through the Facebook chat app which is text only; no audio or video. One day, this fake profile Peruvian woman contacted the woman who worked at this company and said…
LISA: [MUSIC] And she said I’ve been hugely distressed because the company that we work for has been leaving the site that they used in Peru unsafe, and it’s causing people to have all sorts of illnesses. These people are – they’re poor, they can’t afford legal help, they can’t afford medical care, and it’s part of the company’s plan to do this. They don’t care about my people in my country and it’s horrific.
JACK: Well, this hit this woman hard. She was horrified to hear that the company she worked for was causing people to get sick and to be unsafe work conditions and was contaminating the environment. In fact, she was so upset by hearing this news that she suggested they both quit working for this company. She wanted to quit her job over this. This was just too awful for her to be a part of.
LISA: The Peruvian lady said no, no, we’re not going to quit. What we should do is try and expose what they’re doing to a journalist. [MUSIC] So, she thought this is a good idea; okay. Well, how are we gonna find a journalist? The Peruvian girl said well actually, I know one and he lives here in Peru. He’s an American guy and he worked on the Wikileaks story. He’s worked on exposing governmental corruption and corporate corruption and all these sorts of things. So obviously this sounds like a really convenient, great idea, right? So, magically this journalist shows up in the Facebook Messenger chat.
JACK: [LAUGHING] Okay.
LISA: And in he walks, and he’s got all these ideas of what you would need, evidence-wise, to support a story that exposed corruption, which is reasonable to assume, I would have thought. So, he’s saying to both of the girls equally, these are the sorts of documents I need you to go get from your company. Go and find them; photocopy them, photograph them on their – on your phone, send them to me at this e-mail address, whatever mode of transmission you wish to employ. He’s saying it to both of them, but obviously only one of them actually works at the company. So, it’s all sort of – I suppose you could call it social proof in the sense that the actual victim in this situation thinks both of them are doing it. So, they go into the company and this went on for a long time. I think in total it went on about nine months of requesting different documents to be found and getting colleagues to print things off for you so that it’s not logged as you printing it off, and all these sorts of fairly obvious obfuscation methods, I suppose. But it was under a great guise ‘cause he’s an investigative journalist who you’d expect to know these sorts of tricks, right?
It all made sense. So, this girl’s going in and getting all these documents, and when she was interviewed by the company, she actually said to them that there were a few documents on that list that she was quite surprised to see. She wasn’t quite sure how they exposed environmental damage and corruption at an environmental human rights kind of level. But she deferred to his expert journalistic skills, I suppose, and obtained them. [MUSIC] Anyway, by the end of this sort of saga, when he at least claimed he had everything he needed for the story, what was really interesting was how they both extradited themselves from the situation. So, the journalist said I’m gonna disable my Facebook account for a while so I can focus on writing the story. He disappears. Then the Peruvian girl decides that this has been hugely stressful on her and she’s going to go and spend time with her family, and she’s going to log out of Facebook and, you know, be offline for a little while. So, she disappears. That’s the last she hears of either of them.
It wasn’t until later on that this gets discovered, which unfortunately I can’t tell you how it gets discovered, because the method that happened would reveal who it was. But safe to say, it was another company within the space that obtained information in a certain way. This was discovered by the company and then they sort of started to unpick everything and worked out what had happened. So, she was convinced, actually, that somehow her two friends who were genuine, in her mind, had been silenced or somehow disappeared by her employer for quite some while. So, she was actually very distressed to find out that this was actually not – this had all been a lie, because it had gone on so long. I think that’s part of the hugely damaging side of some of these attacks, is that you’ve built this rapport, you’ve built this relationship, you’ve built this narrative that gets yanked from underneath you. I think it’s a bit like romance scams I suppose, in that respect, that people get convinced of the narrative and it’s just not true.
JACK: As it turned out, the company wasn’t even mistreating people or causing people to be sick with unsafe work conditions. That whole story was a lie simply to get this lady to send them company documents.
LISA: One thing they did really cleverly, actually, was they kept reiterating for her not to tell anybody; not to tell her parents, not to tell her actual friends, not to tell her colleagues, because they’re writing this article, this super-secretive, whistleblower-esque article. It has to be kept secret. I think that line was what enabled it to go on for as long as it did, because I think if she told somebody else or started talking about it as a concern, someone would have said this sounds a bit odd to me. Then it might have unraveled.
JACK: So, any hunches here on who’s behind this one?
LISA: So, I suspect from the information that we had that this was actually acquired by potentially an organized crime group and then sold or attempted to be sold to another competitor, just because the person who approached the competitor who eventually flagged it wanted money for the information. So, I suspect that this was actually acquired purely for financial gain in this particular instance. But again, potentially it could have been another group. I don’t think it would have been a activist group just purely because I think you would have published it. As there was no actual wrongdoing, there wasn’t anything really to hang your hat on and say this company’s doing this hugely immoral thing. [MUSIC] So, yeah.
JACK: We all have some kind of weakness. We all have something we care about or have a passion for, but there’s something that’s just close to our heart, and with the right kind of message sent to us directly at the right time, it can hit us like a heat-seeking missile. In this case, because this lady cared about the environment and people’s health, this was used against her to get her to leak lots of sensitive documents from inside the company. It’s almost not fair that the bad guys out there play so dirty and manipulate those who genuinely want to do good in the world. It must have felt awful for this lady to learn that the whole thing was made up and it was a lie and she didn’t have a Peruvian friend at all. They were just actors there to manipulate her into sending them documents. They even made up the lies about how the company was doing misdeeds. How does a company protect itself from this kind of problem?
LISA: I think – so, insider threats is my sort of area and I think for me, if you’re building an insider threat program in your company or you’re developing one, you need to invest in training, for sure. Your staff need to be aware of these sorts of things that can happen and why they’re not things that we should be doing. But I think more importantly – and often I see companies make one really critical mistake here, and they start thinking about insider threat programs and they immediately go down Draconian monitoring of all staff. I had a company who said to me, am I able to turn on the webcams for my com – for my employees while they’re working from home? Now, there may be countries in the world where that’s permitted, but that’s not Europe.
Europe is not going to allow you to turn webcams on and off on your employee’s devices. I think the problem you have if you go down that route is you’re doing it because you want to know and you want visibility on what your employees are doing. But what you’ll actually do is you’ll increase the risk that you’ll get disgruntlement, that you’ll get people who want to sabotage the business. Unhappy employees are way more likely to become insider threats than really happy and contented employees. So, my argument very much is invest in employee assistance programs, helping your employees, identify when they’re struggling, and helping them recover from that. Essentially patching the vulnerability that exists so that they can’t be blackmailed and they can’t be exploited in the way that so many of these cases have been.
JACK: Mm-hm. That’s what my sentiment was too, is the happier the employee, the more loyal they’ll be and less likely to do something like this.
LISA: I became semi-obsessed with – recently with secret cities that had existed in Russia when it was in – when it was the Soviet Union. There was one city in particular called City 40 which was created by the Soviet Union to create their nuclear program. They basically took hundreds of thousands of people out of their homes, moved them across the country into this city that they had built, prohibited them from seeing their relatives, their family, prohibited them from contacting anybody on the outside. Yet, these people were so happy and content and loyal because they’d actually been given this amazing quality of life in comparison to the rest of the Soviet Union at the time. [MUSIC] It’s a really extreme example, but they felt privileged. They felt satisfied and privileged and because of that, they were more than happy to keep this agreement of silence to protect the Soviet nuclear program. I think it’s a really good example of how, actually, if we’ve got that feeling of ‘my employer really supports me and I’m happy and I’m content’, people who are happy and content don’t go and sabotage their employer, by and large, right? That’s coming from someone who’s in a really dark place, typically. So, I think we have to be very aware of how humans feel, and are we making it a really nice place to work where they are supported and challenged and promoted and whatever, because that’s how you’re going to get loyalty and that’s how you’re gonna get a less vulnerable workforce.
JACK: I’m trying to think if we should take some more lessons from this or if there’s things we should pay attention to.
LISA: Yeah, I think the only other thing that I’d add generally; I think the – and this kinda comes from my experience in working in the piracy industry and – or stopping piracy, I suppose I should say, is that a lot of security is very much focused on the perimeter. It’s very much focused on – to use the pirate analogy – stopping the pirates from getting onboard the ship, right? But if you don’t have a plan for what happens after that, you have no way of stopping the attackers’ advance. You have no way of remediating damage or assessing damage or in – or working out what’s even been compromised. I think that it has to be a two-limb thing, and it’s the same for insider threats. It’s all well and good building all this stuff to prevent it, but you have to also be able to detect it, remediate it, investigate it quickly and efficiently, which a lot of companies haven’t invested at all in what happens, so to speak, when the pirates board the ship. So, I think that’s a really powerful lesson that people need to start taking onboard as well.
JACK: Oh, I love that you brought it full circle at the end there. That was really well done.
LISA: [LAUGHING] Yeah, we’ve come full circle.
JACK: Okay, well then I think we’ll leave it there.
(OUTRO): [OUTRO MUSIC] A big thank-you to Lisa Forte for coming on the show and sharing these stories with us. You can follow her on Twitter; her name there is @LisaForteUK. If you want to hear more from her, she’s created her own podcast called Rebooting, but she’s also given many talks at conferences, so you can just look her up on YouTube and there’s tons of stuff that she’s sharing there. You can also learn more about her company by visiting red-goat.com. This show is made by me, the outsider, Jack Rhysider. Sound design by Ponyboy, Andrew Meriwether, editing help this episode by soda pop Damienne. Mixing is done by Proximity Sound, and our theme music is by the two-bit Breakmaster Cylinder. Fun fact; if you search for a lighter on Amazon, they’ll give you 6,000 matches. This is Darknet Diaries.
[END OF RECORDING]