In what can only be described as insider gone sideway, a senior adviser within the U.S. Department of Treasury’s Financial Crimes Enforcement Division (FinCEN), Natalie Mayflower Sours Edwards, shared with media her confidential work and more.
Edwards, through her position of trust within FinCEN, harvested thousands of suspicious activity reports (SARs), focusing on the work being done by the Special Counsel and the U.S. Attorney’s office for the Southern District of New York. She specifically harvested information associated with Russian diplomatic accounts, Paul Manafort, Richard W. Gates and others. She successfully navigated through any internal Treasury infosec data loss protection schema by staying within her natural access and walked confidential information out of Treasury via a government-authorized USB thumb drive.
The U.S. Attorney prosecuting Edwards noted in a Department of Justice (DoJ) statement that she, “… allegedly betrayed her position of trust by repeatedly disclosing highly sensitive information contained in (SARs) to an individual not authorized to receive them. SARs, which are filed confidentially by banks and other financial institutions to alert law enforcement to potentially illegal transactions, are not public documents, and it is an independent federal crime to disclose them outside of one’s official duties.”
The multicount criminal complaint includes the unauthorized disclosure and conspiracy to make unauthorized disclosures of SARs.
This is a signal to us that Edwards was not acting alone and DoJ may have another shoe to drop. That shoe may fall upon a more senior FinCEN employee, one to whom Edwards reports. This co-conspirator is described as, “an Associate Director of FinCEN to whom Natalie Mayflower Sours Edwards, the defendant reports.”
While the DoJ’s statement and the criminal complaint are circumspect in identifying to whom she provided the information, they provide a clear road map that points to Jason Leopold of BuzzFeed News as the recipient of the information.
In addition, both Edwards and the co-conspirator are identified as having had hundreds of confidential message exchanges using an encrypted messaging application contemporaneously with the publication of Leopold’s articles.
Edwards the Insider’s Actions
Of interest to the information security/cybersecurity world is this is an insider threat realized.
Every CSO/CISO is reading this and most likely overlaying the Edwards activity on their own IT infrastructure, thinking, “Is this possible here?”
Let’s review Edward’s mechanics for hoodwinking the gate guards at Treasury.
Tough to Detect Someone Staying in Their Swim Lane
The criminal complaint lists in detail the corpus of material Edwards collated and shared. Much of the information was within her normal footprint of operational access, according to the complaint. Even though the SARs numbered in the thousands and the documents pigeonholed by Edwards numbered in the tens of thousands, all appear to have been within her normal access as a senior adviser within FinCEN.
Edwards’ Communications with Buzzfeed
Edwards, according to DoJ, initiated contact with Buzzfeed’s Leopold in July 2017 and continued contact through at least mid-October 2018.
Much of the communications between the two occurred via “an encrypted application.”
A review of Buzzfeed’s site shows that organization uses Secure Drop, an anonymous filed-sharing capability using a Tor Browser, and Signal, an encrypted messaging application and PGP for those who wish to encrypt email contact.
These communications occurred predominantly via her personal cellphone, and the magnitude of the communication between the two was realized only when the search warrant revealed what appears to be the incriminating information.
Thumb Drive Used Was Authorized
Furthermore, Edwards was authorized the use of a USB thumb drive for the purposes of her work. A review of her work product stored on this drive demonstrated that she was hoarding information for later use. The incriminating clues? The names of the folders: “Debacle-Operations CF” and “Debacle-Emails-Asshat,” which contained thousands of SARs and other sensitive materials. These materials pertained to Russia, Iran and ISIS, as well as Manafort and Leopold.
In sum, the U.S. Treasury’s infosec infrastructure permitted the use of the USB drive by Edwards, so her copying of material to the drive may have not triggered any of the data loss prevention switches within the system. Natural access to information and storing materials in a manner that is permitted comes up green on most data loss prevention dashboards.
What is not clear is whether that USB drive was plugged into an unauthorized machine for Edwards to upload the SARs to Buzzfeed, or if she was using her government issued computer/workstation/laptop.
Insider Threat Program Failure
Unfortunately, Treasury’s insider threat program failed to detect Edwards’ illegal actions. Rather, Edwards was identified during a reactive investigation by Treasury and FBI, which were “investigating a series of unauthorized disclosures of SARs and SAR information occurring between in and or about October 2017 and continuing at least until mid-October 2018.”
From this seat, it looks as though the insider threat program within Treasury needs a tune-up.