CISA issued a warning about a Russian advanced persistent threat (APT) group called Star Blizzard, describing the group’s long-game social engineering tactics.
The group creates fake email and social media accounts, contacts potential victims, chats about a non-threatening subject to gain the victim’s confidence, and only later launches the malicious part of the attack. I call this long-game social engineering.
In the course of my 35-year computer security career, I have had the unfortunate opportunity to be the target of more than a few APT long-game social engineering campaigns from different nation-states…mostly from the Russians and Chinese, but I am sure other countries have tried.
I do not know why I have been targeted by professional nation-state hackers. Perhaps it is just a normal expectation after writing for decades on how to fight cybercrime. Perhaps it is because I have frequently publicly criticized various nation-states (e.g., Russia, China, Iran, Korea, etc.) for their cybercriminal activity. Their crime today goes far beyond traditional nation-state activities, focusing on causing operational interruption of regular businesses, privacy invasions, and intellectual property theft.
Perhaps it is because I worked for Microsoft and other cybersecurity organizations in the past, and by compromising me, they can figure out what my organization and I are up to. I do not know. All I can say for sure is that I have been targeted by multiple nation-state actors over the years (some identified in the press or by the Department of Justice later on).
I do not think I have ever successfully been compromised by them (although no one can disprove a negative). Most have been easy to spot. Some harder. Either way, when they begin asking me to click on links, open documents, or start asking me to talk about particular non-public vendor technologies, I get suspicious.
Defenses
The number one thing we can all do is to create awareness of APTs and long-game social engineering. Not all long-game social engineering comes from nation-states; some “regular” scams looking for big payoffs use the same approach.
I regularly tell people (see the graphic summary below) to be highly suspicious of any new message asking you to do something you have not done before.
That advice works for 99% of social engineering and phishing attacks, but it does not work against long-game social engineering. The whole point of long-game social engineering is to establish a relationship that creates unwarranted trust the attacker can later abuse. By the time the malicious request arrives, it no longer seems unexpected. That is the entire reason they use this strategy.
So, make yourself and your users aware of long-game social engineering strategies. I am pretty much suspicious of any new email or social media connection that seems to want to get overly chummy right away. Especially if they are being too complimentary about my writings or work. It is great to have fans, but just know that I am always suspicious.
I am even more so if their profile picture is super attractive and they are overly flirty. I do not know if I have ever had someone actually flirt with me via email or social media, but I treat all such communications as suspicious.
I have had a few APTs offer to meet me in person in a city I will be traveling to next. Besides my wife not being especially thrilled to know I have “fans” who are excited to meet me, I do not expect anyone who likes my work in cybersecurity to be so impressed they are willing to spend hundreds of dollars to meet me. It screams desperate and not in a good way. It could be someone just wanting to have an affair, but I have a healthy level of skepticism, and just figure they are an APT scam and leave it at that.
Note to future APT: I think I would be more susceptible to long-game social engineering if the person was super unattractive. I treat all super attractive people as potential spies.
I think the key question I ask when someone compliments my work is: have they actually read or seen it? The APT fake profiles always compliment my work in a general way, but I can tell they have not really read it or do not understand it. Today’s generative AI is going to make APTs far better at saying the right things about the victim’s work or career, but so far I can tell the difference between a real fan complimenting my work and an APT attack pretending to like it.
Another tactic APTs try is opening with an interest in your hobby. They do not say they love your professional work; they say they love your chess game or your comic book collection, or that they also run marathons or scuba dive. Once they have you talking about your hobby, they switch to something in your professional work. They hope that their shared interest in your hobby is enough to get your guard down.
Not being social engineered comes down to being aware of the different types of attacks, in this case long-game social engineering, and of their common tactics. Here, that means unexpected contacts from people, often ultra attractive, who compliment your work or hobby before trying to get you to click on a link or open a document, or to reveal some confidential information. It goes without saying that you should never send embarrassing information or pictures to people you have never met in person. That has been used against many victims who became overly trusting of a complete stranger they had only met online.
When someone reaching out to me shows those signs, I will usually go research their account. How long has it been around? How many connections does it have? What is the posting history?
You usually cannot find out how long someone’s email address has been around, but I will do a Google or Bing search on the address and see what comes up. Real email addresses that have been in use for a while will turn up in previous email threads. Fake email addresses either return nothing or return the same language that was used in their messages to me. Sometimes the exact same phishing message they tried on me is returned.
If the account has a picture, I will do reverse image searches using Google, Bing or some other dedicated site, like Pixsy. Real people will show up several times with the same name, often with different, but similar looking images (like what would be expected over time). Fake accounts usually do not return anything or return shockingly different names.
If they claim to work for a particular company, I will call that company on a known good phone number and ask if the particular person works there. I have defeated a lot of regular phishing scams this way.
Be suspicious if they want to get you off the email channel or social media site quickly. I do not have real people trying to switch me to WhatsApp within 15 minutes of meeting me, but fake accounts do it all the time. They are trying to move you to a service with fewer protections and less tracking, outside whatever filtering and logging your organization has on email.
I have had APTs several times offer me fairly good money to reveal information about my company or to do something unethical that, if publicly discovered, would ruin my career. About ten years ago, a foreign “headhunter” offered me money to secretly place Russian company names and products in my writing without telling my employer (she called it “organic marketing”). I declined and told her it was unethical.
A year or two later, several other writers for popular computer magazines were discovered to have been doing that same “organic marketing”. The same headhunter had recruited them. I am sure they were otherwise good people and writers, but their writing careers were ruined and everything they had previously written was removed from the Internet. Gone with one mistake. Act ethically. Act as if whatever action you do may be revealed publicly, because it may. APTs are trying to get unethical leverage on you.
I am very suspicious of anyone who sends me unrequested links or documents, especially when they appear to be hosted on strange, unexpected locations. It is harder to spot this when the person you have been conversing with for weeks or months does it more casually and not right away. But in the APT cases I have had, I was already suspicious, and their unexpected offer for me to open new content just pushed my APT radar over the top.
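Several of the indicators in the last few paragraphs can be tracked mechanically across a long thread: a link hosted somewhere other than the sender’s own domain, an unrequested document, an early push to move to WhatsApp, or a question about non-public information. The script below is an added example written for this page, not code from the original post or from the CISA advisory; the phrase lists, addresses and the two sample threads are constructed for illustration. The point it demonstrates is the one made above: long-game attacks defeat the “suspect a brand-new contact asking for something” rule, so the reviewer instead reports the first time each kind of risky request appears in the relationship, however many weeks of harmless chat came before it.

```python
"""Added example (not from the original post or the CISA advisory): report
first-of-kind risky requests across a long message thread.

Long-game social engineering defeats the "be suspicious of a brand-new contact
asking for something" rule, so this reviewer keys on a different event: the
first time a given kind of request appears in the relationship, however old the
relationship is. Phrase lists and sample threads below are constructed for
illustration and would need tuning against real mail.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse


@dataclass(frozen=True)
class Message:
    when: datetime
    sender: str              # email address of whoever sent this message
    text: str
    attachments: tuple = ()  # attached file names, if any


# Hypothetical indicator phrasing (an assumption of this example, not from the article).
CHANNEL_SWITCH = re.compile(
    r"\b(whatsapp|telegram|signal|wechat|personal (?:email|number))\b", re.I)
NONPUBLIC_ASK = re.compile(
    r"\b(internal|unreleased|not yet public|confidential|roadmap|under nda)\b", re.I)
URL = re.compile(r"https?://[^\s<>()\[\]\"']+")


def sender_domain(address):
    """Domain part of an email address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def host_matches(url, domain):
    """True when the URL's host is the sender's domain or a subdomain of it."""
    host = (urlparse(url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)


def classify(message):
    """Yield the indicator kinds present in one counterparty message."""
    domain = sender_domain(message.sender)
    if any(not host_matches(u, domain) for u in URL.findall(message.text)):
        yield "link_off_sender_domain"   # content hosted where the sender has no obvious control
    if message.attachments:
        yield "attachment"
    if CHANNEL_SWITCH.search(message.text):
        yield "channel_switch_request"
    if NONPUBLIC_ASK.search(message.text):
        yield "nonpublic_info_request"


def review_thread(messages, me):
    """Return (indicator, days_since_first_contact, text) for the counterparty's
    first occurrence of each indicator kind, in the order they appeared.

    Only the first occurrence is reported: what matters is that the request is
    new to this relationship, not that the contact is new.
    """
    theirs = sorted((m for m in messages if m.sender.lower() != me.lower()),
                    key=lambda m: m.when)
    if not theirs:
        return []
    first_contact = theirs[0].when
    seen, findings = set(), []
    for m in theirs:
        for kind in classify(m):
            if kind not in seen:
                seen.add(kind)
                findings.append((kind, (m.when - first_contact).days, m.text))
    return findings


# Constructed sample data (hypothetical addresses and domains).
ME = "defender@example.com"
T0 = datetime(2024, 1, 8, 9, 0)

# Weeks of harmless chat, then the asks arrive one at a time.
LONG_GAME_THREAD = [
    Message(T0, "ana.lee@fanmail.example",
            "Loved your last article on ransomware defenses!"),
    Message(T0 + timedelta(days=3), ME, "Thanks, glad it helped."),
    Message(T0 + timedelta(days=10), "ana.lee@fanmail.example",
            "Do you still play chess? I saw your club photo."),
    Message(T0 + timedelta(days=31), "ana.lee@fanmail.example",
            "Quick question, is the roadmap for the next release public yet?"),
    Message(T0 + timedelta(days=45), "ana.lee@fanmail.example",
            "Wrote up my notes on your talk: https://files.share-drop.example/notes.docx"),
    Message(T0 + timedelta(days=46), "ana.lee@fanmail.example",
            "Easier to chat on WhatsApp? Here is my number."),
]

# A colleague sharing a link on their own domain produces no findings.
BENIGN_THREAD = [
    Message(T0, "sam@corp.example",
            "Slides from the workshop: https://docs.corp.example/slides"),
    Message(T0 + timedelta(days=1), ME, "Got them, thanks."),
]


if __name__ == "__main__":
    for kind, day, text in review_thread(LONG_GAME_THREAD, ME):
        print(f"day {day:>3}: {kind:<24} {text}")
    print("benign thread findings:", review_thread(BENIGN_THREAD, ME))
```

Run against the constructed long-game thread, the reviewer reports nothing for the first month of flattery and hobby talk, then flags the roadmap question on day 31, the off-domain document link on day 45 and the WhatsApp request on day 46. The relationship age is attached to each finding so that a human can see the pattern the article describes: trust built first, asks made later. The phrase lists are deliberately short and would need tuning to real traffic; the structural checks (link host versus sender domain, first occurrence per relationship) carry over as written.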
Long-game social engineering is more popular than ever. Everyone should be aware of it and be suspicious of overly favorable and flirty contacts. Sure, they may just be a regular person trying to push a normal relationship, but having a healthy level of skepticism and being aware of their tactics will help you avoid trouble in the long run if you are ever targeted by an APT. It happens enough that CISA put out a warning document.