Countering Insider Threats and the “Little Hook”

August 19, 2022

By TorchStone VP, Scott Stewart

Western technology and intellectual property have long been high-priority collection targets for foreign intelligence services.

And some of these services have not been shy in telegraphing their interest in obtaining such materials.

Similarity and Equality

In March of 1986, the government of China launched an initiative called the 863 Program that declared its intention of achieving technological parity with the West by whatever means necessary.

Subsequent programs, such as the Made in China 2025 Program and the Thousand Talents Program, reaffirmed the Chinese government’s intention to achieve technological parity and even superiority over the West.

For its part, Russia is no less brazen in telegraphing its intent to achieve technological parity with the West.

Indeed, the Soviets (and later Russians) have aggressively targeted Western technology since before they stole the plans for nuclear weapons from the American Manhattan Project in the 1940s—and their efforts continue today.

In 2014, the United States sanctioned Russia after its seizure and annexation of Crimea from Ukraine.

In response, the Kremlin ordered the Russian industrial base, aided by government intelligence agencies, to develop the capacity to produce key technologies indigenously.

The Kremlin even had the audacity to publicly announce its intent to do so.

World Politics

Tensions once again ratcheted up when severe sanctions were established against Russia in the wake of its invasion of Ukraine.

The visit of U.S. House Speaker Nancy Pelosi to Taiwan has also increased the strain on relations between China and the United States.

Therefore, the espionage threat to Western technology companies and research universities by these two countries is arguably the highest it has ever been.

The threat is further compounded by other state and non-state espionage actors.

Historically, hostile espionage actors have used human intelligence as one of the most successful tools to obtain critical technologies—most often in the form of recruiting insiders with access to the desired information.

The Little Hook

One of the most effective techniques used by intelligence officers to recruit insiders as spies is known as the “little hook.”

As the name suggests, the little hook is a subtle approach that is used after a recruitment target has been identified and as the intelligence officer works to develop a close working relationship with the target during the recruitment process.

Rather than just openly pitching the target for recruitment at once, the little hook involves asking the target for information that is not particularly sensitive or classified.

In a classic example, it is asking the target agent for a copy of the unclassified embassy telephone directory rather than a trove of highly sensitive top-secret documents.

Once the target provides the requested information, he or she is then flattered and sometimes provided cash or other favors.

The concept is to develop a relationship in which the target becomes accustomed to responding to taskings for information and then being rewarded for providing the requested information in a transactional process.

Wait for It…

Generally, after the first transaction, the intelligence officer will work to deepen the relationship further while requesting increasingly sensitive information in subsequent requests.

Once the officer is confident that this little hook has been set and the transactional relationship has been sufficiently established, they will then formally pitch the target and attempt to recruit them as a spy.

Some intelligence services are more aggressive than others and may go for a formal pitch after the first transaction.

In many, if not most, cases, the early little hook transactions are video recorded to create incriminating material that can be used as blackmail if the target rejects the formal recruitment pitch.

Once the agent has been successfully recruited, the intelligence officer will train them on tradecraft and teach them techniques to gather and pass intelligence without detection.

“Come Speak at Our Conference”

One form of little hook that is frequently employed is the offer to speak at a university, trade group, or technical conference in exchange for travel expenses and a small stipend.

This was the approach used by Yanjun Xu, Deputy Division Director of the Sixth Bureau of the Jiangsu Province Ministry of State Security, when he attempted to recruit an engineer from GE Aviation.

Xu was the first Chinese intelligence officer to be extradited to the United States to stand trial and was convicted in November 2021 for conspiring to and attempting to commit economic espionage and theft of trade secrets.

In this case, the deputy director of the Nanjing University of Aeronautics and Astronautics (NUAA) approached the engineer in March 2017 under the guise of an academic exchange.

As the conversation progressed, the engineer was eventually invited to speak at NUAA.

After delivering his presentation at NUAA in June 2017, the engineer was invited to a dinner where he was introduced to Xu.

Xu was operating under an alias while claiming to be from the Jiangsu Science and Technology Promotion Association, which is affiliated with NUAA.

At the dinner, Xu flattered the engineer for his knowledge, paid him $3,500 in cash for his presentation, and set up arrangements to continue communicating.

As Xu continued to communicate with the engineer, he pressed for technical data while holding out the carrot of another speaking engagement in China that would bring another cash payment.

At some point during these communications, GE and the FBI became aware of them, and the employee was approached by the FBI and agreed to cooperate with them.

Turning the Tables

In January 2018, Xu requested “system specification, design process” information from the engineer.

The engineer, at the FBI’s direction, sent Xu a two-page document (cleared by the company) to further whet Xu’s appetite.

Buoyed by the success of enticing the engineer to send a sensitive file through his nonwork email account, Xu decided to take things a step further.

He sent the engineer a list of “domestic requirements” he had been tasked with obtaining information on, asking the engineer which of them he was familiar with.

Among the items on the list was “design criteria for the foreign country’s composite material rotor fan blade, stator fan blade and fan casing”—items that are clearly proprietary to the engineer’s company, the only one in the world that makes composite fan blades.

At this point, the engineer advised Xu that the topic involved his company’s commercial secrets, something Xu replied that they could discuss later in person.

Xu then asked the engineer for a copy of the file directory on his company-issued laptop computer.

Under the FBI’s direction, the engineer sent a copy of a directory that GE Aviation had heavily edited to remove any sensitive information.

After receiving the directory, Xu told the engineer that “they” had looked at it and believed it was “pretty good stuff.” Xu then asked the employee if he intended to bring his company-issued laptop on his Europe trip and if the data in it could be transferred to an external device.

The engineer replied affirmatively to both questions.

Xu took the bait and began to discuss ways that he could copy the contents of the hard drive in the engineer’s company-issued laptop.

Since GE company policy prohibited the engineer from traveling with his work laptop to China, Xu agreed to meet the engineer in Brussels during a “previously scheduled” business trip, where Xu could clone the hard drive.

The fact that Xu was willing to travel is a reminder that the Chinese espionage threat is not confined to China’s borders or those of the country of the targeted company.

Like all other services, they pose a threat wherever information they want is located.

The business trip to Belgium was a sham, and Xu was arrested by Belgian authorities and then extradited to the U.S. where he was tried and convicted.

He is currently in custody, awaiting sentencing.

“Write a Paper for Us”

In February of 2017, Kevin Mallory was in bad financial shape.

He had lost his job as a government contractor in 2012, and his efforts to start his own consulting company had floundered.

As a result, he found himself hundreds of thousands of dollars in debt.

However, Mallory seemingly encountered a stroke of good luck when he was approached on LinkedIn by a man from a Chinese think tank, the Shanghai Academy of Social Sciences (SASS), who offered to pay him as a consultant if he could write white papers on U.S. China policy for the SASS.

Mallory wrote the papers and was flown to Shanghai to present them in March and April of 2017.

He was paid $10,000 for his first paper and $16,000 for the second.

Like the NUAA, the SASS was closely connected to the Chinese Ministry of State Security and was used to identify potential agents for recruitment.

During his trips to Shanghai, Mallory was met by various intelligence officers, and during his second trip appears to have been formally recruited as a spy because his MSS handler provided him with a phone designed for clandestine communications.

Mallory was tripped up as he re-entered the U.S. after his April 2017 trip, when a search of his carry-on luggage by Customs and Border Patrol found $16,500 in undeclared cash.

This discovery led to an investigation that ultimately led to a conviction for espionage and a 20-year sentence for Mallory.

“Let’s Be Friends”

Mallory’s case is similar to that of U.S. college student Glenn Duffie Shriver.

While studying Chinese in Shanghai and working as an English teacher, Shriver was approached by a woman who offered to pay him $120 for a paper on U.S./China relations.

As with Mallory, this led to Shriver being introduced to intelligence officers from the Ministry of State Security.

While Shriver didn’t have Mallory’s background of working for the U.S. government, due to his age and language capabilities, he was a good candidate to apply for such jobs, which his Chinese handlers encouraged him to do.

He was paid to take the foreign service exam, which he failed twice, and then to later apply for a job at the CIA.

Shriver was caught during the application process, pleaded guilty, and was sentenced to four years in prison.

While these three cases all involve Chinese intelligence officers, almost all other intelligence services take this type of gradual, little hook approach during the development stage of the human intelligence recruitment cycle.

[Figure: Human Intelligence Recruitment Cycle]

In cases where a “walk-in” or self-motivated spy volunteers to provide information for money or other motives, a gradual, subtle approach is not needed, and the little hook is not used.

The intelligence officers can just negotiate an acceptable price (monetary or other) with the walk-in who has already determined they want to work as a spy.

Countering the Little Hook

The most effective weapon in combatting human intelligence recruitment is education.

Employees should receive training on espionage tactics, including the little hook, honey traps, and other frequently used tactics.

They should be warned to be wary of requests to participate in conferences or academic exchanges—especially when invitations are made to employees with access to sensitive proprietary technology, processes, or data.

Participation in such events should be undertaken with a healthy dose of skepticism and only with company knowledge and clearance.

This is especially true when the invited individuals work with technologies specifically targeted by Chinese and Russian programs to achieve technological parity with the West.

The Chinese and Russians are definitely not the only ones seeking such information, however, nor is the industrial espionage threat limited to state actors.

Some companies also have active and aggressive industrial espionage programs to gain a competitive edge.

Say Something

Employees should also be taught to report potential human intelligence approaches to corporate security for additional investigation and potential coordination with the appropriate law enforcement or counterintelligence agency.

Employees must be taught exactly what to report, who to report it to, and how to report it.

Corporate security must also strive to create an atmosphere of trust and confidentiality so employees feel comfortable reporting such activity.

They must know that they can come to corporate security without fear of consequences or ridicule to report the incident.

They need to be provided with an off-ramp so that they do not feel trapped by the intelligence officer’s threat of blackmail and can instead extricate themselves from a bad situation.

If an employee has taken the little hook and provided some piece of information to an intelligence officer, and they are being pressured to take the next step, they must be taught to put off the recruitment attempt and ask for time to think it over.

In a best-case scenario, the company can then contact the appropriate government security service in an effort to catch the intelligence officers like GE Aviation was able to do in the Xu case.

Companies don’t have to be passive victims of corporate espionage.

They can fight back with the proper help.