Thursday 23rd July 2020

BLOG: COVID’s Metamorphoses part IV: insider threats, nation-state cybercrime and cyber security budgets during the “Great Lockdown” Recession

By Orpheus Analysts

The fourth part of our series on COVID-19 and the future of the threat landscape examines how the potential for a global recession caused by pandemic will shape two specific cybercriminal threats, along with the long-term future of cyber security budgets. You can read the series’ previous post on why a recession caused by COVID-19 will not significantly increase levels of cybercrime here.


In this blog post, we continue to unpack the effects of a recession caused by COVID-19 – an economic crisis dubbed the “Great Lockdown” by the IMF – on the cyber threat landscape. Although, as we outlined in our previous blog, we do not expect a recession to result in a significant increase in cybercrime, there are two exceptions to this. First, the insider threat is likely to grow due to a combination of factors related to the pandemic. Second, there is a possibility that a few nation-states will turn to cybercrime to raise government revenues or enrich kleptocratic regimes.

Also shaping these developments is the potential impact of a recession on cyber security budgets, particularly for SMEs, potentially increasing levels of supply chain cyber risk for larger organisations.


The malicious insider threat during the “Great Lockdown”

Although, as we outlined in our previous blog post, we do not predict a significant increase in individuals turning to cybercrime as a career, we do anticipate an increase in malicious insider threats as a consequence of a recession caused by COVID-19. We assess an increase in intent, as difficult economic conditions and/or layoffs strengthen the motive; in capability, due to the additional access afforded by remote working; and in opportunity, with heightened merger and acquisition activity potentially accelerating the market for sensitive information from insiders.

Layoffs and working from home: the perfect insider combination?

Given current job losses due to COVID-19, and the high likelihood of this trend continuing in its wake, we expect an uptick in affected employees stealing potentially sensitive data. As research suggests the majority of malicious insiders are driven by financial motives,[1] rising levels of unemployment will result in an increase in employees taking basic data with them when they leave. A 2015 study by Biacom suggested that as many as 87 per cent of departing employees take some form of data with them.[2]

This problem could be particularly prevalent in industries with access to large databases of PII (personally identifiable information), which could be easily sold on the deep and dark web. For example, the healthcare industry is frequently targeted due to the large datasets held in relevant organisations.[3] The healthcare industry is likely to become an even more attractive target as it rolls out new digital services in response to COVID-19. Other operations which could prove enticing for malicious insiders looking to monetise their positions include payment manipulation attempts and intellectual property theft.

The one caveat against any potential rise in financially-motivated insider crimes is that IT staff, typically the type of insider best placed to act, are less likely to be made redundant if their services are needed to support the shift to remote working. They may nonetheless be tempted to engage in revenue-generating options if they feel their position is ultimately at risk.


A less common but often more damaging type of insider is the disgruntled employee seeking to harm their organisation, either by affecting data integrity, causing disruption, or selling highly sensitive information to malicious actors.

Furthermore, external threat actors may attempt to capitalise on employee dissatisfaction to induce or blackmail strategically placed employees to act against their employer. These could be cybercriminal groups, or even intelligence agencies, which have a history of exploiting malicious insiders.[4]

Insider crimes are also attractive because of an almost unique combination of minimal technical expertise required, and the opportunities presented by insider access to key systems or data.[5] In contrast to individuals deciding whether or not to pursue cybercrime as a career, perpetrators of insider crimes can justify their actions to themselves as one-offs, which may lower the barriers to entry.

Current remote working patterns could exacerbate this dynamic. Potential malicious insiders could be emboldened by the comparative lack of supervision relative to office work, and by the greater opportunities to exfiltrate data or commit fraud. Working from home may also reduce technical barriers, as organisations may have had to adapt to provide access to previously siloed information, or have allowed increased usage of personal devices. Finally, remote working will likely further lower the psychological barriers to committing a crime, when compared to physically being on the employer’s premises.

Market mergers

Moreover, changes in market conditions which ultimately stem from COVID-19 have resulted in a significant uptick in mergers and acquisitions (M&A) activity by big technology companies, which typically prize valuable intellectual property.[6] Although the threat from cybercriminals gaining access to insider information is by no means new, the increase in M&A activity is assessed to represent an attractive opportunity for threat actors to achieve significant returns with comparatively limited risk,[7] by exploiting illicitly obtained confidential information. As the insider threat is believed to increase during M&A as employees hedge their bets or fear for their jobs,[8] we assess there will be an uptick in threat actors soliciting help from individuals with access to market-moving information.


Nation-state cybercrime

In addition to an increase in the insider threat, we also expect a rise in what has to date been a niche threat: nation-state cybercrime. As government revenues take a significant hit as a result of the recession caused by COVID-19, the connection between some nation-state operators and cybercriminal activity is likely to grow. Governments could view the relative success of highly publicised North Korean efforts and seek to either emulate them, or to hire their services. In addition, nation-state operators or contractors that moonlight in cybercrime may increase such activity to raise revenues for themselves or their employers. Factors hindering a rise in individual cybercrime, such as fear of repercussions and law enforcement, could potentially be mitigated by the protection that working for a nation-state provides.

The North Korea effect

North Korean threat actors have consistently leveraged their sophisticated cyber capabilities to undertake financially motivated cybercriminal operations. In doing so, they aim to circumvent international economic sanctions targeting the regime and generate revenue for its nuclear weapons and ballistic missile programmes.


North Korea’s unique geo-political position, which shields it from most international repercussions, enables it to commit the kinds of cybercrimes outlined in the graph above. Indeed, a recent US government alert reaffirmed the growing nature of the North Korean cyber threat.[9] As of late 2019, North Korean threat actors had attempted to steal as much as USD 2 billion through cyber-enabled financial theft and money laundering.[10] Other revenue-generating activities include offering their sophisticated cyber capabilities for a nominal fee. This last point underlines the state’s desire to squeeze all potential revenue from its capabilities.

Although it is difficult to assess the exact impact of COVID-19 on North Korea, recent reporting suggests that a self-imposed blockade to reduce the chance of the virus spreading has potentially done more damage to the country’s economy than years of international sanctions.[11] As such, we anticipate North Korea will seek to significantly increase its cybercriminal activity to raise revenues. This could extend to Pyongyang attempting to expand its capacity to rent out its capabilities to cybercriminals. As North Korean actors would be undertaking these operations, we expect to see an increase in Lazarus-style payment manipulation efforts and extortion attempts.

The nation-state/cybercriminal nexus during the “Great Lockdown”

More broadly, we also expect to see a growth in nation-state operators or contractors that also engage in cybercriminal activity. Recent evidence has pointed to the growing number of examples of operations that blur the line between nation-state and cybercriminal activity. Although North Korea is the most prominent example of this, there are also numerous Chinese and Iranian nation-state operators that moonlight as cybercriminals. The recent indictment of two Chinese hackers linked to the Ministry of State Security is merely the latest example of the diverse aims of many Chinese contractors.[12]

An economic downturn caused by COVID-19 may force nation-state operators or contractors that engage in cybercrime to increase such activity. This will be driven by individual necessity or to generate revenues for their employers if central budgets are more restricted, particularly as there is increasing emphasis on self-sufficiency for these departments. Both factors will likely be more acute in countries such as Iran, where the pandemic has exacerbated negative economic conditions caused by sanctions.[13]


Cyber security budgets: new risks to the supply chain

The economic effects of the pandemic could also significantly hinder defenders’ ability to mitigate such threats. Although still considered vital, cyber security spending is likely to decrease as the recession hits. Faced with the prospect of economic uncertainty, companies, especially those with tighter budgets such as small and medium-sized enterprises (SMEs), are re-evaluating how best to allocate investments to ensure business continuity.

Cyber security spending during the “Great Lockdown”

Although the cyber security sector is expected to continue to grow in the long-term, a general reduction in companies’ cyber security budgets is expected, if only in the short-term.[14] These potential reductions in capability are in turn likely to reduce companies’ ability to predict, prevent, detect and respond to threats.

Supply chain risks

Reduced cyber security spending could also prove detrimental to the security of larger supply chain environments. Although larger organisations may be better prepared to weather these changes, greater disparities between well- and poorly-secured companies increase the threat from supply chain compromise.

This is significant as supply chain compromise has become a popular infection vector within the threat landscape – a trend reflected in Orpheus’s intelligence reporting database (Figure 3). Indeed, as discussed in a previous blog post, while traditionally associated with nation-state espionage units,[15] supply chain compromise has become part of the TTPs (tactics, techniques and procedures) of cybercriminals as well.


We therefore expect the COVID-19 recession, and the associated costs to cyber security budgets, to reinforce this trend of targeting supply chains. Threat actors will likely view less secure elements of an organisation’s supply chain as an attractive target, and direct operations accordingly. Therefore, while the overall number of cybercriminals may not drastically change, current economic constraints could simply lead to a reaffirmation of pre-existing trends in the threat landscape.



As we argued in our previous blog post, we do not anticipate that a recession will in and of itself cause a significant increase in cybercrime. However, it will have some impact on the evolution of the threat landscape. A recession is likely to increase the insider threat to organisations and will reinforce the growing connection between nation-state and cybercriminal activity, as nation-state operators seek to raise revenues for themselves or their governments.

At the same time, it is worth remembering that at least two of the trends we have outlined in this blog existed before the pandemic. As we have emphasised throughout this series, the pandemic is mostly accelerating existing drivers in the threat landscape. As such, the evolution of cybercrime during a COVID-19 recession will predominantly continue in line with current trends. The increased potential for nation-state cybercrime and supply-chain compromise, for instance, are both examples of pre-existing threats that we believe may be reinforced by the consequences of the pandemic.

A threat-led intelligence approach is essential for understanding how malicious insiders and nation-state groups that engage in cybercrime will continue to adapt their targeting and tactics, techniques and procedures. To better understand cyber threats to your own organisation, click here.

[1] The 2020 Verizon Data Breach survey reported that more than half of malicious insiders are motivated by financial gain.

[3] Recent surveys indicate that the healthcare sector is particularly susceptible to insider threats: and

[8] ;

[14] There is considerable debate about the impact of a recession on cyber security spending. See and and and

