Ex-IDF cyber chief on Iran, Scattered Spider, and why social engineering worries him more than 0-days
Interview Scattered Spider and Iranian government-backed cyber units have more in common than a recent uptick in hacking activity, according to Ariel Parnes, a former colonel in the Israeli Defense Forces’ cyber unit 8200.
Both the financially motivated crew and Tehran’s APT groups excel at social engineering attacks, and are proof positive that cybercriminals don’t necessarily need to use zero-days to inflict damage.
“One of the famous cases in Israel was with an insurance company,” Parnes, co-founder and COO at cloud threat detection and response firm Mitiga, told The Register.
He’s referring to an Iranian hack-and-leak operation in late 2020 against Israeli insurance company Shirbit, which insured employees of Israel’s Defense Ministry — although it’s worth noting that Scattered Spider also had a more recent run of digital intrusions into American insurance firms.
An Iran government-backed group “stole data, leveraging social engineering and one-day vulnerabilities,” Parnes said. After stealing the Shirbit files, which included Israelis’ private information, the crew dumped them all online.
“The power of the attack, more than anything else, was the psychological impact of it,” Parnes continued. “It’s the fact that they were able to get their hands on sensitive data from citizens of Israel, some of them working in the government, and then they amplified that through social media and other tools. This is their modus operandi. It’s not just about the real impact, but rather the amplification of it.”
While their cyber campaigns against Israeli targets haven’t slowed in the subsequent years, Iranian groups have also used these same tactics against Western organizations and government officials: spear-phishing aimed at stealing credentials, social engineering including setting up fake LinkedIn personas, and breaking into US water and fuel systems, then doing nothing with the access — but making it into a big deal on social media.
“And now generative AI introduces capabilities in being able to master social engineering, both in quality and quantity,” Parnes said. “If you’re an attacker and you have your target, let’s say, a bank in the US, you need to do reconnaissance, gather intelligence on the target, and then build an attack that is relevant to the audience. Generative AI saves years of investment in the reconnaissance phase.”
AI-based systems can generate complete reports about targeted individuals, their interests, memberships in personal and professional organizations, colleagues and friends — all from scraping potential victims’ social media pages, he opined.
“And that allows me to be significantly more effective in this first step than if I needed to do all of that manually,” Parnes said.
Plus, AI makes it much easier to craft phishing emails, phony documents, and even spoofed websites that look and sound real. “So it makes this attack significantly more scalable — Google said Iranian threat actors were using Gemini for these purposes,” he added. “This is what worries me more than zero-days.”
“You don’t need to be a superpower, you don’t need to be the NSA with zero days, you just need to have the skills to understand how the organization that you’re targeting operates, who the actors are, what processes and procedures, understand people, understand language, understand culture, and this is it.”
Scattered Spider, perhaps even more so than Iranian spies, has mastered social engineering, and the crew has a built-in advantage when attacking American and British orgs because its members are native speakers who know the language and the culture.
“Scattered Spider is an example of how powerful social engineering can be,” Parnes said, adding that he wouldn’t be surprised to see some level of collaboration between the financially motivated gang and Tehran’s state-sponsored crews along the lines of Iran’s Pioneer Kitten working with ALPHV/BlackCat and other ransomware-as-a-service gangs.
Plus, there are already indications that state-linked attackers are adding ransomware to their toolkits.
“Scattered Spider harvests identities, and they sell them to whoever wants to buy them, so Iran threat actors could use them in their campaigns,” Parnes said. “It all ends up in Iranians being able to do much more with their rather rudimentary capabilities.”
Neither Iran nor Scattered Spider “have the most advanced cyber weapons,” he added. “But maybe they don’t need it.”