A variety of adversaries brought espionage and intrigue to the United States in the year 2024, and we may safely assume such will continue to be the case. Once again, the primary nation states taking the adversarial role were China, Russia, Iran, and North Korea. They were successful in penetrating national infrastructure, stealing intellectual property, and compromising individuals. The Department of Justice (DoJ) and other arms of government, to include the FBI, CISA, DHS, and the ODNI, as well as private enterprises, all contributed to compromising these covert activities. Some were brought to justice; others were neutralized and some continued to abscond.
China
In 2024, China continued its aggressive stance in cyberespionage and theft.
Cyberespionage
Chinese state actors continued to target critical infrastructure, most visibly through the APT-31 group, also known as Zirconium, which has been active since at least 2013. In 2024 seven members of the group were indicted by the DoJ. In addition to critical infrastructure, the group targeted U.S. government officials, defense contractors, media organizations, universities, and think tanks. They used phishing attacks and malware distribution to steal sensitive data and disrupt services, and relied on “living off the land” techniques (abusing legitimate tools already present on the victim’s systems) that allowed them to remain undetected for long periods while they conducted system reconnaissance.
Former CIA officer sentenced.
This year saw Alexander Yuk Ching Ma (age 71) sentenced to 10 years in prison. He and his brother, also a former CIA officer, volunteered their services to China, compromised historical operational information on CIA modus operandi, and then agreed to attempt to penetrate the FBI at the Honolulu Field Office, one of 56 FBI divisions within the United States.
Google AI stolen.
An insider, Liang Chen, stole AI technology from Google while secretly working for two China-based technology companies. Chen provided detailed information on the architecture and functionality of the GPU and TPU chips and systems, and on the software the chips use to complete their tasks. Chen was paid $14,800 per month by one of the Chinese companies.
Russia
Russia’s influence operations reached new heights in 2024, with an ongoing campaign of misinformation and disinformation aimed at destabilizing elections worldwide.
Misinformation/Disinformation.
The ability of the Russian Federation to sow chaos and divisiveness was on full display in 2024. Indictments of individuals in the U.S. and abroad who supported the Russian efforts were widespread. These legal actions made plain to all the resources that Russia was willing to commit as national elections took place in over 50 countries, to include France and the United States.
Iran
In 2024, Iran’s Islamic Revolutionary Guard Corps (IRGC) took drastic steps to suppress dissent, including hiring individuals for murder-for-hire schemes within the United States.
Murder for hire.
In an effort to squelch dissent, the IRGC hired two individuals to conduct assassinations in the United States against those with dissenting opinions and the president-elect.
North Korea
North Korea’s cyber activities escalated in 2024.
DPRK IT Workers.
We learned of the North Korean IT workers mid-year when they were caught up in a fraud case involving laptop farming and identity theft in support of individuals who were unauthorized to work within the United States yet contrived an illegal means to do so. In late 2024, we discovered that the DPRK’s involvement in these schemes was not incidental; they took the lead and, through persistent and extensive efforts, compromised numerous entities in the U.S. by placing remote employees who were ostensibly U.S. persons authorized to work. However, these individuals were actually a team of DPRK IT specialists who shared and performed jobs to generate hard currency for their homeland. The most recent indictment (December 2024) of 14 DPRK citizens showed that they were paid over $88 million for their efforts.
Other
And in 2024, it wasn’t just the big players making waves against the U.S.
Ethiopia.
If you didn’t have Ethiopia on your bingo card for 2024, you weren’t alone. In December 2024, Abraham Teklu Lemma, alias Tom or Thomas Ford, was indicted by a grand jury for delivering national defense information to a foreign government, Ethiopia. Lemma was a contractor whose work took him into a variety of government entities, to include the National Reconnaissance Office (NRO), the Department of State (DoS), and the DoJ. He held a TOP SECRET clearance, worked within a SCIF, and did indeed have the authority to transfer information between unclassified and classified systems. He also retained a great deal of classified material to which he had incidental and contrived access, delivering the information to the most senior ranks of the Ethiopian government, to include the Deputy Prime Minister and members of the country’s military. His case is pending.
Heading into 2025
Nations have interests, and they pursue those interests by whatever means advantage them the most. The fact that we are talking about Ethiopia in this year’s summary speaks to the fact that any country may regard national defense information from the United States as a treasure. As we head into 2025, the insider risk management program of every enterprise and entity, especially those operating under the mandate of the DCID and NISPOM, will be of prime importance. It is not enough to learn you’ve been compromised and then react. You must get ahead of it and develop the ability to be predictive and proactive, stopping adversaries early in their attempts to compromise. Your personnel are the capstone of your efforts. Awareness training, counterintelligence training, and regular briefings and education are essential: why one must adhere to policy and procedures, how to react to an adversarial approach, and most importantly, how to “say something.” “See something, say something” only works if we actually say something.