Because phishing has traditionally been the engine of mass email scams, there is a general tendency to equate it with clearly fraudulent, implausible emails. That perception has not evolved; phishing campaigns have.
Once a threat that went hand-in-hand with spam email, phishing is now a core component of highly tactical, customized campaigns aimed at penetrating nation-state defenses. Phishing may be the simplest mode of compromise, used even by the lowest-skilled cybercriminals, but it is also alarmingly effective. So today, sophisticated nation-state groups integrate phishing into their statecraft, with motivations ranging from financial gain to data theft to election interference.
Approximately 70 percent of breaches associated with state-affiliated actors involve phishing, according to the Verizon 2018 Data Breach Investigations Report. Phishing played a major role in the Democratic National Committee hacks of 2016, according to the 2018 indictment of the Russian intelligence officers alleged to be responsible. In the last few years, phishing has become a core component of the election interference playbook. This is true not only in the U.S., where Senator Claire McCaskill (D-MO) revealed in the summer of 2018 that her campaign was the target of a phishing attack, but also in elections in Taiwan, France, Iran and Cambodia, to name a few.
Nation-states also incorporate phishing for other geopolitical and financial objectives. Prior to CyCon, the conference produced by NATO and the U.S. Army Cyber Institute, malware-laden invitations were sent to infect invitees' computers. The Iranian-linked APT33 has been targeting energy companies within the Gulf Cooperation Council through phishing emails, following the U.S. withdrawal from the Joint Comprehensive Plan of Action (a.k.a. the nuclear deal). The North Korea-linked Lazarus Group continues to target the financial sector, and was recently alleged to have stolen $13.5 million from an Indian bank; its initial mode of compromise is frequently a phishing email. And OceanLotus, linked to Vietnam, uses spear-phishing techniques to lure victims into downloading malware, often to expand surveillance in the interest of the Vietnamese government.
While phishing campaigns are traditionally synonymous with email, social media is also a popular medium for the same fraudulent information and lures: a victim is convinced to click a link and enter credentials, or to download a file with embedded malware. These attacks can be very targeted, such as those of the Iranian-linked Cobalt Gypsy, which has created fake personas to connect with individuals in the Middle East and the United States. Once the connections are made, individuals are convinced over time to download malicious files onto corporate computers. These kinds of social media-enabled attacks have doubled in the last year, and are proving an effective way to steal financial information and credentials, or to deploy malware.
Given the limited resources required and the potential for high returns, nation-state tactics are diffusing out to criminal groups as well. Today's criminal phishing campaigns are much more sophisticated than the scams of yesteryear (although those certainly still exist). From real-estate scams to ransomware attacks, criminals have upped their game when it comes to launching realistic and credible phishing attacks. These attacks generally target corporations, and often blur the line between criminal and state-sponsored activity.
Nation-states and criminal groups will continue to deploy phishing campaigns, quite simply because they are effective and defenses have not adjusted. There certainly is value in continuing to educate the workforce and the broader population. In Latvia, for instance, there is a national campaign to educate the populace on the full range of cyber-enabled threats, including phishing. While this is important, humans have been the scapegoat for vulnerabilities for far too long.
Fortunately, this is starting to change, as novel deployment of existing technology begins to counter phishing without requiring major changes in human behavior or user experience. New forms of encryption, computer vision and machine learning are all showing potential against the onslaught of phishing attacks; origin-bound authenticators such as FIDO2 security keys, for instance, refuse to present a credential to a look-alike site, so the user never has to spot the fake. Additional technological creativity is required to adjust the risk calculus and make these campaigns more costly for attackers. Until then, phishing will remain a top tactic of choice, including for the most sophisticated nation-state threats, which have their eyes set on an ever-expanding target set.
(Andrea Little Limbago is the Chief Social Scientist at Endgame, directing and contributing to the company’s technical content. She has a background in quantitative social science and direct operational support, and writes extensively on the geopolitics of the cyber domain, policy, and data science.)