Large scale, targeted cybercrime on social media has become so mainstream that Russia now uses it to spread malware throughout the United States government.
On May 18th, Time Magazine reported that Russian operatives used Twitter to spearphish and distribute malware to thousands of United States Department of Defense employees. This attack, which occurred in 2017 following instances of alleged election meddling, represents a major advancement in cyber capabilities and an escalation of Russia’s cyberwar against the US. No longer is this a broad, viral campaign to spread propaganda and fake news, but a targeted cyberattack directed specifically against the United States government.
Cybercrime on social media is nothing new, but this is the most well-organized, coordinated attack at the nation-state level we’ve ever seen. Over 10,000 custom phishing messages were sent, each link laced with malware enabling the attacker to access and control the victim’s device. In over a half decade of tracking thousands of advanced social media campaigns, ZeroFox has never witnessed a more systematic and coordinated operation. It’s harbinger of things to come.
The potential damage of the attack takes many forms. One is the most obvious: the traditional network breach, in which sensitive government data is exfiltrated by Russian intelligence agencies, for purposes of cyber espionage, blackmail or public leaks. The even scarier fallout has to do, again, with social media. If Russia had access to post from thousands of Defense Department accounts in one fell swoop, they could go well beyond fake news and misinformation. Russia could engineer an entire fraudulent crisis, reported, corroborated and spread by US citizens. They could announce a fake act of war, sink American stocks, claim the President was assassinated or launch any other nefarious plot they could dream up.
Social media is a incredibly effective attack delivery method for several reasons. Most significantly, social networks are open platforms on which anyone can instantly send a malicious link to anyone else with an account, from the President of the United States to your grandmother. An adversary can footprint an entire organization with nothing more than a LinkedIn search query for “Department of Defense.” Once they acquire their targets, a successful attack can be waged in under 140 characters and less than 30 seconds.
Crafting a targeted phishing message on social media is even easier than it is on email because the victim often broadcasts their personal interests and hobbies. A quick scroll through their historical tweets and other public profile information gives the attacker more than enough intel to craft a message tailored to their victim. This drastically increases the clickthrough rate and thus the effectiveness of the attack. Further, people aren’t yet skeptical of suspicious social media accounts; people have learned to avoid “Nigerian Prince” email scams and email-based malware, but no one thinks twice before clicking their “friend’s” shortened link leading to who-knows-where.
Creating fraudulent accounts on social is also trivial. Security researchers have shown time and again how effective a fake persona can be for infiltrating a group, gaining trust, and disseminating a stealthy cyber attack. This is almost certainly how these Russian operatives conducted their campaign. They created fraudulent accounts that resembled users that employees in the Department of Defense are accustomed to interacting with. They may have impersonated real government workers or invented personas of lobbyists, military members, lonely housewives or even simply attractive DC locals.
As audacious as this attack was, we’re not surprised it took place. In a BlackHat presentation last year, ZeroFox Research created and demonstrated how a bot powered by artificial intelligence, called SNAP_R, could automatically ingest data from a target’s Twitter history, generate a custom spearphishing message and deliver a malicious link. In the study, the ZeroFox link merely redirected to Google, but the proof of concept was clear: social media is ideal for launching targeted cyberattack with very little technical overhead.
As with the WannaCry ransomware last week, this attack is a loud wakeup call for security practitioners at the nation-state level, the enterprise level and even privacy-conscious consumers seeking to protect their devices. Cybercrime has found a new home on social media, where it’s outside the network, uncontrolled, unmonitored and difficult to remediate. Any cybercriminal, be they Russian or American, technical or nontechnical, politically motivated or financially motivated, can create a highly-effective attack campaign in minutes.
To learn more about protecting social media accounts — brand, executive, employees or otherwise — for only $20/month, talk to a ZeroFox expert now.