
Social Engineering: Tried and True


By Nathan Santiago

One of the oldest forms of offensive intelligence practice, and the one most often taught defensively, is the art of social engineering. As preventative measures and general awareness of this threat have increased, so have the attack vectors used by malicious actors. In the 1970s, Kevin Mitnick performed his first ‘hack’ against the Los Angeles Rapid Transit District (RTD) bus system by realizing that the only materials he needed to unlock free transportation were a specialty ticket punch and a pad of blank transfer slips. Mitnick spent a lot of time riding the bus in his youth, purchasing tickets for 25 cents and the return or transfer ticket for an additional 10 cents. One day while riding the bus, he figured out how the punches were spaced and oriented on the transfer tickets to encode the date and direction of the route each ticket granted. Once he understood how the tickets were read, all that was needed were the physical materials to write his own passes and ride for free.

Kevin Mitnick performed his first social exploitation on the bus driver by convincing him that he simply wanted a punch to make “the interesting shapes that the punch made” on a cardboard school project, to which the bus driver obliged. Once he had the address of the store which sold those punches, he convinced the cashier at the checkout counter that the punch was a Christmas gift to his father who was also a bus driver. He now possessed the exact punch used by all of RTD and only needed a pad of blank transfer tickets to begin writing his own bus passes as a 12-year-old boy. Mitnick capitalized on the inherent laziness of people and took to his first dumpster dive at the bus depot where he found exactly what he was looking for, a pad of blank transfer tickets.

By deceiving two unrelated parties and using critical thinking to figure out how to find and mark blank transfer tickets, Kevin Mitnick gained unlimited access to the Los Angeles RTD bus system at 12 years old. While this was a simple attack that was not intentionally malicious, the ability of modern threat actors to aggregate information and orchestrate a deceitful narrative has grown greatly since the 1970s. With the proliferation of technology in our day-to-day lives, it is easy to find out the daily routine and social or professional connections of almost anyone without breaking into a single computer or violating a privacy law. Once an attacker knows enough about a target to perform a directed social engineering attack, or ‘spear phish’, it can be difficult for even trained users to identify the message as fraudulent and malicious.

Modern Examples of Social Engineering

Recently, over 100 Ukrainian government devices were compromised in a mass phishing campaign where threat actors posed as Ukrainian Secret Service personnel to target government employee accounts:

“On Aug. 12, Ukraine's Computer Emergency Response Team (CERT-UA) discovered a mass distribution of emails carrying malicious software posing as the country's Security Service (SSU). The emails contain a link to download a file called "Document.zip" that, once clicked on, triggers a download of the MSI-file. This file launches a malware called ANONVNC that, when opened, allows attackers to gain unauthorized access to a victim's device. CERT-UA has identified more than 100 affected devices within central and local government bodies and urges everyone to be cautious and attentive. It recommends that users contact CERT-UA if suspicious of any activity” (DarkReading).

This attack was the result of a sophisticated phishing campaign launched in July 2024 by an attacker group currently tracked as ‘UAC-0198’ by the Computer Emergency Response Team of Ukraine (CERT-UA). CERT-UA believes this attack was a continuation of a recent series of attacks attributed to the groups tracked as ‘UAC-0102’ and ‘UAC-0057’, all of which aimed to compromise user accounts and install backdoors on government systems. In a public announcement on the Ukrainian state website, the CERT-UA team said the following:

“It is appropriate to assume that the objects of interest of UAC-0057 could be both project office specialists and their "counterparts" from among the employees of the relevant local self-government bodies of Ukraine” (CERT-UA).

In the attack attributed to UAC-0057, CERT-UA recorded a surge of distributed documents containing macros intended to launch the PICASSOLOADER malware, which acted as a conduit to deliver a Cobalt Strike Beacon to the victim’s computer.

“Cobalt Strike is a powerful tool that is used to replicate the tactics and techniques of long-term embedded attackers in red teaming engagements and adversary simulations. Known for its signature payload, Beacon, and its highly flexible C2 framework, Cobalt Strike is ideal for performing post-exploitation tasks and can be easily modified with custom scripts, adjustable attack kits, and user-created extensions” (Cobalt Strike).

Unfortunately for the victims, the Cobalt Strike Beacon uses malleable C2 profiles that allow attackers to shape its communication patterns so that the traffic appears legitimate. By disguising its GET and POST requests over HTTP/HTTPS or by using DNS tunneling, the malware greatly reduces its visibility to detection systems. This complicates efforts to identify malicious activity, as the traffic blends in with regular network communications.

UAC-0102 performed a series of phishing attacks that propagated malicious HTML attachments mimicking the login page of the popular Ukrainian email provider UKR.NET in an effort to steal users’ login credentials. According to CERT-UA, the attackers targeted the accounts of government employees in a similar fashion to the most recent attack by UAC-0198, although the final payloads varied from attack to attack.

Although the true identity of the attackers has not been confirmed and CERT-UA has not released any official attribution, it is suspected that these attacks were carried out by subsidiaries of the Russian state-sponsored group known as Sandworm. These groups targeted the Ukrainian email provider UKR.NET because many public email providers do not employ the same email scanning services that corporate or government email providers use. Per the Bilateral Security Agreement Between the United States of America and Ukraine, CERT-UA has provided the file, network, and host indicators of compromise to the USA and other allies so they can be added to malware detection and prevention services.

While Ukraine has been the primary target of these specific attacks, phishing-based data breaches happen around the world on a daily basis. Fortunately, most of the major email providers in the United States use anti-phishing services to detect fraudulent emails and scan attachments for malware signatures before allowing a user to download or open them. However, threat actors have become increasingly stealthy, and newly created malware will not have a recognizable signature until it has already caused a breach and been reported.

Defense Strategies

Defense against these threats requires a multi-layered approach that combines technical defenses, user education, and organizational policies. Per the National Institute of Standards and Technology (NIST) guidance, organizations should perform the following to protect themselves against phishing-related data breaches (NIST):

NIST Recommendations:
  • Teach employees how to spot and report a phishing attempt.
  • Recognize that phishing can occur via text messages, phone calls, or social media.
  • Deploy and maintain antivirus software.
  • Utilize email filters and security technologies.
  • Enable multi-factor authentication (MFA).

The first line of defense against social engineering and phishing attacks is user awareness. Although some form of training is common in almost any modern organization, specialized and current cybersecurity training is essential for equipping individuals with the knowledge and skills needed to recognize and avoid phishing attempts. Employees should be trained to identify common phishing tactics, such as urgent requests, suspicious URLs, and unexpected attachments from seemingly familiar or authoritative sources.

Should an employee suspect that they have fallen victim to a phishing attack, they should immediately report it to their direct manager and security administrator so that the proper recovery actions can take place. If the security administrator is unavailable, the next best option is to disconnect the compromised device from any organizational networks to isolate the system and prevent the propagation of malware.

Phishing attacks are not limited to email; they can be delivered as links or pop-up ads in text messages, social media, or websites. These social engineering attacks can also be performed in person, over phone calls, or through any other means of communication that is not computer-based, as we observed in the story of Kevin Mitnick. During any communication with an unfamiliar or suspicious party, it is better to err on the side of caution.

Cybersecurity education should highlight the importance of verifying the legitimacy of communications. If an employee receives an email that appears to be from a known contact but contains unusual language, images, or an unexpected attachment, they should not reply to or interact with the original message in any way; rather, they should verify the authenticity of the message through an alternative channel such as a phone call, a message on the organization’s internal messaging platform, or a separate new email to the sender. This simple verification step can prevent many impersonation-based phishing attempts from being successful.

One of the most effective ways to protect against phishing attacks is to deploy and maintain up-to-date anti-virus software on your systems. As the end goal of many phishing attacks is to install malware on the victim’s computer, these technical controls add an extra layer of defense against any malicious links or attachments that a user may be tricked into opening. For an additional layer of security, installing a host intrusion detection system (HIDS) or network intrusion detection system (NIDS) can alert you to a suspected intrusion so that the proper actions may be taken.

Email filters are another excellent form of protection against phishing attempts. Many email services offer configurable filters that can stop phishing attempts from reaching a user’s inbox, removing any opportunity for the user to be tricked into clicking malicious links or attachments. Email authentication technologies such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) further enhance email security by verifying the origin of emails and rejecting messages that appear to be spoofed.
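As an added example that is not part of the original post, the following Python script parses SPF and DMARC TXT records and flags the permissive settings (an SPF record ending in ‘+all’, a DMARC policy of ‘p=none’, no aggregate reporting address) beside their hardened equivalents. The domains and records are constructed for illustration; in practice the records are fetched from DNS for the domain and its `_dmarc` subdomain.

```python
# Added example: flags weak SPF/DMARC settings. Records below are constructed;
# in practice fetch the TXT records for <domain> and _dmarc.<domain> from DNS.
SAMPLE_RECORDS = {  # constructed sample data for hypothetical domains
    "weak.example": {"spf": "v=spf1 include:_spf.mail.example +all",
                     "dmarc": "v=DMARC1; p=none"},
    "strong.example": {"spf": "v=spf1 include:_spf.mail.example -all",
                       "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example"},
}


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a lowercase-keyed tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_findings(record):
    """Warnings for an SPF record; the trailing 'all' qualifier decides spoofability."""
    if not record.lower().startswith("v=spf1"):
        return ["not an SPF record"]
    last = record.split()[-1].lower()
    if last in ("+all", "all"):
        return ["'+all' lets any host send as this domain"]
    if last == "?all":
        return ["'?all' is neutral; receivers will not fail spoofed mail"]
    if last == "~all":
        return ["'~all' only softfails; prefer '-all' once all senders are listed"]
    return []


def dmarc_findings(record):
    """Warnings for a DMARC record; p=none reports spoofing but does not block it."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: spoofed mail is still delivered, only reported")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam; move to p=reject")
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports are received")
    return findings


def audit(domain, records=SAMPLE_RECORDS):
    """SPF plus DMARC findings for one domain; an empty list means hardened."""
    rec = records[domain]
    return spf_findings(rec["spf"]) + dmarc_findings(rec["dmarc"])
```

Running `audit("weak.example")` lists the three weaknesses, while `audit("strong.example")` returns an empty list.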

Additionally, using services that provide a file scanning function adds a layer of protection by matching attachments against known malware signatures. However, this is not a foolproof strategy: new forms of malware are created daily and may not yet be included in the signature lists, so it is important that these services are kept up to date. The safest option is to not click on any links or open any attachments unless you are absolutely sure of the origin and validity of the sender.

Enabling multi-factor authentication (MFA) is another effective way to secure accounts in the event that users fall for a fraudulent HTML login page such as the ones used by UAC-0102. Should their credentials become compromised, the attacker will still be unable to access the account, since a second form of verification such as a smartcard, hardware security key, third-party MFA application, or biometric scan is required before access is granted. NIST advises against using phone-call or SMS-based MFA, as attackers can take over a victim’s phone number through the mobile provider in an attack known as a SIM swap.

Defending against social engineering and phishing attacks requires an in-depth layered approach that combines user education, technical defenses, and organizational policies. By creating a culture of cybersecurity awareness, implementing robust technical measures, and preparing for potential incidents, organizations can significantly reduce their attack surface to these increasingly sophisticated threats. In the constantly evolving landscape of cyber threats, a proactive and multi-layered defense strategy is the best way to protect sensitive information and maintain the integrity of critical systems.

Sources: