Insider Threats Among Us: Looking Back at Lessons Learned from the Discord Intelligence Leaks

by Isaac Kohen May 30th, 2023

Too Long; Didn't Read

Jack Teixeira, a 21-year-old Massachusetts Air National Guardsman, is suspected of leaking intelligence documents online to a forum of internet denizens via a Discord server. This leak is being called the biggest blow to the U.S. intelligence community since Edward Snowden and has served to undermine trust.

In April, many of us quickly became aware of the name Jack Teixeira.


He made headlines as the 21-year-old Massachusetts Air National Guardsman suspected of leaking intelligence documents online to a forum of internet denizens via a Discord server that centered around what the New York Times described as “a shared love of guns, racist online memes and video games.”


In case you missed the details of the story, Teixeira is suspected of having posted sensitive files containing American intelligence assessments on a range of topics, prominently among them tactical offensive plans in Ukraine. This leak is being called the biggest blow to the U.S. intelligence community since Edward Snowden and has served to undermine trust in those entrusted to keep classified information secure.


By all accounts from what we know so far, this is a weird yet painfully accurate picture of the modern insider threat.


Let’s take a look at what we can learn from this story and the steps we can take to reduce our own risk of such a threat impacting our own organizations in the future.

A Weird and Pointless Leak

Usually when we think about government leakers, they fall into two categories based on their motivations.


The first are the ones that do it for the money. These are your Robert Hanssen and Aldrich Ames types.


Hanssen was a particularly fascinating yet damaging case, not only because the information that he passed on to the Russians allowed them to uncover American human intelligence assets there, but also because he was part of the counterintelligence team that was itself tasked with hunting down spies. His inside knowledge and wide access to sensitive information made him one of the most destructive cases of espionage in U.S. history.


The vast majority of insiders in any kind of organization, government or private sector, are motivated by how they can leverage their insider knowledge for their own benefit.


The second type of insider threat is the ideologically motivated leaker like Edward Snowden and Chelsea Manning. Their disagreements with the government, whether out of conscientious objection or arrogance (we will never know what was truly in their hearts), led them to abuse their authorized access and steal information that embarrassed the U.S. government and may have compromised ongoing operations.


But then we come to the soon-to-be-retired Airman Teixeira.


The 21-year-old IT specialist in the National Guard was reportedly looked up to by the teens and young guys of the Thug Shaker Central Discord server.


Ostensibly spun up for talking about video games, this server became a small community of immature, racist, and gun-obsessed juveniles. Teixeira appears to have gained a reputation in the group, impressing the kids with his knowledge of guns and geopolitics.


Apparently his antics on the forum were not enough to maintain his online version of “street cred”, so he began sharing highly classified information in the group. He started off with a few docs here and there. But when he did not get a sufficient dopamine hit of attention from his gaggle of devotees, he upped the ante and started flooding the forum with a tranche of classified material, telling them not to share it externally.


So of course the documents leaked out to Minecraft chat groups, Telegram, 4Chan, and eventually Twitter.


When the feds finally caught wind that they had a serious breach, it appears that they made fast work of finding the leaker: they obtained billing information from Discord, and learned Teixeira’s first name, and that he was in the Massachusetts Air National Guard, from his chatroom followers.


Additionally, he apparently also searched for “leak” in the government intelligence system that he had access to, adding a final cherry on top to the list of things not to do when leaking classified information.


Teixeira, for his part, does not appear to have expected any kind of compensation for his leaking. His reported politics point to a reactionary with some feelings on Waco and Ruby Ridge, but there are no indications that his leaking was driven by politics.


In the still early days of the investigation following his arrest for retaining secret documents without authorization, all signs point to Teixeira just wanting to show off to his friends.

Video Games and Social Media: A Target for Espionage

Funnily enough, this is not the first time that classified documents have been shared in video game forums. In 2021 the manual for the French main battle tank was posted to a page for enthusiasts of the tank game War Thunder. This was a repeat of an earlier incident in which the specs for the British Challenger tank were also posted to the chat for the game.


Apparently, the posters were fighting over the accuracy of the specs in the game and wanted to go to the source to prove their point.


Some people will really go to that next step to win an argument on the internet.


Global intelligence agencies have picked up on the opportunity to glean information from these forums, and from social platforms in general, a fact that the government is painfully aware of but has not yet taken sufficient steps to mitigate.


Thankfully, there are some steps that you can take to limit the damage from an insider threat.

3 Steps for Reducing Risk from an Insider Threat

The list of “should haves” is going to be long following this investigation. Some of its findings are likely to be relevant for the wider public, but here are a few steps that you can take for your org.


  1. Monitor User Behavior to Detect Suspicious Activity


There’s no reason why a single person should have had access to all the information that Teixeira did. Alarm bells should have started going off when he touched all of those files.


Some of the damage could have been limited by properly segmenting the data.


Teixeira was an IT specialist, not necessarily an intel analyst if the reporting is correct, so his opening files from such a wide range of topics should have sent alerts to the security team, provided they were monitoring his user behavior with the right sort of tools.


User Behavior Analytics (UBA) tools can help to establish the baseline of normal behavior and then alert when a user deviates from that baseline. Such monitoring does not have to interfere with someone’s ability to access data, but it allows you to maintain security surveillance and control.


  2. Log Activity in Sensitive Data and Systems

Being able to investigate who is behind a leak means connecting a lot of dots. By knowing who did what, where, and when, you can triangulate who is the likely culprit and understand the full extent of everything that was impacted.


We saw in the reporting how investigators were able to see what Teixeira was searching for in their systems. Now that they have their man, they are probably going through his logs to see what he accessed to understand what else may have been compromised.
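As an added example (not code from the original post), here is a minimal baseline-and-deviation check of the kind steps 1 and 2 call for, run over constructed audit-log lines: it flags a user who reads from far more topic compartments than their own baseline, and any search on a watchlisted term such as “leak”. The log format, compartment names, watchlist and tolerance are assumptions.

```python
from collections import defaultdict

# Constructed audit-log sample, one event per line: date|user|action|detail.
# detail is the topic compartment for READ events, the query text for SEARCH.
AUDIT_LOG = """\
2023-02-01|jdoe|READ|NETWORK_OPS
2023-02-03|jdoe|READ|HELPDESK
2023-02-10|jdoe|READ|NETWORK_OPS
2023-02-02|analyst1|READ|UKRAINE
2023-02-02|analyst1|READ|CHINA
2023-02-09|analyst1|READ|MIDEAST
2023-03-01|jdoe|READ|UKRAINE
2023-03-01|jdoe|READ|CHINA
2023-03-01|jdoe|READ|MIDEAST
2023-03-01|jdoe|READ|NETWORK_OPS
2023-03-02|jdoe|SEARCH|leak
2023-03-02|analyst1|READ|UKRAINE
2023-03-02|analyst1|READ|CHINA
"""

WATCHLIST = {"leak", "classified"}  # assumed search terms worth a ticket
TOLERANCE = 1  # new compartments a user may touch before an alert fires


def parse(log):
    """Yield (date, user, action, detail) tuples from the pipe-delimited log."""
    for line in log.strip().splitlines():
        date, user, action, detail = line.split("|")
        yield date, user, action, detail


def build_baseline(log, before):
    """Compartments each user read in events dated before `before` (ISO dates sort lexically)."""
    seen = defaultdict(set)
    for date, user, action, detail in parse(log):
        if action == "READ" and date < before:
            seen[user].add(detail)
    return seen


def detect(log, baseline_cutoff):
    """Return (user, alert_type, evidence) tuples for the window on/after the cutoff."""
    baseline = build_baseline(log, baseline_cutoff)
    current = defaultdict(set)
    alerts = []
    for date, user, action, detail in parse(log):
        if date < baseline_cutoff:
            continue
        if action == "SEARCH" and detail.lower() in WATCHLIST:
            alerts.append((user, "watchlist_search", detail))
        elif action == "READ":
            current[user].add(detail)
    for user, comps in current.items():
        new = comps - baseline[user]  # compartments never seen in the baseline
        if len(new) > TOLERANCE:
            alerts.append((user, "compartment_spread", sorted(new)))
    return alerts
```

Calling `detect(AUDIT_LOG, "2023-03-01")` raises two alerts for jdoe (the watchlisted search and the sudden spread into three intel compartments) and none for analyst1, whose reads stay inside their baseline.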


  3. Limit Data Portability

Make sure that it is hard for someone to steal your sensitive data.


While this takes some threat modeling to understand what your most sensitive assets are, you need to have the ability to simply block certain kinds of data from being sendable over cloud services, email, chat, and even by downloading them onto an external drive.


This includes sending documents to printers so that they can simply walk out the door in somebody’s backpack.


There can be agility tradeoffs here, but this can help to frustrate the exfiltration efforts of your would-be insider.

Trust But Verify

One of the biggest challenges that many seem to be working through following this story is the fact that in order for our organizations to function, we need to trust a lot of people to act with propriety.


The reality is that not everyone is trustworthy, and there is a limit to your control over their loyalty.


Treat people with respect, educate them about the rules and best practices, but at some point they have their own agency.


Experts often refer to the “Clerk Problem” where the organization is always going to need some number of lower level people to actually manage the sensitive assets and data that they have. These individuals will generally be given access above their pay grade because there isn’t much of an alternative from a functionality perspective.


Militaries will continue to rely on 19-year-olds, and our organizations will have to find innovative ways to ensure data security.


Taking on this challenge successfully will require practices like continuous monitoring and being able to raise the red flag for investigators when one of our insiders takes a turn for the malicious, or in some cases, the moronic.