China is increasing efforts to steal IP through online social engineering: companies have to increase employee resilience and awareness
At a meeting of the ‘Five Eyes’ alliance (an alliance comprising intelligence services from Australia, New Zealand, Canada, the UK and the US), Ken McCallum, the Director General of MI5, warned that more than 20,000 people in the UK have been approached covertly online by Chinese spies looking to steal UK companies’ Intellectual Property (IP).
McCallum claimed that MI5 had “seen a sustained campaign on a pretty epic scale” with smaller companies, start-ups and individuals being targeted for their technology and other IP. By targeting smaller companies and individuals, Chinese agents are looking to take advantage of those who might not be expecting to be approached and therefore do not have the necessary training or awareness to recognise potentially malicious communication.
The use of ‘social engineering’ tactics is not new, but by approaching via platforms such as LinkedIn (the primary platform in this case) and targeting companies and individuals that are not necessarily expecting to be hit by such attacks, the Chinese are increasing their chances of success. This is particularly so given their use of the ‘spray and pray’ approach, where bad actors target thousands in the hopes of succeeding with a few, as opposed to focusing on a smaller number with higher quality ‘lures’.
Using LinkedIn also enables bad state actors to use social engineering tactics that are generally no longer successful via email or other traditional communication platforms (like a generic spam email).
LinkedIn works well because ‘reach outs’ often flatter people, giving them a little bit of an ego boost. The nature of LinkedIn also means that social engineering experts can add people from the same network to suggest that there is a degree of connectivity between them and their ‘target’, which is almost certainly contrived. Additionally, the use of LinkedIn as a platform for job hunting means bad actors are very likely to use recruitment features to further legitimise their communications.
This combination of ‘flattery’ and ‘connection’ means that targets are already in a vulnerable place by the time a direct approach comes. This means that they are more likely to divulge information via messages on LinkedIn than they would in any other aspect of their professional life.
Due to the nature of personal LinkedIn use, companies cannot police employee activity online. However, the nature of the threat means that action has to be taken, and this should be in the form of a cyber security awareness response.
Helping employees and SMEs understand the threat, what it looks like and how to deal with it, especially in environments where they are not expecting threats, is important. When it comes to social engineering, education is the key because, more often than not, technology cannot identify such approaches.
At PGI we had an incident where a network of inauthentic accounts targeted our organisation. Bearing in mind we are a team of cyber security and digital investigations professionals and we already have an above-average level of cynicism, this was still a good opportunity to refresh the whole team on the threat, ensuring they all understood the risk, what the communication looked like, and how to deal with it.
Importantly, we did it informally. Piling on the pressure with constant formal training can result in employees developing ‘security fatigue’. This is where they are so inundated with formal training and security alerts that they become blind to the threat and cannot react to incoming malicious attacks.
By making the education piece part of our weekly newsletters we were able to keep it informal but effective, and people took it up and even enjoyed the learning.
Ensuring employees are up to speed with the latest threats will be crucial in the coming months. We are likely to see the threat from bad state actors increasing as we see global factors such as ongoing conflicts and political events influence the decision making of malignant states. Companies of all sizes need to be aware of the threat; it is no longer just governments or enterprise-level businesses that are being targeted by other states. It’s a threat that is continuing to grow in regularity and sophistication, and everyone needs to be able to combat it.