By Csaba Fenyvesi and Ana Miletic
At first glance, the connection between social media and critical infrastructure is not obvious. But if we define critical infrastructure as all the physical and IT-based devices, networks and services that are indispensable to modern society, and consider how the lives, health and wellbeing of its citizens would be affected by their corruption, malfunction or destruction, for example through cyber attacks against ICS systems, the connection becomes much clearer. Nuclear plants, electric grids, water supply, healthcare, aviation: these are just some of the targets against which malicious users, who have emerged from the dark web and organized themselves in closed social media groups, can prepare and execute specialized attacks, including IED attacks, and even turn industrial assets into IEDs, right in front of our eyes.
Social media is a vital part of our daily lives. People increasingly live their social and private lives in cyberspace, forming connections and maintaining personal and business relationships on the internet. An enormous amount of data and information is shared every minute. All of this data can be collected, analyzed, evaluated and used for different goals. Social media also has numerous malicious users whose sole purpose is preparing and executing specialized attacks against critical infrastructure, using the personal and work-related data shared by social media users employed by critical infrastructure entities. The human habit of changing passwords only once in a while, and of using the same ones both on and off the workplace, makes it easier for malicious users to compromise accounts and use that access to execute the attacks.
It is crucial for the relevant bodies – governments, law enforcement agencies, financial companies, production facilities – to be aware of this risk and to regularly monitor the cyber world where this threat can occur, in order to guarantee the smooth running of their operations. Using adequate Cyber Threat Intelligence (CTI) software can greatly contribute to discovering potential data and information leakage, providing the opportunity to react fast and prevent cyber or IED attacks.
Due to the rapid expansion of social media sites and their business model, every online community and mobile application is a paradise for data mining. As these platforms contain an enormous set of data, researchers and intelligence organizations must steer the focus of their analytics in this direction.
Security-minded data collection regarding critical infrastructure on social media sites can take two directions. One is attacker-based and focuses on gathering intelligence on hostile actors and their methods, tools and motivation. The other is defense-based and focuses on the infrastructure itself and its employees.
In the case of attacker-specific data collection, it is necessary to survey the platforms and groups (forums, chats, social sites) that provide relevant and actionable intelligence within our scope. This stage of data collection focuses on identifying data sources and creating the methods and technology for data mining.
Once the “where?” and “when?” are established, the focus shifts to “what?”. When the scope is attacker-specific, both open and private groups, forums and posts may contain widely available, open-source information about the methods, techniques and motivation of malicious actors, and sometimes clues about their plans and identity (especially when correlating between platforms). Closed groups and posts with restricted visibility usually contain more details regarding vulnerabilities, data leaks and sensitive information, but they are harder to get into. Because of this, the data-mining method should include techniques for gaining access to these groups.
If the scope is not just data collection but also data validation, then closed-source information gathering is necessary as well. To gain access, fake profiles are needed, which are harder to create and maintain than basic data-collector ones: they need to look sufficiently old (no one trusts a recently created, empty profile), reliable and competent, and they should also have some street credibility (i.e. connections with other members of the target community). Well-designed, properly camouflaged and thoughtfully placed honeypots can greatly enhance our efforts.
Targeted data collection within social platforms can provide valuable intelligence about malicious groups and criminals that may target critical infrastructure, and about their motivation, tools, techniques and procedures. Using only open-source techniques, this information is generic, but by mixing it with closed-source gathering we can obtain more specific information, even first-hand.
Social platform intelligence gathering is not exclusively available to the defense sector; attackers can also use it for their purposes, since the employees of the various organizations in the critical sectors usually live their daily cyber-lives there. Due to the immense amount of data available about these institutions and their employees, it is in the utmost interest of the security community to create defense-based data collection projects scoped to the vulnerabilities of the human profiles that contain sensitive information.
While malicious actors usually use fake profiles and hide their real identities, ordinary people use social media for its original purpose: sharing. Because of this, a criminal can map the targeted person’s whole profile and network, and also build a psychological map of what motivates and demotivates that person. In the hands of a skillful social engineer, these are the basis of various attacks and phishing campaigns. The shared content itself can also be quite risky for the organization: videos and pictures can contain personal and sensitive information that unwittingly helps and orients a possible attacker.
The information on social media is not always direct. General data leaks can contain sensitive information about employees (e.g. email addresses, passwords, documents) and disclosed vulnerabilities that could relate to systems and services in the critical infrastructure (e.g. OS and application vulnerabilities). It is important to detect these early, thus avoiding possible threats in the future.
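As an added illustration of the early-detection point above (and of the work/private password reuse mentioned earlier), here is a small leak-triage routine written for this article, not taken from any CTI product. It parses a constructed "email:password" dump, flags accounts belonging to an assumed monitored domain (example-utility.com), and detects the same password fingerprint shared between a work account and any other account, while keeping only truncated hashes rather than plaintext passwords.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample of a credential dump as it might circulate on a
# leak-sharing channel: "email:password" lines plus noise. Not real data.
SAMPLE_DUMP = """\
alice@example-utility.com:Spring2019!
bob.smith@gmail.com:hunter2
alice.personal@gmail.com:Spring2019!
# dump header junk
carol@example-utility.com:
dave@other-corp.test:letmein
"""

# Assumed: the domains our organisation wants to monitor.
MONITORED_DOMAINS = {"example-utility.com"}

LINE_RE = re.compile(r"^([^:@\s]+@[^:\s]+):(.*)$")


def fingerprint(password: str) -> str:
    """Keep only a truncated SHA-256 of the password: enough to match
    reuse across entries without retaining the plaintext in our records."""
    return hashlib.sha256(password.encode()).hexdigest()[:16]


def parse_dump(text: str):
    """Return (email, fingerprint) pairs; malformed lines and entries with
    an empty password are dropped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m.group(2):
            continue
        records.append((m.group(1).lower(), fingerprint(m.group(2))))
    return records


def triage(records, domains):
    """Return (exposed, reuse): exposed = monitored-domain accounts found in
    the dump; reuse = {fingerprint: [emails]} where a monitored account shares
    a password fingerprint with at least one other account."""
    domain_of = lambda e: e.split("@")[1]
    exposed = sorted(e for e, _ in records if domain_of(e) in domains)
    by_fp = defaultdict(set)
    for e, fp in records:
        by_fp[fp].add(e)
    reuse = {}
    for fp, emails in by_fp.items():
        if len(emails) > 1 and any(domain_of(e) in domains for e in emails):
            reuse[fp] = sorted(emails)
    return exposed, reuse
```

Both outputs are what an analyst would want to act on: exposed accounts get a forced credential reset, and reuse hits show where a private-account leak also opens a work account.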
Critical infrastructure is not just the infrastructure itself, but also the people operating it. Information about them is precious to both attackers and defenders, as their personal information, pictures and videos can help to orient and plan an attack against the institutions. With these facts in mind, we can state that the complex and holistic defense of critical infrastructure is not just about defending the infrastructure itself: gathering intelligence via various social platforms in order to create a shield around the employees should be of equal importance.
To close, here are some examples that show how tangible the issue is.
Researchers from Tempest’s Threat Intelligence team have detected a new phishing campaign targeting Facebook users in Brazil and Mexico. In the campaign, sponsored ads offered discount coupons for a large fast-food chain in order to spread malware which, according to the research, is divided into three modules: a file capture and credential theft module, a malicious extension for Google Chrome, and a Remote Administration Tool (RAT) used for screen overlay to commit bank fraud. [1]
A convincing new Facebook scam has emerged that appears to be tricking even the most vigilant of users. Cybercriminals have created an almost exact replica of Facebook’s “Log in With Facebook” pop-up window to dupe users into handing over their credentials. Single sign-on, or SSO, is a feature that enables users to use one set of login credentials, typically Facebook or Google, to log into another third-party website. Rather than create separate passwords for multiple accounts, users can conveniently use the same login details to gain access to individual sites. Using HTML, the crooks have been able to realistically reproduce the single sign-on prompt to encourage as many people as they can to enter their details. The next stage is to prompt the user into visiting a malicious website that has already been embedded with the code. Upon selecting a login method, the fake login prompt is presented, and it is so convincing that the user can interact with it, drag it and dismiss it in the same way they would a legitimate prompt. As soon as the user fills out their username and password, the details are sent straight back to the attackers, who can take immediate control of the individual’s Facebook account. [2]
According to multiple sources, attacks on industrial infrastructure are on the rise. “Malicious activity targeting industrial control systems (ICS) affected 47.2% of computers protected by security firm Kaspersky Lab in 2018.” [3] Attacks on ICS can heavily affect critical infrastructure – think of oil and gas facilities, electrical grids, water supply…
As highlighted in the review of the recent cybersecurity conference held in New York City, provided by Greenberg Traurig, “what to do” is not the only crucial point; “what not to do” is equally important. The panel agreed on the necessity for regular risk and vulnerability assessments “because attackers can change the code of their ransomware variant weekly (if not more often), performing only an annual vulnerability assessment could be sorely lacking in value.” [4] Further to this, as stated in the report, training employees on how to deter phishing, and sharing information about breaches among organizations, are of high importance.
It is time for corporations and regulatory organizations to take this risk extremely seriously and invest much more effort in preventing the damage. We have to realize that social media has partly lost its original mission and developed a dark side, and we have to act accordingly.