The Art of Deception: Exploring the Parallels Between Cyber Espionage and Intelligence Social Engineering

As the digital landscape continues to evolve and cyber-attacks surge, social engineering plays a pivotal role in a wide range of malicious activity, including phishing, smishing, spear phishing, ransomware attacks, and identity theft. Interestingly, the techniques employed in these cyber exploits bear a striking resemblance to the methods intelligence agencies use to identify and recruit potential assets, or to trick targets into revealing information about their location, plans, contacts, and more.

Though I no longer work for the Canadian Security Intelligence Service, my interest in all things Intelligence-related has remained. Shortly after my retirement, I decided to delve into the world of Cybersecurity. Like many, I realized then—and am even more cognizant now—that the digital world is a burgeoning frontier of potential exploitation for foreign and enemy states. This has been recently highlighted in the data breach of Global Affairs Canada, which I commented on in the CTV interview (add link).

During my career as an Intelligence Officer, my primary role was to identify and investigate threats to national security while simultaneously recruiting human sources to provide information related to these threats. As I continued my educational journey into the world of cybersecurity, I recognized major comparisons between cyber-based social engineering techniques and how national security targets are approached.

Cyber espionage is not that different from real-world clandestine activity. Both cyber attackers and intelligence organizations lean on the art of social persuasion and manipulation to achieve their goals. This tactic is known as “social engineering”: by applying the right amount of pressure in social interactions, an intelligence professional or cybercriminal can get what they want.

With these two easily comparable methodologies in mind, I will delve into the intriguing intersections of social engineering in cyber-attacks and intelligence targeting. This exploration aims to provide a better understanding of why social engineering succeeds in both the cyber realm and the world of intelligence, since both rest on very similar principles.

What is Social Engineering?

To understand why the techniques discussed in this article work, we must first understand what social engineering refers to. Social engineering involves psychological and manipulative techniques employed by malicious actors to exploit human vulnerabilities. The goal is to persuade individuals to disclose sensitive information, perform actions, or make decisions that compromise security. It involves exploiting human psychology, trust, and social interactions rather than relying on technical vulnerabilities.

These techniques often leverage aspects of human behavior, such as trust, authority, fear, curiosity, or urgency, to bypass security measures and gain unauthorized access to systems, data, or physical locations. Social engineering attacks often target individuals within an organization, seeking to exploit their trust, emotions, or cognitive biases to achieve malicious objectives.

The overarching goal is to manipulate people into divulging confidential information, performing actions, or making decisions that benefit the attacker.

Understanding How Cyber Espionage and Social Engineering Interact

Cyber espionage—the digital counterpart of traditional espionage—involves the clandestine acquisition of sensitive information through cyber means. This covert activity shares striking resemblances with the tactics employed in social engineering attacks, where manipulation and deceit play pivotal roles.

In a traditional espionage case, where an intelligence organization is looking to acquire information from a foreign government entity, a group of individuals within the intelligence organization (a targeting cell) would look to identify the “who”—the person within the organization or department who has access to what is being sought. Once this list of potential recruitment targets is identified, a list of potential compromises for each “candidate” is compiled, and a plan to acquire access to the recruitment target is then put into place.

What is Human Source / Target Recruitment?

Human source/target recruitment refers to the strategic and systematic process employed by intelligence organizations and professionals to identify, approach, and develop relationships with individuals who have access to valuable and highly sensitive or classified information. This is known as cultivation and recruitment in the intelligence world.

This process involves careful selection of the target, thorough research, and the gradual establishment of trust. The aim is to recruit human sources, agents, or assets who willingly or unknowingly provide confidential information or assistance to the recruiting intelligence agency.

This can be done through direct and honest identification of the intelligence agency and its goals or through deception, such as a false-flag operation where an intelligence organization represents itself as something it is not. A “honeypot situation” or a business cover are examples of deceptive means to acquire and recruit the target.

Phishing, a prevalent social engineering technique in cyber-attacks, has a close counterpart in the intelligence community’s efforts to recruit sources. Just as cybercriminals craft deceptive emails to trick individuals, intelligence agencies employ subtle persuasion to turn potential assets into access points to information.

As previously exemplified, the same approaches used by intelligence agencies—including false representation under the guise of business, romance, government department, or oversight body—are all used in various iterations for phishing, smishing, or dating site interactions (the digital version of a honeypot situation).

Real-Life Examples

The infamous APT29 cyber espionage group, also known as Cozy Bear, is a Russian hacker group believed to be associated with the Russian intelligence community, specifically the Russian Foreign Intelligence Service (SVR) and the Russian Federal Security Service (FSB). APT29 is known for its state-sponsored activities and exemplifies the fusion of social engineering and cyber-attacks. By employing tailored phishing campaigns, APT29 has successfully infiltrated organizations, mirroring the tactics intelligence agencies employ to compromise high-value targets.

As far back as mid-2015, APT29 was orchestrating cyberattacks against the Pentagon. The group is linked to spear-phishing attacks against the email system that caused the entire unclassified email system of the Joint Staff of the Pentagon to be shut down. This illustrates not only how APT29 used social engineering to help determine who could have access to information of interest, but also how the discovery of its actions produced a secondary result: users were denied access to the system. Essentially, this was a form of sabotage.

In 2017, both the Dutch and Norwegian governments identified attempts by the Cozy Bear group to use spear phishing and hacking techniques to acquire access to sensitive, classified, and secret government documentation.

Social Engineering and Intelligence Approaches – A Comparison

As outlined below, there are many similarities between social engineering, target cultivation, and recruitment.

1. Target Selection

In spear phishing attacks, cybercriminals methodically select their targets based on factors such as job role, access to sensitive information, or personal vulnerabilities. By doing a deep dive into an organization’s personnel chart, a hacking group can determine who likely has access to human resources or information technology systems. By cross-referencing this information with who the immediate managers or executives are, a spear phishing email can be written and sent to the unsuspecting target—with messaging conveying urgency to provide information or access to an account.

Similarly, intelligence agencies identify individuals who may possess valuable, sensitive, or secret information or have access to influential networks. The art of target selection involves a keen understanding of the target’s motivations, vulnerabilities, and potential for exploitation.

Weeks, months, and years go into identifying and understanding the hierarchy of an enemy intelligence organization or a terrorist group. Like any company or corporation, these entities need money, training, facilities, equipment, communications, etc.—and as such, these requirements can be exploited through the personnel who have access to them. With these potential exploitations in mind, an intelligence organization will select the intended target most likely to provide that access.

2. Tailored Approaches

Much like spear phishing, where attackers customize their messages to appear legitimate and appealing to the target, intelligence agencies employ tailored approaches to recruit assets or gain access to targeted groups or individuals.

This involves understanding the recruitment target’s background, interests, and potential leverage points. The goal is to create a compelling narrative that aligns with the target’s motivations, whether it be financial gain, ideological alignment, or a desire for personal advancement.

3. The Art of Manipulation

Social engineering, at its core, is the art of manipulating individuals into divulging sensitive information or performing actions that compromise security. This can be anything from giving up usernames, passwords, or credit card information to buying and sending gift cards or paying a fictitious company a large sum of money.

In the intelligence world, a similar art is employed to identify and recruit potential agents or sources. Intelligence professionals are constantly observing body language, building rapport, and probing for information that would give them better or greater access to the potential source or recruitment target. Both endeavours rely on understanding human behaviour, exploiting vulnerabilities, and crafting persuasive narratives.

In an email from a cyber hacking group, this could involve invoking a sense of urgency with the dread of having made an egregious error. Take, for example, the spear phishing email to the head of accounting, informing them that a payment to a new client didn’t go out on time, and that the project will not proceed until the payment has been made. Include the fact that the senior executive in charge of the project is going to fire whoever missed the payment, and you have a perfect mix of fear and anxiety that leads to the target sending potentially millions of dollars to a fictitious account.

For an Intelligence professional, the recruitment of a target could hinge on the individual’s concern that an act of terrorism may occur if they don’t provide needed information on the terrorist group’s activities and plans. The fear of knowing that they could have prevented the loss of life for hundreds of innocent people may be the leverage needed for the Intelligence Officer to acquire the information and recruit the target.

4. Exploiting Trust

Both social engineering and intelligence recruitment hinge on trust. Phishing attacks often involve impersonating trusted entities or individuals to deceive targets. On the intelligence side, this may involve an Intelligence Officer seeking to gain the trust of a potential human source or, in an undercover situation, manipulating the narrative so that the target believes their false story.

In the case of phishing attacks, the hacking group may use Artificial Intelligence to simulate the voice and speech pattern of an executive and persuade an employee to hand over login credentials or reset them on the caller’s behalf. The target trusts that the caller is who they claim to be because they recognize the voice.

Alternatively, an intelligence professional who identifies themselves to a target may share information that only the target would know, demonstrating that they have access to material available only to someone with a high-level security clearance. The intelligence professional may indicate that they are aware of the target’s affiliation with the enemy intelligence organization or the terrorist group but state that they aren’t interested in them—only in the group or another individual. Likely, this is a lie, but that manipulation of trust is used to disarm the target into thinking they aren’t the primary target.
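The pressure levers of section 3 (urgency, fear of blame, a payment request) and the impersonation lever of section 4 are exactly what a defender’s mail-gateway or SOC heuristic can look for. The following Python example is added here and is not from the original article or from any product; the executive directory, domains, sender addresses, phrase lists, weights, and both sample messages are constructed for illustration, and the scoring favours a known executive’s display name arriving from an unexpected address because that is the trust lever the fraud depends on.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory: executives an impersonator might pose as and their real addresses.
EXECUTIVES = {"dana rivera": "dana.rivera@example-corp.test"}

# Pressure phrases matching the levers the article describes: urgency, fear, money, secrecy.
PATTERNS = {
    "urgency": re.compile(r"\b(immediately|asap|urgent|today|didn'?t go out on time)\b", re.I),
    "fear": re.compile(r"\b(fired?|terminated|disciplinary|whoever missed)\b", re.I),
    "payment": re.compile(r"\b(wire|transfer|payment|invoice|new bank account)\b", re.I),
    "secrecy": re.compile(r"\b(keep this (?:quiet|confidential)|do not (?:discuss|tell))\b", re.I),
}
WEIGHTS = {"exec_impersonation": 4, "reply_to_mismatch": 2,
           "urgency": 1, "fear": 2, "payment": 2, "secrecy": 2}

def score_bec_indicators(raw: str) -> dict:
    """Score one plain-text RFC 822 message; a total of 5 or more holds it for a callback check."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    found = []
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:   # known executive's name, unexpected address
        found.append("exec_impersonation")
    if reply_to and reply_to.lower() != addr.lower():  # replies diverted elsewhere
        found.append("reply_to_mismatch")
    found += [label for label, pat in PATTERNS.items() if pat.search(text)]
    score = sum(WEIGHTS[label] for label in found)
    verdict = "hold for verification" if score >= 5 else "deliver"
    return {"indicators": found, "score": score, "verdict": verdict}

# Constructed sample modelled on the accounting scenario in the article (not a real message).
SUSPECT = """From: Dana Rivera <dana.rivera@example-corp-mail.test>
Reply-To: d.rivera.exec@webmail.test
Subject: Client payment didn't go out on time

The project will not proceed until the payment has been made. Wire it today.
Whoever missed the payment is going to be fired.
"""

# Constructed benign message from the executive's real address, for comparison.
BENIGN = """From: Dana Rivera <dana.rivera@example-corp.test>
Subject: Q3 budget review

Could you put the Q3 figures on the shared drive before Friday? No rush.
"""
```

A held message is a prompt for the out-of-band callback to the executive’s known number, not a verdict on its own; the phrase lists are a starting point to be tuned against an organization’s own mail.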

5. Covert Operations

In the cyber realm, attackers operate covertly to avoid detection and maximize the impact of their exploits. Many cyber espionage groups work in teams to develop software that exploits vulnerabilities in a system. Once the software is completed and tested, other members of the group identify potential targets and reach out to them to set the trap and collect the spoils.

This can be anything from a spreadsheet document infected with malware and sent to an accounting department with the subject line: “Someone needs to fix this,” to a link to a video with the subject line “My daughter’s piano recital.” Again, we have two variables used in social engineering—one invoking anxiety, and the other invoking a sense of parenthood and pride.

Intelligence agencies follow a similar playbook, with groups of individuals working on various investigations to conduct operations discreetly. As some members work to identify potential asset recruitments, others try to identify groups or individuals who pose a potential threat to national security or who can provide some form of economic, political, or military advantage to their country. This work is done in secret to protect the identity of their assets and maintain the element of surprise.

Seeing the Parallels

The motives of cybercriminals and cyber espionage groups are merging in the muddied waters of intelligence-sponsored cyberattacks. A better understanding of how social engineering techniques are used, coupled with the motivations of hostile foreign intelligence organizations, demonstrates just how intertwined these groups are becoming.

As we navigate an increasingly interconnected world, the convergence of cyber threats and traditional intelligence operations becomes more evident. The insights gained from understanding these parallels can serve as a valuable tool in enhancing cybersecurity measures and fostering a deeper comprehension of the multifaceted challenges posed by social engineering.

At the Global Intelligence Knowledge Network, our mission is to shed light on the intricate world of intelligence. Visit our website at www.globalintelligenceknowledgenetwork.com for more in-depth analyses and insights.
