As Insider Threat Awareness Month comes to a close and Cybersecurity Awareness Month begins, the National Counterintelligence and Security Center (NCSC), in conjunction with the Federal Bureau of Investigation (FBI), released a 30-minute video, “The Nevernight Connection.”
“As this movie highlights, foreign intelligence services are posing as headhunters and consultants on professional networking sites to aggressively target Americans,” said Alan E. Kohler, assistant director of the FBI’s Counterintelligence Division.
Defense and intelligence officials have been urging caution for national security workers engaged on social networking platforms, which remain one of the top ways foreign adversaries to identify and target cleared workers.
“Social media deception continues to be a popular technique for foreign intelligence services and other hostile actors to glean valuable information from unsuspecting Americans,” said NCSC Director William Evanina. “Through this movie and other resources, we hope to raise awareness among Americans so they can guard against online approaches from unknown parties that could put them, their organization and even national security at risk.”
The Nevernight Connection synopsis
The film walks us through the modus operandi of the Chinese MSS in their use of fictitious social network “Rav-In” (LinkedIn) to spot and ultimately recruit “Daniel Landry” a former naval intelligence officer who was now working working in private sector on maritime issues. He provides a throw-away research report for $1500 and then ultimately provides sensitive information to the Chinese. His actions, trying to elicit and solicit information from former colleagues drew attention upon himself. The investigators found he had transmitted classified information via WeChat. The investigators enlist the assistance of his wife and arrest “Landry” upon his return to the U.S. at Baltimore-Washington Airport from China. In the closing credits, the filmmakers give a hat-tip to the insider program and “Landry’s” colleagues, noting their assistance.
The cases upon which the film is based
The real-life cases of Dickson Yeo and Kevin Mallory are singled out as examples of how LinkedIn was used identify and compromise U.S. government employees.
Dickson Yeo – pleaded guilty – July 24
Readers will remember that it was Yeo, a Singaporean, working on behalf of the Chinese Ministry of State Security (MSS – the security and intelligence ministry of the People’s Republic of China) who relocated to Washington, D.C. to obtain sources of intelligence.
Yeo used his fake consulting company to spot, assess, and assist in the recruitment of intelligence sources on behalf of the MSS. Court documents revealed that Yeo told investigators that “he received over 400 resumes” of which 90% were from individuals with U.S. government clearances. The ultimate target of the MSS, an insider, enjoying the ultimate trust of the United States government, one with access to classified secrets.
How productive were Yeo’s efforts on LinkedIn?
Yeo said he “was addicted to LinkedIn,” as every day their algorithm would suggest to him new potential targets for him to contact. At least two individuals passed through the hypothetical to become an actual source of information for the MSS due to Yeo’s efforts. One, a disgruntled individual within the State Department, shared information on a current U.S. cabinet member (not further identified). The other was an individual involved with the U.S. Air Force F-35B program.
Kevin Mallory – sentenced to 20 years in prison – May 17, 2019
The case of Mallory was one of the early instances of confirmed uses of non-Chinese nationals to engage in a substantive manner in the spotting, assessing and development of sources on behalf of the MSS. Mallory, who had worked within the CIA, DIA, Department of State and the U.S. Army in either staff or contractor capacity, was a fluent Mandarin speaker with a tanking consulting business.
Mallory was contacted via LinkedIn by a Chinese “headhunter” who convinced Mallory to travel to China where the relationship was cemented. China had a fully collaborative and cooperative asset. They issued him a covert communications package and had him return to the Washington, D.C. area. In D.C., Mallory reached into his network of former colleagues within the intelligence community to elicit information and assess suitability for a relationship with the MSS.
Ron Rockwell Hansen – sentenced to 10 years in prison – September 24, 2019
Another case that is worthy of approbation is Ron Rockwell Hansen who was also recruited by the MSS via LinkedIn. Hansen used the implied trust created by mutual “connections” between himself and individuals targeted by Hansen. When arrested in 2019, Hansen had pages of printouts of LinkedIn profiles of colleagues.
A friend of a friend may not be a friend
The film is worthy of 30 minutes of your time, and each Facility Security Officer should include it in their annual counterintelligence threat briefing program, as well as their insider threat program briefs. The salient point is that anyone can be spotting, assessing, and assisting in the recruitment of your insider on behalf of a hostile intelligence service. The NCSC/FBI admonishes, “Never accept an invitation to connect from someone you do not know, even if they are a friend of a friend.”
The warning, “caveat utilitor” still applies.
