How nation-state actors exploit human trust

  • Shawnee Delaney

    CEO, Vaillance Group | Keynote Speaker | Board member | Co-Host of Control Room

    38,752 followers

    Nation-states don’t exploit weak security. They exploit workplace dynamics. I know, because this is exactly how I recruited insiders. Espionage doesn’t start with secrets. It starts with validation. A compliment at the right moment. A shared frustration. Someone who listens when your company doesn’t. That’s not spycraft. That’s just a Tuesday at work. I never asked for sensitive information up front. I asked what was broken. Who made their job harder than it needed to be. What they would fix if anyone actually listened. They thought they were venting. I was mapping access, influence, and motivation. That’s called elicitation. Companies like to believe insider threats come from “bad actors.” They don’t. They come from good employees in very human moments: burnout, loyalty conflict, money stress, bruised ego, identity cracks, resentment that’s been quietly fermenting. And yes, your highest performers were always my favorite targets. They were trusted. They were visible. They had access. And they cared enough to talk. Remote work didn’t invent this. It removed friction. You trained people to network. We trained people to recruit. Same skills. Different intent. If your organization still treats espionage as a cyber problem or a personality flaw, you’re already behind. Because the easiest way into your organization was never through the firewall. It was through someone who finally felt understood. #InsiderThreat #HumanRisk #Espionage #TrustIsASystem #Cybersecurity #Leadership #HR *Photo of me back in the day, post deployment*

  • Jeffery Wang

    Account Manager at CyberCX | Professional Development Forum (PDF) | Community Voices

    6,618 followers

    As cybersecurity professionals, we've long focused on building walls against external attackers. But what happens when the threat walks through our front door with legitimate credentials and a smile? The recent revelations about North Korean nation-state actors systematically infiltrating Fortune 500 companies as fake IT workers represent one of the most sophisticated insider threat campaigns we've ever witnessed. The numbers should terrify every CISO: "Literally every Fortune 500 company has at least dozens, if not hundreds, of applications for North Korean IT workers," according to Mandiant's CTO Charles Carmakal. Security leaders estimate that 7% of Fortune 2000 companies have already been infiltrated by North Korean operatives working as full-time employees with privileged access. This isn't a distant threat—it's already inside our networks. These aren't amateur hackers trying their luck. North Korean operatives are leveraging AI to craft convincing resumes, manipulate voice and video feeds during interviews, and even form shell companies posing as legitimate US contractors. One startup founder estimates that 95% of IT job applicants are North Korean operatives posing as American developers. The sophistication is breathtaking: they're not just stealing identities—they're manufacturing them wholesale. Australia isn't immune. The Australian Sanctions Office has identified "thousands of highly skilled IT workers" dispatched globally by North Korea, specifically targeting employers in wealthier countries including Australia. These operatives are active across multiple sectors—business, health, entertainment, and technology—making no industry safe from infiltration. While we focus on nation-state actors, the broader insider threat landscape reveals the true scope of this challenge. The average cost of insider threats has reached $17.4 million annually per organisation—up from $16.2 million in 2023. 
    Even more alarming, 95% of all data breaches are caused by human error, and insider-driven events cost organisations an average of $13.9 million per incident. We're fighting yesterday's war with today's budgets. Companies spend $211,021 on containment for every insider incident but only $37,756 on monitoring. We're still building higher walls when the enemy is already inside, wearing our badge and accessing our most sensitive systems. The North Korean IT worker campaign represents the future of cyber warfare: patient, sophisticated, and leveraging our own hiring processes against us. It's time to acknowledge that insider risk isn't just about disgruntled employees—it's about nation-states weaponising our trust in remote work and global talent pools. What strategies is your organisation implementing to address the evolving insider threat landscape? #CyberSecurity #InsiderThreats #NorthKorea #RiskManagement #InfoSec #Australia

  • Sarah Adams

    The Watch Floor | Know Thy Enemy | CIA Alum

    49,329 followers

    For two decades, Western cybersecurity strategy focused on infrastructure. We hardened networks, deployed zero-trust frameworks, and invested heavily in detection and segmentation. And it worked... until adversaries adapted. Today, state-linked actors from China, Russia, Iran, and North Korea are shifting their focus from systems to people. The modern reconnaissance cycle increasingly begins not with malware, but with resumes, LinkedIn profiles, conference bios, and publicly shared career milestones. A single resume can reveal what technology you use, the programs you support, the vendors you work with, where facilities are located, whether you hold a clearance, and even who you report to. That data enables tailored spear phishing, credential harvesting pages that mirror real defense portals, and precision social engineering that references actual teammates and projects. This is counterintelligence in a digital society. Our professional culture rewards visibility and openness. In most sectors, that transparency creates opportunity. In the national security ecosystem, it can create exposure. In today's episode, I discuss how resume harvesting has become a strategic collection method, why the personnel layer is now a primary attack surface, and what that means for the defense industrial base. 🎧 Full episode here:

    I Wish This Wasn’t Real…

    https://www.youtube.com/

  • Christina Lekati

    Hybrid Cyber Threats & Social Engineering Security Specialist, Open-Source Intelligence Analyst, BlackHat Trainer, Keynote Speaker

    8,420 followers

    Another wave of hyper-personalized social engineering attacks by a state-sponsored threat actor, targeting defense & government officials. The modus operandi is not unfamiliar, and it is used by multiple other state-backed actors too (because it often works quite well). In this case, the group known as APT42/SpearSpecter:

    🔹 Conducted extensive reconnaissance on specific targets via social media, public databases, and professional networks. --> This later enabled them to impersonate people from the victim's affiliations and craft believable scenarios involving exclusive conferences or strategic meetings.

    🔹 They devoted weeks to approach their targets, sustain multi-day conversations and slowly build personalized relationships with them. They often used WhatsApp to do so.

    ❗ What's unique: They also approached family members of their targets in order to further build trust & credibility, and apply subtle pressure on their main targets.

    🔹 Eventually, the group would either direct victims to spoofed meeting pages that harvest credentials, or (if the end goal is persistent long-term access) the attacks lead to the deployment of a known PowerShell backdoor dubbed TAMECAT.

    🔸 It is paramount to train your high value targets on hyper-personalized social engineering, especially if you work in industries relating to critical infrastructure, government, defense, or cutting-edge research. This is yet another social engineering attack that almost solely relies on the target for detection & defense on this initial phase of exploitation.

    More Details: https://lnkd.in/eD8ePyxp https://lnkd.in/eueDR-9z

    #socialengineering #cyberttack #ThreatIntelligence

  • Dan Maslin

    CISO • FAISA • GAICD • CISSP, CISM, CRISC • CSO30 2022, 2023, 2024, 2025

    16,445 followers

    Meeting someone in person isn't verification, six months of interaction isn't vetting, a $1M deposit isn't due diligence. My takeaways from the recent Drift incident:

    👉 The people Drift met in person were not North Korean nationals, they were third-party intermediaries deployed specifically to build human trust at close range

    👉 The attack only worked because the relationship felt completely legitimate and that legitimacy was manufactured over six months with deliberate patience

    👉 DPRK is running structured intelligence operations with third-party human proxies that pass every informal trust check we've ever relied on

    The Drift hack wasn't a technical exploit, it was a few handshakes followed by six months of conferences across multiple countries, a functioning trading operation, real money in the vault and months of back-and-forth until they felt like co-workers. Then on April 1st, in 12 minutes, $285M was gone, chats wiped and intermediaries vanished. If you're embedded in any high-value ecosystem there may already be someone inside who's been there long enough to feel completely normal. The trust signals we've always relied on, meeting in person, shared history, skin in the game, can all be engineered by a state-backed operation with enough time and resources. Know who's in your ecosystem and how they got there. Read on: https://lnkd.in/gSHzPmUX
