Features 04.05.2023

The Pentagon Leaks: An Insider Horror Story

Does your organisation have a ‘Pentagon leaker’? It’s time to find out

The US military’s history is peppered with insider leaks that had severe repercussions. The recent Pentagon leaks have prompted organisations to question whether they have a Pentagon leaker in their midst. Phil Muncaster delves deeper

Let’s take a brief walk down memory lane. In 1971 it was the Pentagon Papers, a leaked government study on the Vietnam War which exposed the duplicity of successive administrations. In 2010 it was ‘Cablegate’ when Chelsea Manning shared hundreds of thousands of diplomatic cables with Wikileaks that unearthed uncomfortable details about the wars in Iraq and Afghanistan. Then came Edward Snowden, who blew the lid on America’s vast surveillance apparatus in 2013.

That leads us to 2023. Jack Teixeira, a 21-year-old member of the intelligence wing of the Massachusetts Air National Guard, appears to follow in those footsteps. Except he is no whistleblower in the traditional sense. He appears not to have leaked in the public interest but in an attempt to burnish his credentials with a Discord community. For those unfamiliar with Discord, it’s a VoIP and instant messaging social platform for gamers.

Teixeira’s actions could fatally harm Ukraine’s war offensive and seriously damage America’s relationship with its allies. And what’s more, it should also serve as a wake-up call to organisations that don’t yet have a plan to mitigate insider risk.

From Massachusetts to Moscow

Reports claim this could be the worst US intelligence breach since Snowden’s revelations shocked the world a decade ago. The classified Pentagon and CIA documents in question ended up in the public domain by a somewhat circuitous route. They are believed to have been shared by Teixeira with members of ‘Thug Shaker Central’, a private Discord server devoted to video games, guns and racist memes. Although it’s been reported that Teixeira had a “dark view of the government”, there appears little motive for the damaging leaks aside from internet bragging rights.

After landing in that private Discord community, around 50 initial documents spread to other Discord groups, including one devoted to Minecraft, before being shared on 4chan and then Telegram, where they were reposted by Russians tracking the war in Ukraine.

There are thought to be hundreds more documents that Teixeira shared under his online moniker ‘OG’ that date back to last year. The content of these files includes highly classified information such as US assessments of Ukraine’s armed forces and how effective American weapons are proving, as well as information on world events and private conversations inside allied governments.

Some governments, such as the defence ministries of South Korea and the UK, have downplayed the seriousness of the leaks, saying they contained serious inaccuracies. Even President Biden is reported as saying they include “nothing … of great consequence”. Yet, although some documents reposted to Telegram had obvious signs of being doctored, those published appear legitimate. The speed with which the authorities found and arrested Teixeira is also telling. He’s being charged with two counts under the Espionage Act, with a maximum jail term of 20 years.

Bad news for Ukraine and the US

As for the impact the leaks could have on the course of the war, only time will tell. But they could provide Russia with a treasure trove of military intelligence. According to The Economist, the leaked documents include detailed information on the status of nine Ukrainian brigades, including artillery and armour supplies and the daily number of shells and rockets fired. It has been suggested that the Kremlin could work out which brigades are likely to mount the long-awaited Ukrainian counter-offensive this spring. Also included in the leaks is information on the status and precise location of Ukrainian air defences, and assessments of how quickly they will run out.


While that may damage Ukrainian operations, other leaked intelligence will likely degrade US relationships with allies. The documents purportedly reveal spying operations against officials in Hungary, Israel, South Korea and the UN nuclear watchdog, the International Atomic Energy Agency. Separately, the leaked documents are marked up to show how the intelligence was obtained. For example, “si-g” means it was generated by signals intelligence such as wiretaps. This could help targets work out how the US is spying on them. Other documents apparently contain details on previously unknown US spy satellites.

What went wrong?

Teixeira was a “cyber transport systems journeyman” for the Massachusetts Air National Guard, whose job was maintaining the network over which intelligence from different sources was collated and summarised for military leaders worldwide. This IT role may explain his high-level clearance, and it parallels the Snowden case: Snowden was a cybersecurity contractor for the NSA. Yet it doesn’t explain why Teixeira was allowed to print out top secret documents and take them home to photograph and subsequently upload. Ironically, he reportedly did so because he was concerned about being discovered making written transcripts in the workplace.

Whatever findings subsequently come to light, it’s clear that there were serious failures of internal security policy, or of enforcement of that policy, which allowed Teixeira to go undetected for so long. It’s an insider risk challenge that doesn’t only affect military and government organisations. However, according to Proofpoint director of cybersecurity strategy EMEA, Matt Cooke, such organisations are simply more likely to make the headlines.

“Every organisation is at risk of insider threats, but specific industries such as governments obtain and store more sensitive data. An insider threat actor could sell intellectual property, trade secrets, customer data, employee information and more. Industries that store more valuable information are at a higher risk of becoming a victim,” Cooke tells Assured Intelligence.

“High privilege users can be the most devastating in a malicious insider attack, having the freedom to steal data and leaving very little trace behind them. These users are not always employees. Instead, they can be vendors, contractors, partners, and other users with high-level access across all sensitive data.”

Time to look inwards

Insider threats are a serious concern to businesses. And although negligence accounts for the majority (56%) of incidents, it is malign and intentional insider risk which is most expensive and potentially damaging. On average, malicious insider incidents cost £515,000 ($648,000) to remediate per incident, according to a Proofpoint study which claims that incident volumes have surged 44% over the past two years.

“Most organisations today spend significant time and resources detecting and mitigating external threats. Yet few make the same investment in addressing internal threats,” Cooke argues. “This is often because organisations don’t know what insider threats look like – let alone how to tackle them.”

According to Isaac Ben-Israel, a professor at Blavatnik Interdisciplinary Cyber Research Center (ICRC) and the architect of Israel’s national cyber strategy, technology systems are a good place to start.


“We’ve known for many years that the insider threat is a serious one, and its share is usually more than half of total threats,” he tells Assured Intelligence. “There are ways to control it cyber-wise. They may not eliminate the phenomenon entirely, but still reduce it significantly.”

The key is to ensure these technological capabilities are deployed through a people-centric lens.

“People-centric security means having complete visibility and context into how insiders are interacting with corporate data and assets,” argues Proofpoint’s Cooke. “With visibility and context, security staff can more effectively conduct the three primary aspects of insider threat management: identifying risky user behaviour and sensitive data interaction; detecting and preventing incidents and data loss; and responding quickly to those incidents.”

Shmuel Gihon, research team leader at Cyberint, tells Assured Intelligence that malicious insiders who may have been working at an organisation for some time can be even harder to spot as they tend to be trusted more by bosses.

A wolf in sheep’s clothing

“Organisations and government entities should take actions such as: establishing an employee awareness programme regarding the risks of insider threats and developing policies about working with third-party suppliers such as contractors, partners, and other supply chain services,” Gihon argues.

“In the case of military entities, background checks are essential where the risk of insider threat might cause massive damage. Limiting access and segregation is also critical – ensuring employees have access only to the information they need. And monitoring should focus on looking for suspicious activity, such as exporting considerable amounts of data.”

This monitoring should also extend outwards to the web, including sites like Discord, according to Gareth Owenson, co-founder and CTO of Searchlight Cyber.

“If there is a malicious insider, eventually, they will have to interact beyond the company network, whether to share files or secure a buyer. Traffic from the organisation’s network to malicious sites or the dark web is another clear giveaway,” he explains to Assured Intelligence.

“By monitoring the clear, deep, and dark web for mentions of the organisation, secret documents, and data, organisations can identify an insider planning to leak confidential information and take mitigative actions.”

Gaming and social sites are an increasing source of risk for organisations – especially the US military, which increasingly looks to recruit from a pool of young gaming enthusiasts.

Martin Riley, director of managed security services at Bridewell, tells Assured Intelligence that other outlets, such as the multiplayer combat video game War Thunder, have also seen forum members post classified information in a high-stakes game of one-upmanship. He argues that a layered strategy of least privilege access policies, close monitoring for unusual network activity, continuous training, and strict vetting is needed.

The principle of least privilege means granting users the minimum access privileges needed to perform their job or task.

“To mitigate the threat earlier, organisations should consider the insider risk from the hiring process. Employers should perform thorough financial checks and referencing for individuals who have access to confidential information and systems to ensure there is a level of trust built amongst staff,” Riley adds.

“Organisations should be undertaking all of these approaches in future across all employees to mitigate the risk of a similar breach occurring.”

Large organisations, especially the US military, will never fully mitigate the risk insiders pose. But with better-designed policies backed by multi-layered technology, they can at least minimise the chances of something terrible happening. And rapidly contain the blast radius when an explosive leak occurs.
