It seems that it is hard to turn on the news without hearing another report about Chinese hackers. According to some reports, the Chinese have shown time and time again that they are a force to be reckoned with when it comes to cyber warfare. Recent investigations have shown that, perhaps, the Chinese Army is even responsible for many government and corporate secrets being siphoned from U.S. networks.
Mandiant, a cyber security research firm, released a 60-page document last month that details the rampant hacking against U.S. companies from just one group of Chinese hackers in operation since 2006. Their report states that “hackers have stolen hundreds of terabytes of data, including technology blueprints, proprietary manufacturing processes, business plans and partnership agreements.” Dan McWhorter, head of Mandiant’s Threat Intelligence Business Unit, said, “They’ve compromised over 141 corporations across 20 different industries and stolen just a wealth of intellectual property…”
How have the Chinese been so successful at ravaging U.S. government and corporate secrets? The answer, according to Mandiant, is Social Engineering.
Jennifer Martinez, from The Hill, reports:
The APT1 hackers were able to crack into American companies’ computer networks and systems by targeting “human weakness,” according to [Mandiant founder, Kevin Mandia]. They would send emails to a company’s employees that appeared to be from someone they knew and the message would prompt those workers to click on a link or PDF file laced with malware. This would allow the hackers to get access to an employee’s computer.
This method of attack should be familiar to all of our readers: it’s called spear phishing. Spear phishing, for the unaware, is a type of phishing attack that’s highly targeted and personalized. The proliferation of social media and our constant need to share our lives over the internet have made spear phishing one of the most devastating ways to attack a company, government, or organization.
Here’s how it works: Jack, the IT Director for Company Corp, is also a soccer coach for his son’s school team. Jack used his work email one day on prosoccertips.com/forum/ to share some of his knowledge in soccer and mentor other coaches. Hackers perform information gathering on Jack and find he coaches for Logan Elementary Soccer Team and is in charge of the game scheduling. Hackers craft a very specific email, perhaps forged to be from one of Jack’s players’ parents about a scheduling conflict, and include a PDF of a “calendar” with some “details”. The hackers make sure to send the email during normal business hours. Jack receives the email at work and, since he recognizes the sender and is heavily involved in coaching soccer, everything seems legit, and he clicks on the PDF. Owned. Now the hackers have remote control of Jack’s computers and network… and all the company data.
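A defensive triage check for the scenario above, added here as an example and not part of the original post: it flags a message whose display name matches a known contact but whose address does not, that did not pass sender authentication, and that carries a PDF. The contact "Dana Miller", all addresses, and the header values are constructed, and the substring test on Authentication-Results is a simplification of real header parsing.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: display name -> address the recipient has on record.
KNOWN_CONTACTS = {"dana miller": "dana.miller@example.org"}

# Constructed sample message modelled on the forged "parent" email.
SAMPLE = """\
From: "Dana Miller" <dana.miller@example-mail.test>
To: jack@companycorp.example
Subject: Scheduling conflict for Saturday's game
Authentication-Results: mx.companycorp.example; spf=fail; dkim=none
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi Jack, the details are in the attached calendar.
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="calendar.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

def triage(raw, contacts=KNOWN_CONTACTS):
    """Return the list of spear-phishing signals found in one raw message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    findings = []
    # A familiar name arriving from an address that is not on record.
    expected = contacts.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("display-name-mismatch")
    # Simplified: treat the sender as authenticated only if SPF or DKIM passed.
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=pass" not in auth and "dkim=pass" not in auth:
        findings.append("unauthenticated-sender")
    # A PDF attachment is common and benign alone; it matters with the above.
    if any((p.get_filename() or "").lower().endswith(".pdf") for p in msg.walk()):
        findings.append("pdf-attachment")
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```
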
Time and time again we hear reports of these attacks working. Social engineering depends on the trust between two people and the busy schedules most people keep. Blending those two things together means there is a higher risk of falling for one of these attacks. At the end of the day, these techniques are employed not just by the Chinese but by anyone who uses social engineering.
For us at Social-Engineer.Org, stories like this solidify our belief that Social Engineering is still the biggest threat today. Without education and the proper systems in place, it will be impossible to defend against. Stay safe. Till next time.