The Insider Menace

95% of insider threats are usually men.

Insiders that communicate and facilitate adversary groups are typically trusted male employees, which is constituted by some sense of failure in their life or need of money and lack of success which still outlines to that sense of failure.

During majority of the engagements and CNE operations, OnNet CNO team develops and collects intelligence on the insider threats involved and usually ends up identifying, a male between the ages of 28-40 years old.

Kenyan AFTs

The six threat actors OnNet tracks in Kenyan are Nairobi based financial groups that broke up from the primary AFT, and all five of them have the same TTPs when they approach insiders except SilentCards.

SilentCards approaches anyone with physical access to the building often involving guards and janitors and then offers them money. The insider assists them with the delivery of a rogue laptop to the institution’s building.

With Examples

We have witnessed a Janitor/Cleaner photograph statements and software queries from an office late in the evening and send them to an AFT operator via social media as seen below.

Such surveillance helps the AFTs’ to understand the banking software used by the Financial institution.

The same AFTs have used a communications officer in a different instituton to get names of all Western Union tellers, their usernames and emails as seen below.

Though Forkbombo used to work well with SilentCards over a couple years, predominantly the former concentrate on the personnel with an ICT background, collecting OSINT on the subject via LinkedIn, Facebook and other Social media platforms. Then in no time, they will communicate with him, to assist with installation of RUT backdoor. We have witnessed them approach an Accountant with some ICT background as stated on his LinkedIn profile, and such malicious insider would not only aid with the backdoor installation but forward copies of email threads so that the AFTs can understand the inner working of the banks systems.

The screenshot below shows a thread that was forwarded over to the AFTs.

Several batches are usually forwarded depending on the demand.

Some emails contain balances during loan heists when the AFT needs to understand how loans are paid and the organization’s/client’s with bigger credit.

This was a big Modus Operandi for another Threat group OnNet tracks codenamed GrapZone which specialized in loan sabotage, credit manipulation and bill de-credit operations.


Getting statement details for accounts with huge loans was a major MO used by Grapzone, to clear loans quietly little by little without getting noticed.

Computer Network Defense

With the insider threats growing and evading several security checks, a lot of institutions are under attacks everyday.

Building a framework to spy (DITU) or setting up UEBA solutions on the employees can get disastrous and expensive, rather educating them and establishing a culture of accountability can minimize such risks and inflict less harm to the organization already targeted by the AFTs.

Tooth Brushes and GoBags, when we go Counter Cyber

The Culture

When analysts join our ranks, the culture we had when most of us worked for different Governments between EU and EAfrica, was GoBags and all-nighters. These are usually essential when you are dealing with high level advanced actors. When most of us were in public service and running CNO, the mission always came first whilst in Private sector, its much different and adapting is essential because, what a client requires in such an engagement is a solution that will ensure continuation of his/her business.

Engaging The Adversaries

But, adversaries don’t require that due to the fact they are on a mission, they don’t ask for your ISO Cert or when you did your Pentest last, they have an objective which they need to service. So if the analysts coming to respond are not prepared to counter, the actors will be in a position to plant tools anywhere they wish to, at any time they necessitate thus making it hard to counter them. In the end, you find that even after a few machines are cleaned, the actor is able to run lateral movements through the environment detonating their tools at will. Hard work and in battle formation is imperative during counter cyber. Every adversary we encounter at OnNet has an operational timeline, and if you want to be ahead of them, you have to work twice as hard to access their breakout time, how they got foothold and their initial access into a subnet/environment. Advanced actors want to have a few active implants down into the environment while meeting mission objectives. The most dangerous are those that set up passive implants that call home after months, and these actors usually put the work between beachhead to foothold and then to expansion in months, close to an year of CNE operations.

Such stealth and methodical penetration is usually extremely hard to detect and if the tools are custom, the harder it becomes for a normal analyst to pick up such a threat. This is where in OnNet we come through for you, and during such counter cyber operations, there will always be offense.

Cyber Threat Intelligence

Having prior Threat Intelligence does help a lot on stopping the actor, in government, Intelligence is the first line of defense during a conflict or even at peace time. Approaching the environment that way, gives you leeway to set up on the high grounds and watch the battlefield. Getting ready requires camping at clients and collecting data, usually a lot of it and running it through analytics. This helps your operators on the high grounds and down range to understand the intent of the adversaries. You cannot assume or even result to think that they are irrational, due to their actions in the network because as a analyst you didn’t make sense of their intent and capabilities before the fire fight starts. This can result to failure during response and counter cyber ops. Thus, when on the battleground, soldiers do not go home until the dust settles and everything is cleared out .

Fifth Domain Of War

Cyber being the fifth domain of war, at OnNet we fight until the end.

When the fight starts, an infiltrate teams objective, is to zero on the target and take it out to the exclusion of all else. But remember these teams don’t identify everything besides their target through the scope of their rifles sights. A leader has to come through for them surrounded by his/her Threat Intel team and as much as he/she wants to fire, he/she needs to keep their weapon at full port arms, and listen to the intelligence dripping in while scanning the entire battlefield to see and apprehend it all, for action.

The new Age of Information Operations

Cyber has reached a new era of Information Operations, you cannot defend an institution without countering the actors as if you are in a battleground. Waiting for containment to be initiated after the actor has accomplished their mission should not be the case. Prevention should be executed real fast by stopping the adversaries before they succeed in their objectives.