January 2017 Digital Edition
Nov/Dec 2016 Digital Edition
Oct 2016 Digital Edition
Sept 2016 Digital Edition
Aug 2016 Digital Edition
July 2016 Digital Edition
June 2016 Digital Edition
ICIT Fellow: 'Fake News' is 'Old News' for advanced cyber threats
(NOTE:The Institute for Critical Infrastructure Technology is a non-profit next-generation cybersecurity think tank that brings together the private sector, federal agencies and lawmakers to exchange ideas in support of protecting the country's vital IT infrastructure. This piece originally appeared on the ICIT Blog on Jan.4. Reprinted here with the author's permission. - Editor)
By James Scott
Senior Fellow ICIT
Regardless of your partisan persuasion, your opinion of mainstream media or your opinion of the ‘alt-right,’ one thing is for certain, ‘fake news’ is ‘old news’ when it comes to the weaponization of information by nation states and cyber mercenaries. Cyber adversaries tailor spear phishing and malvertising lures to stimulate cyber-hygienically inept users’ insatiable need to ‘click’ on everything and anything that momentarily ensnares their attention. Lures range in complexity from precise, error-free custom tailored spear-phishing emails that leverage the target’s LinkedIn profile, to typo-filled mass-spam; however, the focus of every social engineering campaign is to entice a target demographic of users to share information, to open an email, to download an attachment, to visit a watering-hole site, etc. For cyber adversaries, social engineering campaigns are low risk, high probability of success, low investment, and high reward. Since the attacker only needs one user, out of hundreds or thousands of potential targets within an organization, to respond to the lure, social engineering remains the dominant attack vector used by sophisticated and unsophisticated cyber adversaries alike. In this manner, a single click can deliver a devastating malicious payload that will haunt an organization for years to come.
Advanced Persistent Threat (APT) groups are sophisticated adversaries with access to significant resources that are capable of launching sustained dedicated attack campaigns. APTs have been a prevalent category of cyber-adversary since at least the early 2000s; however, the widespread analysis of APTs did not become prevalent until around 2014, and mainstream media did not discuss APTs until after the late 2014 hack of Sony Pictures .
Social engineering campaigns require interaction with the victim and depend on tempting the target to neglect cyber-hygiene best practices. These attack vectors, which include spear-phishing emails, watering-hole sites, malvertising, etc., aim for the target to either communicate sensitive information via interaction with the adversary or their malware, or via the download and execution of a malicious payload that installs malware on the victim system and establishes a beachhead that the adversary can leverage to laterally move throughout the organizational network and thereby compromise additional systems. Adversaries prefer social engineering campaigns that require the lowest investment of time, attention, and other resources; as a result, attack vectors that utilize un-cyber-hygienic user activities to automatically install malware onto victim systems are typically favored over attack vectors that require the constant attention of the attackers. APTs, cybercriminals, and other cyber threat actors (such as the sample described below) often bait their social engineering lures with news and fake news, which is tailored to their target demographic because news and current events articles are relevant to the widest victim pool across the most sectors. Further, a lure based around real or fake news has a significant chance of undermining targets’ mental defenses and cyber-hygiene training.
Victims are Predisposed to Interact with News Lures
Victims interact with news lures for several reasons, which include a drive to be “up-to-date” or current; a sense of urgency; socio-political polarization; curiosity; or fear. The most effective lures either incorporate a real news article as an attachment, as a malicious link to a compromised site, or as a tantalizing banner bordering an article tailored to the potential victims.
High-Profile Lures Entice Global Victim Pools
News was the most common social engineering lure in 2014. Cyber-adversaries capitalized on high-profile natural disasters, global events, celebrity gossip, and buzz-worthy headlines. The Sochi Olympics, the World Cup, the death of Robin Williams, the leak of celebrities’ private photos from the iCloud, and other stories were used by APTs and cybercriminals to spread malware to victim systems via email, watering-hole sites, and malicious advertisements . For instance, in 2014 the APT known as Naikon or APT 30, beguiled victims with a spear phishing email titled with topics relevant to both the Malaysian Airlines flight 370 and MH17 crash. The emails contained articles loaded with malicious droppers or with a fake video attachment that installed a remote access Trojan (RAT) onto victim systems .
The Naikon group is one of the most active APT groups in Asia. Since 2010, it has launched spear phishing campaigns into organizations surrounding the South China Sea, intent on harvesting geo-political intelligence from civilian and military government organizations in the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, Nepal, Thailand, Laos, and China. The actors speak native Chinese. Based on the choice of targets, the operating language, and the sophistication of the toolkit, there is a distinct possibility that Naikon is a Chinese state sponsored threat group .