They are words that could strike fear into the heart of a CISO, Chief Risk Officer, or corporate counsel. Not to mention military leadership.
A nuclear engineer for the U.S. Navy, appearing in court today, wrote the following in a recent email:
"I was extremely careful to gather the files I possess slowly and naturally in the routine of my job, so nobody would suspect my plan.
We received training on warning signs to spot insider threats. We made very sure not to display even a single one.
I do not believe any of my former colleagues would suspect me, if there is a future investigation."
What he did not know is that an investigation was already underway and he was the focus of it.
Navy insider threat case revealed in court documents
SecureWorld News just analyzed dozens of pages of court documents to understand this story of the naval engineer—an insider—who is accused of going rogue in a high-tech and high-stakes operation.
Tools involved digital media, encrypted communication, cryptocurrency, and secret data handoffs.
According to emails we have viewed, the suspect in this case was selling a variety of restricted military intelligence with the goal of making
$5 million in cryptocurrency.
Could your organization have an insider threat attempting to utilize these same methods and technologies? It is something to consider as we explore what happened here.
Navy insider threat: the nuclear engineer with data to sell
Jonathan Toebbe is 42 years old and lives in Maryland. He is a government employee working as a nuclear engineer in the United States Navy.
At the time of his arrest on October 9, 2021, he held two active Top Secret security clearances: one through the Department of Defense (DOD) and another through the United States Department of Energy (DOE).
That is to say, he knows things most of us do not. In particular, he knows details of what powers the Virginia class of submarines. These are expensive and technologically advanced nuclear-powered, cruise missile, fast-attack subs, which the U.S. military relies on.
Court documents accuse Toebbe of stealing data on these subs and nuclear propulsion programs, then attempting to sell thousands of documents, schematics, and charts to a foreign government.
Here is how his insider threat scheme allegedly worked, and how it fell apart without him knowing it until the FBI swooped in to arrest him.
Navy insider threat case: how the scheme started
As Jonathan Toebbe said in his own words, he had been through insider threat training. He knew warning signs the government would look for.
As a result, he was both strategic and cautious. So how did he get caught?
He had to take a risky first step to get his data-for-crypto scheme going. And that step opened a hole in his operational security that gave the FBI and the Naval Criminal Investigative Service (NCIS) a front-row seat to what he was attempting to do.
Here is how the scheme started.
Using snail mail, he sent an anonymous note and an SD card to a foreign government address. According to investigators, he wrote the following in April 2020 as he tried to connect with a foreign nation:
"I apologize for this poor translation into your language. Please forward this letter to your military intelligence agency. I believe this information will be of great value to your nation. This is not a hoax."
Court documents do not reveal which country was he trying to sell to. However, the documents do explain that a contact at that foreign government turned the SD card over to the U.S. government. By the end of 2020, the FBI was looking at it.
Readers who are into encryption will appreciate this part:
"On December 23, 2020, the FBI analyzed the encryption keys that were in the SD card sent in the original envelope. There were three keys located on the SD card: Alice Hill — Public Key, Bob Burns — Private Key, and a ProtonMail Public Key. In cryptography, Alice and
Bob are commonly used as placeholders in discussions about cryptographic protocols or systems."
In plain English, the card was locked until the anonymous seller provided a digital key to unlock it.
The FBI affidavit explains what happened next:
On December 26, 2020, the FBI initiated the first of several emails to "ALICE" on ProtonMail. The FBI utilized a ProtonMail account utilizing the pseudo name BOB.
The email stated, "We received your letter. We want to work with you. It has been many months, so we need to know you are still out there. Please respond to this message, then we will provide instruction on how to proceed."
As you will see, the two parties involved would from this point on call themselves ALICE and BOB based on the encryption placeholders on the very first SD card.
For several months, ALICE (really Toebbe) was silent. And then suddenly, this response on February 10, 2021:
"Thank you for contacting me. I am still here. The Covid disease has made it more difficult to find chances to check this email. Let us discuss how to proceed."
BOB (really the FBI) wrote back a couple of weeks later.
"We understand the delay and hope you are well. Our experts reviewed the information you provided. We would like a sample of your [US. Navy] Information. We have a trusted friend in your country who has a gift for you to compensate for your efforts...."
The FBI had proposed an in-person swap of data for cash, but ALICE was too cautious for this.
How the FBI brought the Navy's rogue employee out of the shadows
So if "ALICE" was too worried to appear anywhere besides in the digital world, how did the FBI change his mind?
This happened through social engineering, which included a secret signal for him in Washington D.C.
But this took time. On March 5, 2021, ALICE wrote the following to BOB:
"I am uncomfortable with this arrangement. Face to face meetings are very risky for me, as I am sure you understand. I propose exchanging gifts electronically, for mutual safety. I can upload documents to a secure cloud storage account, encrypted with the key I have provided you.
You can send me a suitable gift in Monero cryptocurrency to an address I will provide. 100,000 USD should be enough to
prove to me that you are not an unwelcome third party looking to make trouble for me.
When I have confirmed receipt of your gift, I will provide you the download link. We are both protected. I understand this is a large request. However, please remember I am risking my life for your
benefit and I have taken the first step. Please help me trust you fully."
Although the Navy's nuclear engineer thought he was talking to a foreign government, he wanted to make sure this was not a trick. He wanted to continue doing things digitally.
He was using public Wi-Fi at a location away from his home, along with a Tor .onion connection to hide his actual IP address. This is how he connected to ProtonMail, which provides end-to-end encryption. He felt confident continuing in this way.
This led to a series of back and forth emails regarding encryption, exchange logistics, and cryptocurrency—all in the name of covering up as many digital tracks as possible.
The FBI, posing as BOB, wrote:
"We understand a face to face meeting would be uncomfortable. We suggest a neutral drop location. When you visit the location alone, you retrieve a gift and leave behind the sample we request.
We hope to have a very long friendship that benefits mutually."
On March 22, 2021, ALICE replied. He was concerned with his operational security.
"I understand your proposal to start a dead drop. I am concerned that using a dead drop location your friend prepares makes me very
vulnerable. If other interested parties are observing the location, I will be unable to detect them. l am not a professional and do not have a team supporting me.
I am also concerned that a physical gift would be very difficult to explain if I am questioned. For now, I must consider the possibility
that you are not the person I hope you are. It would be very easy for the serial numbers of bills to be recorded. Tracking devices and other nasty surprises must be considered as well.
I propose to modify your plan in the following ways:
1. I will place the sample you requested on a memory card and place it in a drop location of my choosing... I am not a professional and I am sure that publicly available information on this subject is incomplete.
2. The samples will be encrypted using GnuPG symmetric encryption with a randomly generated passphrase.
3. I will tell you the location and how to find the card. I will also give you a Monero address. This form of gift protects both of us very well. I am very aware of the risks of blockchain analysis of BitCoin and other cryptocurrencies and believe Monero gives both of us excellent deniability.
4. Once I confirm receipt of my gift, I will give you the passphrase.
Your friend and I will never go to the same drop location twice. I will give you a new Monero address each time. The decryption key will be different each time. No patterns for third parties to observe. The only electronic footprints will be Proton to Proton, so there is less risk of encrypted traffic being collected for future analysis by third parties."
Ironically, as he explained his hesitancy, he was actually laying out his insider threat best practices directly to the Federal Bureau of Investigation.
Meanwhile, the FBI was still using social engineering tactics to get the Naval nuclear engineer to make an in-person data drop. This is something that took several months of convincing and trickery.
On April Fools' Day, 2021, the undercover FBI agent wrote:
"We understand your concern and appreciate the thoughtful plan... as a sign of good faith and trust, we wish to pay you equivalent of 10,000 USD immediately on Monero to address you provide.
Drop locations are safest and allow us to make exchanges without coming in contact and of course, leave no electronic footprint... Your proposed method of memory card with encryption/passphrases is acceptable.
For the small sample we requested, you will receive another $20,000 USD. Once you confirm Monero's address we will activate payment.
Our next step will be information on drop location we have selected. This method will build trust between us for a larger transaction in future. Our experts are interested in information you have but we insist on maintaining our discretion and security as a priority."
On April 9, ALICE wrote back that this idea of an in-person data drop was going too far when working with someone he could not yet trust:
"I am sorry to be so stubborn and untrusting, but I can not agree to go to a location of your choosing. I must consider the possibility that l am communicating with an adversary who has intercepted my first message and is attempting to expose me. Would not such an adversary wish me to go to a place of his choosing, knowing that
an amateur will be unlikely to detect his surveillance? If you insist on my physically delivering the package, then it must be a place of my choosing.
I ask you to consider the viability of an electronic dead drop. I can establish an encrypted online storage account without providing any
identifying information and without provoking any suspicion...
Another possibility occurs to me: is there some physical signal you can make that proves your identity to me? I could plan to visit Washington D.C. over the Memorial Day weekend. I would just be another tourist in the crowd.
Perhaps you could fly a signal flag on your roof? Something easily observable from the street, but nothing to arouse an adversaries suspicion?... "
Amazingly, the suspect in this case asked the FBI to do something he believed only the foreign country he wanted to sell to could make happen: a secret signal.
The undercover FBI agent then responded that it could accomplish this. As it turned out, it was the social engineering trick that this Navy insider threat would finally fall for. And he had asked for it himself.
"This relationship requires mutual comfort. There is risk on both sides and we understand your need for safety assurance of who you are communicating with. As you suggest we can accommodate a signal in Washington D.C. over the Memorial Day weekend. We will set a signal from our main building observable from the street.
It will bring you comfort with signal on display from an area inside our
property that we control and not a [sic] adversary. If you agree please acknowledge. We will then provide more instructions about the signal. We hope this plan will continue to build necessary
trust and comfort of our identity."
So, Naval Engineer Jonathan Toebbe visited Washington D.C. during the 2021 Memorial Day weekend, looking at another nation's property, likely an embassy, for a sign that it was eager to buy his U.S. military secrets.
This likely means the U.S. had more cooperation from the foreign government that received the SD card in the first place. However, court documents do not reveal the secret signal or how it was accomplished.
But we do know that Toebbe saw it, fell for it, and suddenly changed his mind about an in-person data drop.
On May 31, 2021, the insider threat also started to spill more details:
"Now I am comfortable telling you... I am located near Baltimore, Maryland. Please let me know when you are ready to proceed with our first exchange. Once you have drop location details for me, I will give you the Monero address and prepare the sample you have requested.
I will place information you have requested, encrypted, on a memory card along with the address for the second payment you offered in a plain text file. After I confirm the second payment I will provide you with the decryption passphrase using the new communication method. I am also excited to continue our relationship."
Navy insider threat case, how the data drops worked
Now the stage was set. The FBI had primed the anonymous insider threat to finally come out of the digital shadows. To seal the deal, on June 10, 2021, the FBI paid ALICE (Toebbe's pseudonym) approximately $10,000 USD in Monero cryptocurrency.
Then in late June 2021, a secret data drop happened in Jefferson County, West Virginia. Court documents explain more, including the role of a peanut butter sandwich:
"...the FBI recovered a blue 16GB SanDisk SD Card left by JONATHAN TOEBBE at the dead drop location. The SD card was wrapped in plastic and placed between two slices of bread on a half of a peanut butter sandwich. The half sandwich was housed inside of a plastic bag. The FBI electronically paid 'ALICE' approximately
$20,000 USD in Monero.
On June 29, 2021, 'ALICE' provided the password to the FBI in an encrypted ProtonMail message. The FBI subsequently opened the provided SD card and provided the contents to the U.S. Navy subject matter expert.
The U.S. Navy determined that multiple documents on the SD card contained Restricted Data. Specifically, the U.S. Navy subject matter expert determined that several of the documents contained militarily sensitive design elements, operating parameters, and performance characteristics of Virginia-class submarine reactors.
The document contained schematic designs for the
Virginia-class submarine. Virginia-class submarines are nuclear-powered cruise missile fastattack submarines, which incorporate the latest in stealth, intelligence gathering, and weapons
systems technology. Virginia-class submarines, with a per-unit cost of approximately $3 billion, are currently in service with the United States Navy and are expected to remain in service until at least 2060."
As it turns out, the Navy's rogue employee who had been reluctant to do anything in person, found that he liked this arrangement.
He proposed more of the same with a keen eye on his operational security and the appearance of innocence. Consider his attention to detail:
"For now, I propose we continue with weekend exchanges at suitable parks and trails, similar to this one. Details of my daily routine may narrow an investigator's search too much if your organization is infiltrated by an adversary one day.
Hiking and visiting historical sites is easier to explain than unexpected stops during rush hour if they ever take a special interest in me.
We are to continue using this method of exchange long term, it is very important that I have as much flexibility in timing my deliveries as possible.
I would like to create a natural legend for my interest in visiting a particular place in the future—reading articles about ten fun things to do in Baltimore this month and 'stumbling' across a beautiful hike close to home, for example. Bad weather on one day might ruin that cover story.
I hope you will forgive my excess caution. I want our relationship to be very successful for us both, and that means that I must be very careful at every step.
Yours truly,
Alice"
He wanted to create plausible deniability, just in case. If only he knew that he was building the case against himself, one email at a time.
Through the summer and fall of 2021, ALICE made additional SD card data drops to his "customer." He thought it was the foreign government, but instead it was the FBI the entire time.
Once, he concealed the SD card in a chewing gum wrapper. Another time, it was inside a Band-Aid left behind in a park.
As the Monero cryptocurrency payments grew, so did the insider's requests for more. And he even took a shot at U.S. security investigators:
"I propose the same payment schedule for the remaining files: 100,000 USD Monero each for the 49 packages... in total $5,000,000 USD Monero.
The amount per transaction is, in part a security measure. As you noted in your letter, US. security forces are lazy. They also have limited budgets.
Bait of $10,000 or 20,000 USD to catch an agent are within their normal activities. $100,000 USD and more? They may offer it, but they will not deliver such a large amount. New reports confirm this is a common tactic used by US. security forces to expose agents. Please do not be offended by this..."
He was wrong on this point because the FBI had handed over $100,000 worth of Monero during the course of this investigation. Once again, he unknowingly told the FBI, "this is how you can socially engineer me." And it worked.
It worked so well that Toebbe wrote about celebrating the success of this scheme to sell U.S. military data:
"One day, when it is safe, perhaps two old friends will have a chance to stumble into each other at a cafe, share a bottle of wine and laugh over stories of their shared exploits. A fine thought, but I agree that our mutual need for security may make that impossible. Whether we meet or no [sic], I will always remember your bravery in serving your country and your commitment to helping me.
Yours truly,
Alice"
To his surprise, the two sides would meet much sooner than expected. And it was not an "old friend" but instead the FBI.
After making another SD card drop on Saturday, October 9, 2021, law enforcement, including the NCIS, arrested him in West Virginia.
Investigators also arrested his wife. Prosecutors say she knew about the scheme and acted as a lookout during the SD card drops at public locations.
That final SD card, by the way, had more Restricted Data related to submarine nuclear reactors, according to the court documents in this case.
You can read the Navy insider threat court documents here.
What would have happened if the foreign government had taken Jonathan Toebbe up on his offer to buy U.S. nuclear propulsion data instead of turning that information over to the FBI?
Is there someone at your agency or your organization who is going rogue right now? What kind of controls would help prevent or detect such activity? Let us know in the comments below.
RELATED:
The 3 Most Common Insider Threats
The IT Director Who Became an Insider Threat
