If you're not taking insider threats seriously, then the CrowdStrike incident should be a big wake-up call
The security giant has confirmed an insider threat incident but says systems weren't compromised
CrowdStrike has admitted an insider took screenshots of its systems and shared them with hackers, and experts say it should serve as a wake-up call for enterprises that are slacking on this growing threat.
The admission by the company follows initial reports from BleepingComputer, which noted that screenshots had been shared via Telegram by the Scattered Lapsus$ Hunters threat group.
The hackers behind the scheme told the publication they’d paid the insider a fee of $25,000 for their involvement.
The shared material included authentication details, which CrowdStrike had already locked down after detecting the insider's activity. The hackers were also seeking CrowdStrike's intelligence reports on the threat groups they are affiliated with.
While CrowdStrike admitted the incident took place, a spokesperson for the company told ITPro that no systems were breached and customer data remains secure.
"We identified and terminated a suspicious insider last month following an internal investigation that determined he shared pictures of his computer screen externally," the spokesperson said.
"Our systems were never compromised and customers remained protected throughout. We have turned the case over to relevant law enforcement agencies."
Chris Linnell, associate director of data privacy at Bridewell, said the case highlights how difficult insider incidents are to protect against.
Insiders already possess legitimate credentials and an innate knowledge of internal systems, meaning they’re able to bypass security controls undetected and wreak havoc.
"Malicious insider activity represents one of the most costly and challenging cybersecurity threats for organizations," he said.
"Unlike external attacks, these incidents exploit trust and authorized access, making detection and remediation far more complex.
Don't get caught by insider threats
Insider threats have become a recurring talking point in recent years, with security industry stakeholders warning about a sharp increase in these incidents.
Arctic Wolf's 2024 State of Cybersecurity report, for example, showed that 61% of organizations had spotted insider threats in the previous year — with 29% of those leading to a leak.
A similar report from Exabeam earlier this year revealed that two-thirds of European security professionals now see insider threats as a bigger risk than external threat actors.
There's a full spectrum of insider risks, Linnell said, ranging from inadvertent mistakes to deliberate acts of theft or sabotage, which we know can cause havoc for businesses.
In September, ITPro reported that fintech FinWise warned customers their data may have been leaked after an insider attack by a former employee.
Back in March, a "disgruntled" employee was convicted of "causing intentional damage to protected computers" after deploying a so-called "kill switch" on his former employer's networks.
High-profile incidents such as these should serve as a warning. However, Linnell noted that, despite repeated warnings, many enterprises still disregard the threats they face.
"Recent cases highlight how motivated insiders can compromise sensitive data or systems, sometimes under pressure from organized crime or state-sponsored groups," he said.
"Despite this growing threat, many organizations still lack formal insider threat programmes and only identify issues after harm has occurred."
How to address insider threats
To mitigate the risk, Linnell recommended a layered approach combining technical measures such as behavioral analytics to watch for anomalies alongside data loss prevention tools to monitor sensitive data and network activity.
"Organizations should enforce strong access controls, including the Principle of Least Privilege, multi-factor authentication (MFA), and regular access reviews," Linnell added.
"Advanced measures like dynamic watermarking and screen capture blocking can deter and trace leaks, while adaptive protection technologies can automatically revoke access when abnormal behaviour is detected.
"Insider risk is not a problem that can be solved with a single tool — it requires a holistic, proactive strategy to protect sensitive data and maintain trust."
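The behavioral-analytics and adaptive-revocation approach Linnell describes can be sketched in a few dozen lines. The following is an added example written for this article, not code from CrowdStrike or Bridewell: it builds a per-user baseline from constructed audit-log lines, scores a target day on read volume, first-time access to a sensitive category and off-hours activity, and maps the score to an allow/alert/revoke decision. The log format, the feature set, the point weights and the thresholds are all assumptions chosen for illustration; a real deployment would feed its own EDR or SIEM events into the same shape.

```python
"""Behavioural baseline and adaptive access revocation over constructed audit logs.

Added example, not CrowdStrike or Bridewell code. The log format, the feature
set, the point weights and the decision thresholds are assumptions.
"""
from __future__ import annotations

import statistics
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Categories whose first-time access by a user is treated as high risk (assumed).
SENSITIVE_CATEGORIES = {"reports", "customer-data", "source"}
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 counts as on-hours (assumed)


def build_sample_log() -> list[str]:
    """Constructed audit log, one event per line: '<iso-ts> <user> <action> <resource>'."""
    lines = []
    for day in range(1, 5):  # four ordinary days for both users
        for h in (9, 11, 15):
            lines.append(f"2025-10-0{day}T{h:02d}:00:00 alice read customer-data/crm-{day}{h}")
            lines.append(f"2025-10-0{day}T{h:02d}:30:00 bob read detections/rule-{day}{h}")
    # Day 5: alice pulls twelve threat-intel reports at 23:xx; bob is unchanged.
    lines += [f"2025-10-05T23:{i:02d}:00 alice read reports/threat-intel/TI-{i}" for i in range(12)]
    lines += [f"2025-10-05T{h:02d}:30:00 bob read detections/rule-5{h}" for h in (9, 11, 15)]
    return lines


@dataclass
class DayFeatures:
    reads: int = 0
    off_hours: int = 0
    categories: set[str] = field(default_factory=set)


def daily_features(lines: list[str]) -> dict[tuple[str, str], DayFeatures]:
    """Aggregate raw events into per-(user, date) features."""
    feats: dict[tuple[str, str], DayFeatures] = defaultdict(DayFeatures)
    for line in lines:
        ts, user, action, resource = line.split()
        if action != "read":
            continue
        when = datetime.fromisoformat(ts)
        f = feats[(user, when.date().isoformat())]
        f.reads += 1
        if when.hour not in BUSINESS_HOURS:
            f.off_hours += 1
        f.categories.add(resource.split("/")[0])  # top-level path segment is the category
    return feats


def score_day(feats: dict, user: str, day: str) -> tuple[int, list[str]]:
    """Score one user-day against that user's earlier days. Returns (points, reasons)."""
    history = [f for (u, d), f in feats.items() if u == user and d < day]
    today = feats.get((user, day), DayFeatures())
    if not history:
        return 0, ["no baseline"]
    counts = [f.reads for f in history]
    mean = statistics.fmean(counts)
    spread = statistics.pstdev(counts) if len(counts) > 1 else 0.0
    z = (today.reads - mean) / max(spread, 1.0)  # floor the spread so a flat baseline still scores
    seen = set().union(*(f.categories for f in history))
    points, reasons = 0, []
    if z >= 3:
        points += 3
        reasons.append(f"read volume z={z:.1f} against baseline mean {mean:.1f}")
    new_sensitive = (today.categories - seen) & SENSITIVE_CATEGORIES
    if new_sensitive:
        points += 3
        reasons.append(f"first access to sensitive category {sorted(new_sensitive)}")
    if today.reads and today.off_hours / today.reads >= 0.5:
        points += 2
        reasons.append(f"{today.off_hours}/{today.reads} reads outside business hours")
    return points, reasons


def decide(points: int) -> str:
    """Adaptive response: revoke at 5+, alert at 3-4, otherwise allow (assumed thresholds)."""
    return "revoke" if points >= 5 else "alert" if points >= 3 else "ok"


def evaluate(lines: list[str], day: str) -> dict[str, dict]:
    """Score every user active on `day` and attach a decision to each."""
    feats = daily_features(lines)
    users = {u for (u, d) in feats if d == day}
    out = {}
    for user in sorted(users):
        points, reasons = score_day(feats, user, day)
        out[user] = {"points": points, "decision": decide(points), "reasons": reasons}
    return out


if __name__ == "__main__":
    for user, verdict in evaluate(build_sample_log(), "2025-10-05").items():
        print(user, verdict["decision"], verdict["points"], "; ".join(verdict["reasons"]))
```

Two design choices matter here. The volume check floors the baseline spread at one read per day, so a user with a perfectly regular history still triggers on a large jump instead of dividing by zero; and the "new sensitive category" signal fires only on the first day a user touches that category, which is the pattern behind an insider suddenly pulling intelligence reports they never needed before. The output of decide() is where a real system would call into its identity provider to suspend sessions or tokens, which this example deliberately stops short of.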
But it's not all about tech, he noted. Companies need to manage their people via clear policies with consequences, background checks during recruitment, and rescreening for high-risk roles.
Background checks and rescreening are a particular area of importance given the rise of fake IT workers. A host of businesses globally have been impacted by these types of attacks, which have become a hallmark of North Korean state-sponsored cyber crime activities.
These attacks typically involve state-linked individuals securing IT roles at companies, after which they begin extracting sensitive corporate data or infecting systems with malware.
The growing number of attacks has prompted advisories from law enforcement and big tech companies such as Google, which earlier this year warned hackers are targeting enterprises in both the United States and Europe.
Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.
Nicole is the author of a book about the history of technology, The Long History of the Future.