Early last week Google’s Threat Analysis Group (TAG) posted a blog outlaying a nation-state attack targeting security researchers. Using social engineering and social media these threat actors were able to create “credibility” within the industry. They claimed false credit for vulnerabilities and interacted with researchers under the guise of wanting to “collaborate” with them on new exploits.
Why would a nation-state threat actor care about security researchers?
As we continue to move more into the digital landscape, security researchers have become the “superheroes” of the modern world. The work that is done by the community not only helps uncover 0-days, but also remediation for threats that already exist. This isn’t exclusive to the private sector either. Many of these talented people’s findings have been assets to national security as well. Because of this, they are very attractive to nation-state attackers. This is why we as a community has to adopt more of a cyber defense mindset. While cyberwarfare has been an ongoing problem, it has become more prevalent in civilian life the last couple of years.
Social Engineering - Exploiting the Human Element
One of the reasons the FireEye and SolarWinds attacks were so shocking was not only the sheer scale of it, but also that they were tech and security companies. We take for granted that even the most locked down of companies, and people for that matter, aren’t impervious to these attacks. These threat actors used multiple social media accounts to propel their own content. What’s more, they used the guise of collaborating as a means to get ahead. Our industry is built on collaboration. We are all more secure when we work together. It’s very common for researchers to collaborate, so this method was extremely effective. Any security professional will tell you the biggest threat to their organization is people. Simple human error, or in this case misplaced trust, can cause unintentional vulnerabilities.
On top of the social engineering – these nation-state attackers had a multi-prong approach. We all talk about cyber defense in depth, and this was an exact 180 of that. The video with the malicious executable code was one way. They also had a backdoor in their blog itself. What’s more – they had multiple channels of distribution. Not only social media platforms, but direct messaging channels such as Telegram were involved in this. This was a very targeted and sophisticated attack plan.
Another side of disinformation
It is common for security researchers and professionals to have secondary or “sock puppet” social media accounts to preserve anonymity online. This is due to the nature of their work, and also general want for privacy. Because of this it can be difficult to tell the difference between a malicious sock and a legitimate one. This particular attack is another example of how disinformation can be a cyber defense problem as we discussed in a previous blog. When it comes to social media, the concept of “trust but verify” is pertinent. Spotting a typical bot can be obvious. But when we’re talking about multiple accounts and account types being run by actual people, they can be harder to spot.
Understanding the nation-state attacker
This exploit is one of many examples of why it is important to have nation-state grade expertise in your back pocket. The nation-state threat actor’s motivations are different, and oftentimes more sophisticated than your typical attacker. For instance, a ransomware builder is typically financially motivated. A nation-state attacker is more threat intelligence and reconnaissance minded. This is why understanding their tactics and techniques can help increase cyber defense. When you know what they are doing, it is easier to spot and thus easier to defend against it.