By James Scott, Senior Fellow ICIT
Regardless of your partisan persuasion, your opinion of mainstream media or your opinion of the ‘alt-right,’ one thing is for certain: ‘fake news’ is ‘old news’ when it comes to the weaponization of information by nation states and cyber mercenaries. Cyber adversaries tailor spear-phishing and malvertising lures to stimulate cyber-hygienically inept users’ insatiable need to ‘click’ on everything and anything that momentarily ensnares their attention. Lures range in complexity from precise, error-free, custom-tailored spear-phishing emails that leverage the target’s LinkedIn profile to typo-filled mass spam; however, the focus of every social engineering campaign is to entice a target demographic of users to share information, to open an email, to download an attachment, to visit a watering-hole site, etc.
For cyber adversaries, social engineering campaigns are low risk, high probability of success, low investment, and high reward. Since the attacker only needs one user, out of hundreds or thousands of potential targets within an organization, to respond to the lure, social engineering remains the dominant attack vector used by sophisticated and unsophisticated cyber adversaries alike. In this manner, a single click can deliver a devastating malicious payload that will haunt an organization for years to come.
Advanced Persistent Threat (APT) groups are sophisticated adversaries with access to significant resources that are capable of launching sustained dedicated attack campaigns. APTs have been a prevalent category of cyber-adversary since at least the early 2000s; however, the widespread analysis of APTs did not become prevalent until around 2014, and mainstream media did not discuss APTs until after the late 2014 hack of Sony Pictures.
Social engineering campaigns require interaction with the victim and depend on tempting the target to neglect cyber-hygiene best practices. These attack vectors, which include spear-phishing emails, watering-hole sites, malvertising, etc., aim to get the target either to communicate sensitive information through interaction with the adversary or their malware, or to download and execute a malicious payload that installs malware on the victim system and establishes a beachhead that the adversary can leverage to move laterally throughout the organizational network and thereby compromise additional systems.
Source: “Fake News” Is “Old News” for Nation State and Mercenary APTs