How a social engineering campaign fooled infosec researchers

Persistence is key

What made this campaign successful, according to SocialProof Security CEO Rachel Tobac, is that the social engineering and rapport building began very early, much earlier than observed in many other campaigns.

"A lot of times you're going to see attackers go straight to the lure, straight to the malware in your typical phishing attack. That's not what happened here. In mid-year 2020, the attackers started building rapport, building reputation with their targets, the security community in general and getting that trust built was something you can see was very important to them."

Tobac told SearchSecurity these nation-state actors used what the social engineering field refers to as the principles of persuasion.

"The first one we saw them leverage would be authority. They built authority on the topic to be able to direct people to their malicious blog. They started with real, authentic content then moved to attack. Secondly, we saw them use reciprocity, which is where they discuss personal details about themselves to elicit personal details about their target," she said. "Then we saw social proof in action where they namedropped the right people on blogs, and they weaponized their blog, which they probably did the entire time. The security community trusted it because it seemed like real content and they weren't going to look to see if they were compromised."

The fourth tactic Tobac observed was commitment and consistency. "This is all about asking seemingly innocuous questions to really build up rapport so by the time they get to the creepy questions it already feels like well, 'I've already been talking to this person for a long time.'"

One example Tobac provided is asking a researcher if they are using Chrome.

"If that person says 'yes', then of course that lure and malware they're going to use is a Chrome zero-day against that target. So, they customize their approach based on the operating system that the researcher is looking into, the field of research to make sure the malware will work on their machine. It's extremely smart."

In general, state-sponsored attacks are generally more intense. One thing makes their attack methodology unique: persistence.

"They really ingratiated themselves and built trust with the security community and researcher community. They had a following of 2,000 across accounts on Twitter. They would signal boost their own work between Twitter accounts. These tweets generated hundreds of likes and retweets before the attackers even went in to direct messaging people. They have a reputation of talking about research and putting out good research."

Reed Loden, HackerOne chief open source security evangelist, told SearchSecurity that the bug bounty platform has never seen security researchers specifically targeted by state actors before to this level of detail and persistence. However, he said, it is not surprising.

"Many security personnel have privileged access due to the need to investigate possible security issues at all levels, so they are in fact excellent targets for state actors," he said in an email to SearchSecurity.

Additionally, social media provides a wealth of information that makes it easier for threat actors to pull off social engineering attacks.

"They are far more successful when they align with a target's interest, and all this information can be found from Twitter or Instagram. Another attack vector comes from what employees inadvertently leak, e.g., a picture of them at work on LinkedIn can give a cybercriminal a perfect guide to what a uniform and badge need to look like," Loden said.

According to Tobac, anyone with the right pretext, the right timing and the right lure can get compromised. "We don't make fun of people for getting social engineered because it appeals to who we are centrally as humans. We just say that's how it goes. Human hackers [are] going to human hack."

This most recent campaign drew extra interest because it is a good example of threat actors taking their time, familiarizing themselves with their targets and patiently developing connections with them, Tobac said.

"Rather than building persistence on a network and waiting quietly on the network, we're really seeing persistence on the social engineering side, rather than the technical side."

Protecting against the human hack

In many cases, security awareness training prepares people for what to expect from a social engineering attack. That may work for traditional phishing emails and lesser impersonation tactics, but when it comes to skilled nation-state actors, it is not enough.

Tim Sadler, co-founder of email security company Tessian, told SearchSecurity that traditional security awareness training is not sufficient.

"In this attack, the cybercriminals used sophisticated impersonation tactics to build trust over time and trick the researchers into unwittingly installing malicious code," he said in an email to SearchSecurity. "Traditional security awareness training wouldn't solve for this. Why? Because many of the telltale signs of a scam, that people are taught to look out for during tick-box training sessions, just weren't present. The other problem is that one-off training doesn't account for the fact that hackers play the long game, using multiple touchpoints to target their victims. How can businesses expect their employees to remember training that was delivered over six months ago, for example?"

According to Sadler, the training needs to evolve to keep up with the evolving threat landscape.

"It should be delivered automatically and continuously, making employees aware of potential threats in-the-moment and advising them on what action to take. Security awareness training should use real-world threats that employees face to provide context. Many of today's security awareness training platforms rely on simulating phishing threats and use predefined templates of common threats. While this is a fair approach for generic phishing awareness, it's ineffective at preparing employees for the highly targeted phishing threats and impersonation scams they are likely to see today."

Tobac agreed that the solution is not more security awareness training, but more examples of how nation-state actors use social engineering. "I would say all security researchers are so aware of the way that social engineering works."

Like Johnson at Fuzzing IO, security researchers can protect themselves by using virtual machines that are isolated from other systems to access resources or open files from untrusted parties. There are other technical tools, including password managers and multifactor authentication, as well as basic best practices such as not reusing credentials on accounts and machines.

"We know one researcher who was compromised mentioned they think the fact that they used similar or identical credentials from one machine on their network to the next, led to that pivoting within the network to another machine. Those are technical solutions you can use, but when you have a nation-state actor, they are going to attempt to persist through whatever technical tools you have," Tobac said.

But none of the technical defenses prevent individuals from falling victim to the con in the first place, which is why social engineering attacks are such a challenge. Being vigilant, especially on machines or user accounts with elevated permissions, is important for all individuals, regardless of their profession, Loden said.

"Even if you're running a fully patched system and browser, zero-day exploits can be used against you. It's best to keep an open eye for paranoia, and perhaps use an unprivileged virtual machine (or a Chromebook or the like) without special access for any type of leisurely surfing, separate from any work systems that might allow a dedicated malicious actor access to a company's internal resources."

Additionally, Loden recommended proactive employee training and routine testing.

"It's on IT and security teams to enable and empower users to both understand how to keep themselves secure and to build a better, more direct and desirable path for them. If an employee gets social engineered, don't blame them. Look in the mirror and understand what caused the employee to cut a corner and how you can encourage them. In practice, this means providing easily usable technical solutions to those researchers to ensure they can better protect themselves from successful social engineering campaigns by segmenting any security research work from day-to-day activities."

Tobac said this attack was a wake-up call for many people. "Ultimately, we're going to see impacts from this attack for years to come."