Advanced Persistent Threats put Your Users in the Front Line


In the hyperconnected age of the internet, businesses are increasingly drawn into the geopolitical games of nation states. Sophisticated state-sponsored adversaries may pre-position for future cyber conflict in utilities, power, telecoms and technology companies; or execute operations that steal intellectual property or money, or perhaps simply aim to punish criticism of the dear leader. One element these attacks tend to have in common? They exploit the human user to gain access to systems, networks and data: our minds are the gateway.

Many Advanced Persistent Threats (APTs) use now-conventional spearphishing methods. The FIN7 threat group steals payment card data from compromised systems, amongst other operations. In 2017, FireEye reported that FIN7 had sent spearphishing emails to personnel responsible for United States Securities and Exchange Commission (SEC) filings at multiple financial institutions. The messages were sent from a spoofed SEC email address and were titled ‘important changes to form 10.K’ – a reference to the annual report (Form 10-K) that their targets were responsible for filing, and so a document they were bound to take an interest in. Helpfully, the attackers attached a ‘new template’ for the form.

Chinese state-linked APT41 uses a variety of user-focused deceptions to steal intellectual property across a number of industries. Typical spearphishes have spoofed credible senders such as well-known industry representatives. But APT41 has also made emotional appeals, including targeting Hong Kong Occupy activists during the pro-democracy protests with emails titled ‘help’. Making timely use of current events has also become a habit for this group. For instance, prefiguring the scams that arrived with COVID-19, in 2015 APT41 targeted a Japanese media organisation with a lure document on ‘Prevention of Middle East Respiratory Syndrome (MERS)’. Again, this targeted fear: respiratory infections and a potential pandemic were salient to targets in the Asia-Pacific region at that time, because of first-hand experience of the SARS and avian flu outbreaks.

The Wizard Spider group, whose toolset includes the TrickBot banking trojan amongst its many tools, adopts a more scattergun approach that uses spam emails. But these are tailored to the audience at a basic level – personalising the individual’s first name and the organisation name from details harvested from the target email address. An example email:

‘Dear [NAME], I am a new employee in [ORGANISATION]. I will process complaint on you till 2pm. Complaint report #10/13/20 or online preview in PDF [MALWARE LINK]’

This content abuses some key psychological principles. Let’s take each element of the example above:

  • ‘I am a new employee…’ – alleviates suspicion (‘they’re a newbie, so that’s why you don’t recognise their name!’);
  • ‘I will process complaint on you…’ – stimulates fear and anxiety: your emotions are being targeted, and the reflective, rational thinking that ‘should know better’ may be sidelined;
  • ‘…till 2pm’ – a time limit, even a nonsensical, out-of-context one such as this, introduces a scarcity effect, again inviting an instinctive, non-reflective response.

But some recent attacks add further sophistication. The Silence group targets banks and other financial institutions. Silence sends reconnaissance emails first, which appear to users as ‘mail delivery failed’ messages. This stage lets the attackers confirm which addresses are live and which identities are real, so that they can then mimic (spoof) real, identified users within a targeted organisation – using those identities to exploit collegial trust and send real, identified colleagues live phishing emails carrying malware.
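As an added example (not part of the original post), here is the check a mail team can run against the reconnaissance stage just described. A genuine delivery status notification arrives from the null envelope sender, so its Return-Path header is ‘<>’, and it quotes the Message-ID of a message the organisation’s own mail server actually sent. An inbound ‘mail delivery failed’ message that fails either test is worth a second look. The two sample messages, the outbound Message-ID log and all domains and addresses are constructed placeholders.

```python
"""Triage inbound 'mail delivery failed' messages against what we actually sent.

A genuine delivery status notification (DSN, RFC 3464) is sent from the null
envelope sender, so its Return-Path header is "<>", and it reports on a
message our own MTA really emitted, so the original Message-ID it quotes
appears in the outbound mail log. A reconnaissance email dressed up as a
bounce usually satisfies neither. All samples below are constructed.
"""
import re
from email import message_from_string

# Constructed outbound MTA log: Message-IDs our server really sent.
OUTBOUND_MESSAGE_IDS = {
    "<20240611.1234.alice@example.bank>",
    "<20240611.1235.bob@example.bank>",
}

# Constructed sample 1: a real DSN for a message alice actually sent.
GENUINE_BOUNCE = """\
Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@mx.partner.example>
To: alice@example.bank
Subject: Mail delivery failed: returning message to sender
Message-ID: <dsn-778@mx.partner.example>
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.partner.example
Final-Recipient: rfc822; someone@partner.example
Action: failed
Status: 5.1.1

--b1
Content-Type: message/rfc822

Message-ID: <20240611.1234.alice@example.bank>
From: alice@example.bank
To: someone@partner.example
Subject: Q2 figures

--b1--
"""

# Constructed sample 2: shaped like a reconnaissance email posing as a bounce.
FAKE_BOUNCE = """\
Return-Path: <it-support@freemail.example>
From: Mail Delivery Subsystem <postmaster@freemail.example>
To: alice@example.bank
Subject: Mail delivery failed: returning message to sender
Message-ID: <f33d@freemail.example>
Content-Type: text/plain; charset="utf-8"

Your message to compliance@example.bank could not be delivered.
"""

BOUNCE_SUBJECT = re.compile(
    r"mail delivery failed|undeliverable|delivery status notification|returned mail", re.I)
MESSAGE_ID = re.compile(r"Message-ID:\s*(<[^>\s]+>)", re.I)


def looks_like_bounce(msg):
    """Cheap triage: does this message present itself as a bounce?"""
    sender = msg.get("From", "").lower()
    return bool(BOUNCE_SUBJECT.search(msg.get("Subject", ""))) \
        or "mailer-daemon" in sender or "postmaster" in sender


def referenced_message_ids(raw, own_id):
    """Every Message-ID quoted anywhere in the message, minus the bounce's own."""
    ids = set(MESSAGE_ID.findall(raw))
    if own_id:
        ids.discard(own_id.strip())
    return ids


def assess_bounce(raw, outbound_ids):
    """Return {'is_bounce', 'suspicious', 'findings'} for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    if not looks_like_bounce(msg):
        return {"is_bounce": False, "suspicious": False, "findings": []}
    findings = []
    return_path = (msg.get("Return-Path") or "").strip()
    if return_path != "<>":
        findings.append("Return-Path %r is not the null sender a real DSN uses" % return_path)
    if msg.get_content_type() != "multipart/report":
        findings.append("body is %s, not multipart/report" % msg.get_content_type())
    quoted = referenced_message_ids(raw, msg.get("Message-ID"))
    if not quoted:
        findings.append("no original Message-ID is quoted")
    elif not quoted & outbound_ids:
        findings.append("quoted Message-ID(s) %s never left our MTA" % sorted(quoted))
    return {"is_bounce": True, "suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE_BOUNCE), ("fake", FAKE_BOUNCE)):
        print(label, assess_bounce(raw, OUTBOUND_MESSAGE_IDS))
```

The Message-ID correlation is the decisive signal: a bounce for a message that never left your server is either a misdirected notification or someone probing your address space. The Return-Path and content-type checks are cheaper and catch the lazier fakes, but a careful attacker can forge both, so treat them as supporting evidence rather than proof.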

The conclusion is that any organisation within an important supply chain, or that owns something worth stealing, is a target for nation state actors – and not only for them. An organisation’s IT users are in the front line. But research suggests that showing individuals the persuasive tricks of professional manipulators makes them more resilient to those tricks afterwards. The question is: do your organisation’s users understand not only what targets them, but why such deceptions so often work?
