I.R.W.T.O
Insider Risk and Workshop Trust Office
Ensuring the protection of Santa's Workshop operations, elf workforce, & the Naughty & Nice List data from insider risks.
MEMORANDUM FOR RECORD: 2024 Christmas Season Prevention of Potential Insider Risks
Executive Summary:
The I.R.W.T.O Team is pleased to present a comprehensive report on the successful prevention of potential insider risks during the 2024 Christmas season. The diligent efforts of Santa's elves within the I.R.W.T.O Team have ensured the smooth operation of toy production and delivery, safeguarding Christmas against any disruptions. This report highlights some of the noteworthy incidents that were mitigated, showcasing the effectiveness of our security measures.
1. Mischievous Mistletoe Mischief Averted
An elf named Jingles was observed attempting to place enchanted mistletoe strategically in Santa's office, potentially compromising the Naughty and Nice List data. The Insider Threat Team swiftly intervened, neutralizing the threat and implementing additional security measures to prevent unauthorized access.
Mitigation: Jingles was retrained on security protocols, and enhanced access controls were established in Santa's office, preventing any unauthorized entry.
2. Reindeer Games Sabotage Foiled
Winky, an elf with access to the reindeer stables, exhibited suspicious behavior tampering with the magical feed that keeps the reindeer in top shape for the Christmas journey.
Mitigation: Quick detection by the Insider Threat Team led to the removal of Winky from reindeer-related duties. Emergency protocols were activated, and additional checks on the reindeer's well-being were implemented to ensure they were fit for Christmas Eve.
3. Present Production Peril Addressed
Twinkletoes, a disgruntled elf, was identified attempting to introduce defects in toy production, potentially causing widespread disappointment among children.
Mitigation: Twinkletoes was immediately placed under investigation and provided with counseling to address his concerns. Quality control measures were reinforced, ensuring that only high-quality toys made their way into Santa's gift bag.
Conclusion:
The I.R.W.T.O Team’s proactive measures have effectively safeguarded Santa's Workshop against potential disruptions. The swift response and mitigation strategies employed demonstrate the commitment of our elves to maintain the integrity and magic of Christmas. With these successful interventions, Santa's Workshop remains secure, and the joy of the holiday season will be delivered to children around the world without any hindrance.
Note: This report is entirely fictional and created for entertainment purposes. No actual incidents occurred at Santa's Workshop.
SEPTEMBER IS NATIONAL INSIDER RISK AWARENESS MONTH
What is Insider Risk
Insider Risk is the danger that an insider will use their authorized access, wittingly or unwittingly, to do harm to the national security of the United States. This risk can include damage through espionage, terrorism, unauthorized disclosure of Classified National Security Information, or the loss or degradation of Department of Commerce or other U.S. Government resources or capabilities.
Why is it Important
The Department of Commerce has a workforce of over 47,000 personnel with authorized access to information, data, systems, and facilities to support broad missions that create conditions for economic growth and opportunity for all communities. It is the inherent responsibility of our workforce to play a critical role in preventing and protecting against insider risks.
To address insider risks, the Department has established the Insider Risk Management Program Office (IRMPO) to increase the workforce’s education and awareness of possible insider risks. The IRMPO provides guidance on useful potential indicators to identify risky activity and behavior in everyday job interactions, which helps to deter, detect, and mitigate insider risk issues of those with access to Classified National Security Information and systems.
About the DOC’s 2024 Insider Risk Awareness Month
The Insider Risk Management Program Office is holding the annual National Insider Risk Awareness Month September 1 – 30, 2024. All DOC employees are invited and encouraged to attend and participate in the events listed below:
Event Name | Date & Time | Audience | Location | Description |
In-person Meet and Greet with the Insider Risk Management Program Office (IRMPO) (HCHB Only) | Tuesday, 03 Sep 2024, from 8 a.m. to 9 a.m.; Monday, 09 Sep 2024, from 7 a.m. to 8 a.m.; Friday, 27 Sep 2024, from 7 a.m. to 8 a.m. | HCHB Personnel | DOC Main Entrances | Members of IRMPO will greet DOC employees at all main entrances as they enter the building, allowing for conversation about the program and IRMPO’s support to the Department. |
Insider Risk Awareness Training Session 1 | Tuesday, Sept 10 1:00 - 2:00PM | All DOC | MS Teams | This training will help you Deter, Detect, and Mitigate risky activity. |
Insider Risk Roundtable Forum | Wednesday, Sept 18 11:00 a.m. - 12:00 p.m. | All DOC | MS Teams and Commerce Research Library | Join us for a panel discussion on Insider Risk Management where we will engage in topics that will broaden your awareness of the different functions provided by the Insider Risk Management Program Office. |
Insider Risk Awareness Training Session 2 | Monday, Sept 23 2:00 - 3:00 p.m. | All DOC | MS Teams | This training will help you Deter, Detect, and Mitigate risky activity. |
Insider Risk Awareness Mind Challenging Games | Available all month via the IRMPO web page or by clicking the link in this Broadcast message. | All DOC | IRMPO Website | These games will test your Insider Risk Knowledge and Awareness. |
Mind Challenging Games to test your Insider Risk Knowledge and Awareness
Word Search - Reporting Requirements (usalearning.gov)
Whodunit Mystery Game: Whodunit Mystery Game (usalearning.gov)
Kinetic Violence Quiz: Kinetic Violence Quiz (usalearning.gov)
Insider Threat - Trivia Twirl: CDSE's Insider Threat Trivia Twirl (usalearning.gov)
Insider Threat Crossword - Puzzle 1: CDSE Insider Threat Crossword - Puzzle 1 (usalearning.gov)
Insider Threat Crossword - Puzzle 2: CDSE Insider Threat Crossword - Puzzle 2 (usalearning.gov)
Insider Threat Crossword - Puzzle 3: CDSE Insider Threat Crossword - Puzzle 3 (usalearning.gov)
Nation States Returning to USBs: The Resurgent Threat of USBs
How often have you opened your door, seen an Amazon package on your welcome mat, and forgotten what you'd actually ordered two days ago?
"Recently, we worked with a power company where one of the employees received an Amazon box, with Amazon tape," Daniel Wiley, Check Point head of threat management, recalled at a Wednesday presser. "Inside there was a sealed SanDisk USB — completely brand new. He thought his wife ordered it. So he opened it up, plugged it in. Everything else was a chain reaction. It was able to break in across their VPN. Let's just say the power company was not in a good place."
That it was a power company employee was no coincidence — critical industry often separates IT and OT networks with air gaps or unidirectional gateways, through which Internet-based attacks cannot travel. USBs provide a bridge over that gap, as Stuxnet famously demonstrated more than a decade ago.
USB attacks can be useful without that air-gap constraint as well. Consider an employee of a UK hospital, who not long ago attended a conference in Asia. During the conference, he shared his presentation with fellow attendees via a USB drive. Unfortunately, one of his colleagues was infected with Camaro Dragon malware, which the hospital employee then caught and brought back with him to the UK, infecting the hospital's entire corporate network.
For the full article, refer to: https://www.darkreading.com/ics-ot-security/weirdest-trend-cybersecurity-nation-states-usb
Air Force Veteran Accused of Disclosing Classified Data on Aircraft, Weapons in Latest Military Leak Case
The U.S. Attorney's Office for the Northern District of Florida announced Thursday that retired Lt. Col. Paul J. Freeman, 68, of Niceville, has been indicted by a federal grand jury on nine counts of retaining and sharing national defense information.
"As alleged in the indictment, Freeman, on multiple occasions between November 2020 and March 2021, transmitted classified national defense information about United States Air Force aircraft and weapons to people not authorized to access the information," the U.S. Attorney's Office said in a press release.
Prosecutors said in the news release that Freeman could face up to 10 years in federal prison for each of the nine counts. Both the FBI and the Air Force Office of Special Investigations are working on the case, the release added.
A service record for Freeman, provided to Military.com by the Air Force, shows him as retired from active-duty service. He joined the service in 1975 as an enlisted airman and became an officer in 1984 after graduating from Officer Training School. He served until 2003 as a developmental engineer with the 46th Test Squadron at Eglin Air Force Base in Florida.
The indictment does not detail the specific information Freeman is accused of disclosing or to whom it was allegedly sent.
Freeman has a detention hearing scheduled for Monday in Pensacola, Florida. An attorney was not listed for him in federal court records, and he could not be reached at phone numbers associated with him in public records.
Freeman's case marks the latest in a string of charges and sentences current and former service members have faced related to mishandling classified and sensitive information.
In March, Military.com reported that a 53-year-old civilian employee -- who was also a former Army officer -- at Offutt Air Force Base, Nebraska, faces charges of providing classified information through an online dating app to someone he believed was a woman in Ukraine.
That same month, Airman 1st Class Jack Teixeira, an Air National Guardsman with the 102nd Intelligence Wing at Otis Air National Guard Base in Massachusetts, pleaded guilty to six violations of the Espionage Act related to leaking highly classified Department of Defense information online in early 2023.
Teixeira faces a sentence that could range from 11 months and up to roughly 16 years -- which could mark one of the strictest sentences in history for such a crime -- under his plea deal. While his sentencing is due later this year, the airman also faces a potential court-martial from the Air Force, Military.com reported in May.
In 2022, Lt. Col. Robert Birchum, a retired Air Force intelligence officer, took a plea deal with federal prosecutors and admitted to possessing a thumb drive with 135 documents "containing classified national defense information," including the National Security Agency's collection methods and targets, Military.com reported.
And last month, Navy Chief Petty Officer Bryce Pedicini was sentenced to 18 years in prison after being accused of delivering classified information to someone involved with a foreign government.
U.S. Companies Tricked by North Korean IT Workers: DOJ Unveils Complex Fraud Network
As if taken from a Hollywood script, the DOJ shared publicly how an Arizona woman and three unidentified foreign nationals placed overseas information technology workers, posing as U.S. citizens and residents in remote positions within U.S. companies. In a nutshell, the quartet put together a scheme where they hoodwinked over 300 companies into hiring North Korean (DPRK) IT workers who used stolen or borrowed U.S. person identities in order to raise hard currency revenue for the DPRK. The scheme ran from at least October 2020 through October 2023.
Separately, yet remarkably similar, the DOJ also shared data concerning the arrest of Ukrainian national Oleksandr Didenko, who ran a years-long scheme creating fake identities on U.S. IT search platforms with U.S.-based money service transmitters. Didenko then sold these accounts to foreign nationals outside the United States who used these identities to apply for jobs. Some of those identities, Didenko advises, were used by the DPRK.
LAPTOP FARMING FOR NORTH KOREA
The U.S. citizen, Christina Marie Chapman, identified in the unsealed indictment was arrested on May 15 in Litchfield Park, AZ. Ukrainian citizen Didenko was arrested on May 7 in Poland and the United States is seeking his extradition. There is a $5 million reward for information leading to the arrest of Chapman’s three co-conspirators.
According to the DOJ, “The overseas IT workers gained employment at U.S. companies, including at a top-five major television network, a Silicon Valley technology company, an aerospace manufacturer, an American car manufacturer, a luxury retail store, and a U.S.-hallmark media and entertainment company, all of which were Fortune 500 companies.”
It is important to note that the DOJ was cognizant that some of these companies could have been targeted specifically by the DPRK, as shown by its statement, “Some of these companies were purposely targeted by a group of DPRK IT workers, who maintained postings for companies at which they wanted to insert IT workers.”
Furthermore, Chapman’s stable of IT workers attempted (unsuccessfully) to gain employment at two U.S. government agencies on multiple occasions.
Chapman ran a “laptop farm” hosting a multitude of IT workers’ “company-issued” computers inside her home. These computers provided the U.S. presence for the “employees”: the overseas IT workers would connect into her home and then, via their company-issued devices, into their employers’ networks. Chapman used her residence to receive checks, correspondence, etc., and charged a monthly fee to the workers for the service. As noted, over 300 companies were impacted and over 60 identities of U.S. persons were stolen or borrowed. The scheme generated over $6.8 million in revenue for the overseas workers, laundered through Chapman’s laptop farm.
SOUTH KOREA DETAILS THE SCHEME
It should be noted that on December 8, 2022, the Republic of Korea (South Korea) Foreign Ministry issued a warning that this scheme was being used by North Korea to increase hard currency revenue for the DPRK. The warning was explicit, “DPRK IT workers are located all around the world, obfuscating their nationality and identities. They earn hundreds of millions of dollars a year by engaging in a wide range of IT development work, including freelance work platforms (websites/applications) and cryptocurrency development, after obtaining freelance employment contracts from companies around the world.”
South Korea outlined the modus operandi of the DPRK dispatch of “highly skilled IT workers all over the world, including Asia and Africa. IT workers located overseas form groups and live together and they earn foreign currency by obtaining IT development work via online freelance work platforms.”
The warning continues, “They present themselves as non-North Korean nationals and work as freelance IT workers, obtaining employment contracts from companies located in developed countries in North America, Europe and East Asia.”
The indicators, provided to assist employers to identify the DPRK IT workers working under false identities, according to the Ministry are:
- Multiple logins into one account from various IP addresses in a relatively short period of time;
- Developers are logged into their accounts continuously for a whole day;
- Developers log into multiple accounts on the same platform from one IP address;
- Developer accounts whose cumulative working hours exceed several thousand hours;
- Developer accounts receiving high ratings, especially when client companies which engaged in ratings have a payment account identical to that of the account owner;
- New developer accounts using same or similar documents with those submitted by existing accounts.
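The first three indicators in the list above can be checked mechanically against a platform's login records. The Python sketch below is an added example, not code from the Ministry's warning or the original article; the event layout, account names and every threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (timestamp, account, source IP), RFC 5737 IPs.
EVENTS = [
    ("2024-05-01T08:00:00", "dev_alpha", "192.0.2.10"),   # 3 IPs in 40 minutes
    ("2024-05-01T08:20:00", "dev_alpha", "192.0.2.11"),
    ("2024-05-01T08:40:00", "dev_alpha", "192.0.2.12"),
    ("2024-05-01T10:00:00", "dev_c1", "203.0.113.5"),     # 3 accounts, one IP
    ("2024-05-01T11:00:00", "dev_c2", "203.0.113.5"),
    ("2024-05-01T12:00:00", "dev_c3", "203.0.113.5"),
    ("2024-05-01T09:00:00", "dev_delta", "192.0.2.50"),   # 3 IPs, a day apart:
    ("2024-05-02T09:00:00", "dev_delta", "192.0.2.51"),   # should stay unflagged
    ("2024-05-03T09:00:00", "dev_delta", "192.0.2.52"),
]
# dev_bravo: activity every hour from 00:00 to 21:00 on one day
EVENTS += [(f"2024-05-02T{h:02d}:00:00", "dev_bravo", "198.51.100.7") for h in range(22)]

# Assumed thresholds: the warning gives no numbers, so tune these per platform.
WINDOW = timedelta(hours=1)        # "relatively short period of time"
MIN_IPS, MIN_ACCOUNTS = 3, 3
MAX_GAP = timedelta(minutes=90)    # a longer gap ends a continuous session
MIN_SESSION = timedelta(hours=20)  # "a whole day"

def by_account(events):
    """Group events per account as time-sorted (datetime, ip) pairs."""
    grouped = defaultdict(list)
    for ts, acct, ip in sorted(events):
        grouped[acct].append((datetime.fromisoformat(ts), ip))
    return grouped

def many_ips_per_account(events):
    """Indicator 1: account seen from >= MIN_IPS distinct IPs inside WINDOW."""
    flagged = {}
    for acct, rows in by_account(events).items():
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > WINDOW:
                start += 1  # slide the window forward
            ips = {ip for _, ip in rows[start:end + 1]}
            if len(ips) >= MIN_IPS:
                flagged[acct] = sorted(ips)
                break
    return flagged

def continuous_activity(events):
    """Indicator 2: activity spanning >= MIN_SESSION with no gap above MAX_GAP."""
    flagged = []
    for acct, rows in by_account(events).items():
        run_start = rows[0][0]
        for (prev, _), (cur, _) in zip(rows, rows[1:]):
            if cur - prev > MAX_GAP:
                run_start = cur  # session broken, start a new run
            if cur - run_start >= MIN_SESSION:
                flagged.append(acct)
                break
    return sorted(flagged)

def many_accounts_per_ip(events):
    """Indicator 3: source IP used by >= MIN_ACCOUNTS distinct accounts."""
    accounts = defaultdict(set)
    for _, acct, ip in events:
        accounts[ip].add(acct)
    return {ip: sorted(a) for ip, a in accounts.items() if len(a) >= MIN_ACCOUNTS}
```

Shared egress points such as corporate NAT or VPN gateways will trip the third check for legitimate users, so treat a hit as a lead for review alongside the other indicators rather than as a verdict.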
DIDENKO’S IDENTITY ROULETTE
The affidavit supporting the complaint alleges Didenko managed approximately 871 “proxy” identities on three U.S. IT hiring platforms. To accomplish this, he used three U.S.-based laptop farms, hosting 79 computers. Didenko offered a slightly different service than Chapman, with the same end goal: placing workers inside U.S. companies. The DOJ described Didenko’s efforts as follows: “Didenko ran a website, upworksell.com, which advertised creating, buying, and renting accounts at U.S. websites using false identities, and also advertised ‘Credit Card Rental’ in the European Union and the United States and SIM card rental for cellular phones.” The DOJ also notes the interaction between Didenko’s and Chapman’s clientele, when a laptop from Didenko’s laptop farm was requested to be sent to Chapman’s laptop farm.
SEEDING INTO U.S. COMPANIES
“Today’s announcement of charges and law enforcement action show our broad approach to attacking funding sources for North Korea across the United States,” said U.S. Attorney Matthew M. Graves for the District of Columbia. “We will continue to vigorously pursue cases against individuals, in the United States and abroad, that use U.S. financial systems to raise revenue for North Korea.”
The U.S. Attorney’s office understands the financial fraud taking place, which provides an avenue to prosecution. There is more than just financial fraud at play, this jaded eye observes. If egg on the face of 300-plus companies whose hiring and onboarding pipelines have been hoodwinked isn’t sufficient incentive for all human resource departments to review their “verification processes,” then the understanding that the DPRK used this mechanism to seed individuals in targeted companies for purposes beyond the financial aspect should be. They were after infrastructure knowledge, intellectual property, and more.
____________________________________________________________________
US Air Force employee charged with disclosing classified information on dating website
A civilian U.S. Air Force employee has been charged with disclosing classified defense information to a woman he met on a foreign online dating platform, the Justice Department said on Monday.
David Franklin Slater, 63, was taken into custody in Nebraska on Friday on a three-count federal indictment. He was expected to make an initial court appearance on Tuesday.
The indictment accuses Slater of giving classified material by email and online messages about the Russia-Ukraine war to someone claiming to be a woman living in Ukraine.
https://www.reuters.com/world/us/us-air-force-employee-charged-with-dis…
Contractors Failed Background Checks, Maintained Access to Sensitive Agency Systems
IRS watchdog: Contractors who failed background checks maintained access to sensitive agency systems. A new IRS inspector general report says the agency continued to give 19 contractors access to sensitive systems despite failing background reports as recently as last July.
Two U.S. Navy Sailors Charged with Providing Sensitive Information to China
Two U.S. Navy sailors were charged Thursday with providing sensitive military information to China — including details on wartime exercises, naval operations and critical technical material. The two sailors, both based in California, were charged with similar moves to provide sensitive intelligence to the Chinese. But they were separate cases, and it wasn’t clear if the two were courted or paid by the same Chinese intelligence officer as part of a larger scheme. Federal officials at a news conference in San Diego declined to specify whether there is any tie between the cases.
https://apnews.com/article/espionage-us-navy-arrests-national-security-…
Former Analyst with the FBI Sentenced for Illegally Retaining Documents
A former analyst with the Kansas City Division of the FBI was sentenced in federal court today for illegally retaining documents related to the national defense at her residence.
Kendra Kingsbury, 50, of Garden City, Kansas, was sentenced by U.S. District Judge Stephen R. Bough to 46 months in federal prison followed by three years of supervised release. Kingsbury pleaded guilty on Oct. 13, 2022, to two counts of unlawfully retaining documents related to the national defense.
According to court documents, Kingsbury was an intelligence analyst for the FBI for more than 12 years, from 2004 to Dec. 15, 2017. Kingsbury was assigned to a sequence of different FBI squads, each of which had a particular focus, such as illegal drug trafficking, violent crime, violent gangs and counterintelligence. Kingsbury held a TOP SECRET/SCI security clearance and had access to national defense and classified information. Training presentations and materials specifically warned Kingsbury that she was prohibited from retaining classified information at her personal residence. Such information could only be stored in an approved facility and container.
Kingsbury admitted that, over the course of her FBI employment, she repeatedly removed from the FBI and retained in her personal residence (at that time in North Kansas City, Missouri) an abundance of sensitive government materials, including classified documents related to the national defense.
https://www.justice.gov/opa/pr/former-fbi-analyst-sentenced-retaining-c…
DOE Official Pleads Guilty for Accepting Bribes
In Federal court in Central Islip, Jami Anthony, the former Small Business Program Liaison and Procurement Officer for a Department of Energy Laboratory based in Virginia, pleaded guilty to a criminal information charging her with receiving bribes as a federal official in connection with a scheme to pay her more than $18,000 in exchange for more than $900,000 in DOE contracts.
https://www.justice.gov/usao-edny/pr/former-department-energy-employee-…