A recent social engineering campaign with links to North Korea is showing just how complex a social engineering attack can get. As solutions come into being to prevent social engineering, social engineering attacks will get smarter and more complicated at the cost of limiting their scope. This increased minimum will reduce the number of coordinated attacks unless there’s something to gain from it. Most smaller targets will see little change overall, but bigger targets will get more sophisticated attacks. The era of deepfakes and easily spoofed communications has shown the world just how much trust we put in another person’s word.
Social engineering is nothing new by any stretch, but the standard security arms race has reached a crescendo for tension. Smash and grab doesn’t work without a heavy investment in exploits and luck. It’s harder to find a Windows zero-day that works for what you need than to call in as “John from accounting” to get a password. Watch how much (or little) someone is checked when they walk through a controlled entrance with a bright safety vest on. It doesn’t matter how secure your lock is if someone gives away the key first.
Let’s go over current events to see exactly what happened with multiple security researchers, then we’ll cover just how this sort of attack works. We’ll look into the implications of this sort of attack on security across the board. Finally, we’ll see how it can be prevented or at least reduced.
Targeting Security Researchers
Google found that a North Korean sponsored group has been targeting security researchers. The group used multiple social media accounts between Twitter and LinkedIn among others to establish “security researcher” personas. They linked to their blog and posted video “evidence” of exploits they had used. At least one of the videos was fake (the others aren’t confirmed one way or another), but they were enough of a hook to get their target(s) interested.
After an initial outreach, they would invite their mark to collaborate on security research for their blog. They provided a compromised Visual Studio project to create a compromise on the researcher’s system. Their blog also had certain exploits which could compromise visitors.
The threat actors employed a large number of communication channels to worm their way in with their targets. They also created a large network of linked accounts faking a larger social media presence and helping provide a “third party” to dispel scrutiny. This methodology is highly effective and parallels how some (sleazier) social media presences succeed or perform damage control. By coordinating several “different” research groups to confirm results, they could effectively control the narrative enough to hook a more curious mark.
How This Attack Works
Despite the higher risk and large ante, targeting security researchers is a great move for a larger hacking group for several reasons. First, it reduces the complexity of expectation from the researcher. If you’re working with someone to exploit Windows, you’re not going to be surprised when something in the code is extremely suspect. Should you not follow the golden rules of security testing and keep your test and research environment completely separated from your personal environment, you run the risk of letting an exploit in one impact the other.
Secondly, by using a novel social engineering technique to target researchers, they created personas which were believable. The threat actors provided a compelling reason they were reaching out and a believable benefit to the targeted researchers. Adding more personas to support the originals served to control the narrative making their more extraordinary claims more palatable. It’s one thing to claim to have some novel exploit, it’s another entirely when “peers” back it up.
These factors are further compounded by the fact that this attack used so many different avenues to fake authenticity. This attack had a large initial investment to even have a potential chance to succeed. It’s hard to verify a stranger. You aren’t dealing with someone claiming to be “John” down in accounting needing a trivial password, you’re dealing with a whole faked social web.
Add to this that it created an environment that seemed both plausible and believable to reel their targets in. Some of my smaller personal projects get virtually no traffic compared to a low-effort, mediocre security blog and I get continuous interest in collaboration. It’s no real jump in plausibility that a security researcher or group would be interested in collaboration. We aren’t dealing with a first day WordPress blog; it’s an established presence which has worked to generate clout in the industry.
This attack will (or at least ideally should) make technical professionals revisit how much they trust uninitiated communications. Is someone reaching out to you as part of a multi-step attack or are they a genuine user? With social media, it’s easy to fake a presence on the internet that looks legitimate. Add in a novel exploit or two, and you can earn trust and succeed in your goals.
I also expect we’ll see more meta-hacks, that is, hacking to obtain information about hacking. There really wasn’t a losing case for this type of exploit outside of the cost. If our threat actors worked with a researcher but were unsuccessful in compromising them, they got intelligence on what their marks were actively researching. Ideally though, they were able to gain intelligence on everything or at least a large subsection of what their targets had and were using.
Most attacks have some sort of monetary goal, but these threat actors are more interested in gaining access to tools to perform more attacks (for monetary gain or similar). MSP’s and MSSP’s will probably see more attacks like this to gain access to business intelligence, clients, or their internal workings. While some groups will still just want to phish or smash and grab, bigger players will be looking for more.
Breaches at this level are about an overall strategy working towards a larger goal. The standard risk to reward analysis for security becomes a bit too one-dimensional of a metric for safety. What do you have that someone could want and how much are they willing to spend to make it all succeed? You have to pay more attention to the meta-game behind exploits. You may be a small fry overall, but what happens when you serve a vendor that works with a company that is partners with another business that a nation state level group is targeting?
I’m not surprised at all that this happened. While it’s easy to say what you would have done better after the fact, it’s hard to know how to confront the unknown. Simply put, the researchers could have done more to prevent this from being as big of an issue, but it would have required adding an extra layer of tin foil to their hat.
Now that we know this is a valid tactic, it’s a bit less crazy to be a little more paranoid. You have to think of more than just how much you’re worth as a target, but how much is everything you possess or have access to worth? If you run an MSP, what do your clients do and what kind of trade secrets or similar do they potentially have? What access do they have to other clients or customers? The actual client may be near useless when exploited, but the access they have may not.
How do you handle unsolicited communications personally and for your job? Should you trust every potential vendor who wants you to start a Zoom meeting or have you run a demo? A target may be more valuable for their access rather than their actual use so what happens when a threat actor targets an employee personally and they open that compromised email at work? The less access any given element has which isn’t essential, the more resistance there is. A threat actor will prefer the path of least resistance, so what are you doing to make sure you aren’t it?