Social media use has skyrocketed in recent years and connected the world in ways unimaginable in the past. Families, friends, professionals, political movements, and corporations all use social media to maintain contact around the globe, share ideas, unite against oppressive regimes, or enhance a company’s brand recognition. Facebook's billion and a half users now comprise a larger population than any country on the planet, and, if Twitter were a country, its 300 million users would rank it fourth in population, just behind the United States.
Like many technological advances, however, social media has been used for ill as well as good, as evidenced by terrorists’ use of networking sites to spread jihadist propaganda and attract new recruits. Terrorists, however, are not the only bad actors exploiting social media for nefarious purposes. The electronic barrier between interlocutors inherent in social media is ideally suited for deception and is routinely exploited by bad actors of every stripe to harm their unsuspecting targets.
Social networking sites provide excellent opportunities for intelligence services to identify, assess, and cultivate relationships with potential spies inside governments and private industry. The virtual interaction in social media is ideal for “false flag” espionage, i.e., operations designed to deceive a target into believing he is in contact with another nation or entity. The informality of social networking also encourages users to drop their guard and reveal seemingly innocuous information. Opinions and comments expressed on their accounts provide insight into beliefs, political views, and attitudes toward work and employers. Postings on a user‘s activities yield insights on habits and interests. In the past, an intelligence officer would spend months trying to gather these types of information that enable him to assess his target’s access, attitudes, potential vulnerabilities—in short, everything to determine if he might induce his prey to spy. Now this treasure trove of data is available with a few keystrokes on social media sites.
The intelligence officer also uses this information to craft a false identity that shares common interests with the target and enables him to cultivate a relationship. The online persona also eliminates the painstaking requirements and potential pitfalls of traditional false flag operations, airtight documentation, in-depth knowledge of one’s false background, and the supposed common interest with the target—all the meticulous details required to convincingly pass as something other than an intelligence officer.
Intelligence services often exploit these false flag social media operations to launch technical attacks against a target—after all, they mastered the art of "social engineering" long before the term was coined to describe manipulation of people to facilitate computer attacks. Connections established and fostered through social media relationships build trust that allows intelligence services to dupe targets into accepting “spear phishing” and other ruses to trick them into opening infected emails that steal their network credentials and facilitate cyber theft of secrets.
Russian intelligence, in particular, has relied on false flag operations for centuries. In the cyber realm, once a Russian intelligence officer identifies a target, he then fabricates a profile that will appeal based on common interest, usually not related to the target’s work and access to secrets so that the contact appears non-threatening. He may establish a connection with the target directly or, to enhance his credibility, he may instead develop a relationship with a friend or follower of the target who shares the same interest and, later, he uses this unwitting intermediary to establish his bona fides. Once the relationship with the target matures, the Russian intelligence officer sends him a "phishing" message with a link or attachment. With one simple click by the credulous target, Russian intelligence gains access to his computer holdings. The tactic works. Russian intelligence reportedly used social media accounts in its phishing email attacks that penetrated the Pentagon in 2015.
The Russians, of course, are not the only social media exploiters. In 2012, China used a brazen variation of the false flag ruse by opening a bogus Facebook account for NATO Chief Admiral James Stavridis to establish credibility with high ranking NATO military targets, dupe them into accepting contact requests, and then steal their personal data.
Iran ran an extensive social media operation to spy on military and government officials in the U.S., UK, and Israel. In 2014, a private security firm, iSight Partners, discovered that Iranian cyberspies devised fake personas as journalists, government officials, and defense contractors to lure targets in those countries.
The Iranians reinforced the credibility of their phony profiles by creating a fictitious news website, newsonair.org, to feed their targets content. Like the Russians and Chinese, the Iranians also sent their targets phishing messages to gain login information and infiltrate malware to drain more data. Over 2000 targets connected with the bogus users. In November 2015, the Iranians played a variation on this tactic by using social media accounts of government employees to establish contact with State Department officials involved in Middle Eastern affairs.
Government officials are not the only targets of social media espionage. Foreign intelligence services, as well as criminals and business competitors, use the same methods to loot corporate trade secrets. Cyberoam, an Indian security company, conducted an experiment to illustrate the threat. After discovering from publicly available information that the financial director of a target company was divorced, Cyberoam devised a false female profile on Facebook, complete with an attractive photo. The fictitious woman “friended” the divorced executive and cultivated the online relationship to the point where she eventually elicited sensitive company information from him.
The threat of this digital espionage requires both government and industry to educate employees about the security pitfalls of social media. Company prohibitions against using social media at work are unrealistic and impractical. Such a draconian approach would harm morale and not prevent lapses since employees could freely use social media anywhere outside the office. A more effective approach would require mandatory awareness training as part of employee security briefings, supplemented by periodic reminders of the social media threat and illustrated by case studies. Some suggested points of this training would include discussion of types of information employees should avoid online, warning about connecting with persons without authentic profiles, and using privacy settings to share only with trusted connections. Employees should also be instructed on building social media profiles that will not attract the attention of a foreign intelligence service or other cyber predators.
With these few and relatively inexpensive measures, companies and their employees can reap the enormous benefits of social media and at the same time minimize the threats from malicious actors of every stripe.
