
    Geotargeted threats: Why attackers want to know your whereabouts

    By Aravind
    Published on Jan 8, 2023

    Since time immemorial, attackers have viewed social engineering as an effective means of gaining entry to an organization's network. The 2021 Cyber Security Statistics report by PurpleSec found that 98% of cyberattacks involved social engineering in some form. However, these techniques can often be detected by spotting inaccurate language in attackers' messages and the spurious domain names of the senders. When their cover gets blown by such minute details, attackers resort to geotargeting.

    Threat actors are pushing the envelope for granularity in their social engineering traps; malware campaigns are customized based on the targets' region and preferences. Gone are the days when geotargeting was used only to design marketing campaigns. Tailoring a message to the target's geographical and cultural context, and writing it in grammatically accurate language, make phishing traps more believable and harder to distinguish from genuine marketing pushes.

    Let's look at how emulating culture-specific behavior works. Sweden has been a frequent target of vishing, a voice-based phishing technique in which the attackers pose as representatives of a reputed company in order to dupe victims out of sensitive information. The reason this particular attack method is so effective in Sweden is that, according to the World Value Survey, Sweden comes second, right after Norway, when it comes to the trust people place in their fellow citizens.

    Additionally, location-based targeting allows attackers to maximize their yield per victim. Threat actors stand to gain more financially by unleashing ransomware and other profit-driven attacks, such as banking cybercrime, on victims in wealthier countries.

    One of the main factors contributing to the rise of geotargeted cyberattacks is their weaponization by states. Cyber warfare has emerged as a convenient, relatively cost-effective, and stealthy way to destabilize the critical infrastructure and control systems of a country's supply chain, such as power grids and nuclear reactors.

    State-sponsored threat actors leverage geolocation to inflict large-scale APT and DDoS attacks on target countries, thereby causing damage to their critical assets. With nation-state attacks on the rise, a new study by Trellix and the Center for Strategic and International Studies suggests that nearly nine in ten organizations believe they have experienced a nation-state cyberattack in some form.

    IP address: Key to geotargeting

    Attackers can zero in on their victims using geolocation data gleaned from the target computer's IP address or by analyzing the victim's language settings. With this information, attackers can target a select number of devices using compromised traffic direction systems (TDS) to launch their malicious campaign. Using IP address lookup, the TDS routes customized malware only to systems and infrastructure belonging to a particular region.

    These techniques come in handy during the execution of nation-state and financial cybercrimes where threat actors have to direct their attack at victims associated with the target sector or region. Attackers also use geolocation APIs to determine whether a device will be attacked or not.

    Recently, it was found that a particular strain of malware enabled attackers to extract geolocation data by grabbing the Basic Service Set Identifier (BSSID) of infected computers, which can be leveraged to perform attacks in the future. BSSIDs refer to the physical MAC addresses of the wireless routers or access points used by systems to connect to the internet. This code was discovered by Xavier Mertens, a security researcher with the SANS Internet Storm Center.

    Ransomware: The globe-trotting malware

    Ransomware programs use geolocation to tailor the language and content of the ransom messages displayed to victims. Ransomware-as-a-Service (RaaS) groups double up as nation-state actors and use geolocation lookup to filter out and attack select nations. For instance, the Locky ransomware contained a hard-coded configuration check that disables its encryption once the malware recognizes that the infected PC's locale is set to Russia or that Russian is the system language.

    The ability of ransomware to be region-specific is also apparent in the country-wise distribution of attacks by malware families, for example:

    • Dridex, a banking Trojan that specializes in stealing bank credentials, predominantly targeted financial institutions in the UK, Italy, and France.
    • Ursnif, a banking malware variant, was found attacking banks and financial bodies in Italy and Japan.
    • TorrentLocker infections were concentrated in Turkey, Australia, Italy, and the UK.

    How to combat geotargeted cyberthreats

    Like any cyberattack, geolocation-based threats can be mitigated by incorporating best practices into day-to-day operations. Whenever a user comes across an email containing one or more links, they must sandbox the email, i.e., open the contents of the mail in an isolated environment on the network, before accessing any links. At the ground level, users must keep their applications and systems up to date to patch known vulnerabilities. It's also essential to create backups of sensitive files, so that the effects of a ransomware attack can be neutralized to a considerable extent.

    Best practices for combating geotargeted cyberthreats

    Creating a no-go list: Organizations must monitor the implications of any geopolitical tensions faced by the nations they operate from. This will help them inform their security frameworks and location-based IP blocking strategies, filtering out network traffic and IP addresses belonging to particular groups or regions from which nation-state cyberattacks can potentially originate.

    Using contextual policies: As an extension of the above point, company networks must also authenticate users by weighing location-based factors, so that access attempts originating from networks in no-go zones can be recognized and handled. Creating an exhaustive risk profile on top of each user identity is therefore necessary when evaluating such contextual factors.
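    As an added illustration of the no-go list and contextual-policy points above (example code written for this page, not from the original article or any product), the Python below maps source addresses to regions using a small constructed range table standing in for a GeoIP feed, blocks a placeholder no-go region outright, and challenges logins that fall outside a user's location profile. The range table, region codes, user profiles and auth-log lines are all constructed.

```python
import ipaddress
import re
# Constructed stand-in for a GeoIP database (assumption: real code would query a
# maintained feed). "XX" is a placeholder code for a no-go region.
GEO_RANGES = [
    (ipaddress.ip_network("203.0.113.0/24"), "SE"),
    (ipaddress.ip_network("198.51.100.0/24"), "DE"),
    (ipaddress.ip_network("192.0.2.0/24"), "XX"),
]
NO_GO_REGIONS = {"XX"}                 # no-go list: traffic blocked outright
USER_ALLOWED_REGIONS = {               # per-user risk profile (constructed)
    "alice": {"SE"},
    "bob": {"SE", "DE"},
}
LOG_RE = re.compile(r"user=(?P<user>\S+)\s+src=(?P<ip>\S+)")

def lookup_region(ip_str):
    """Map an IPv4/IPv6 address to a region code, or None if no range matches."""
    ip = ipaddress.ip_address(ip_str)
    for net, region in GEO_RANGES:
        if ip in net:                  # an IPv6 address is never in an IPv4 net
            return region
    return None

def evaluate(user, ip_str):
    """Decide one access attempt; returns (decision, reason)."""
    region = lookup_region(ip_str)
    if region is None:
        return ("challenge", "unknown region")
    if region in NO_GO_REGIONS:        # the no-go list overrides any user profile
        return ("block", "no-go region " + region)
    if region not in USER_ALLOWED_REGIONS.get(user, set()):
        return ("challenge", "region %s outside user profile" % region)
    return ("allow", "region %s matches profile" % region)

def evaluate_log(lines):
    """Apply the policy to auth-log lines; returns [(user, ip, decision, reason)]."""
    out = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            out.append((m["user"], m["ip"]) + evaluate(m["user"], m["ip"]))
    return out
SAMPLE_LOG = [                         # constructed auth-log lines
    "2023-01-08T10:00:00Z user=alice src=203.0.113.45 result=success",
    "2023-01-08T10:01:00Z user=alice src=198.51.100.7 result=success",
    "2023-01-08T10:02:00Z user=bob src=192.0.2.9 result=success",
    "2023-01-08T10:03:00Z user=carol src=203.0.113.77 result=failure",
    "2023-01-08T10:04:00Z user=bob src=2001:db8::1 result=success",
]
```

    Unknown addresses and users with no profile fall through to "challenge" rather than "allow", so a gap in the range table or profile data fails closed.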

    Intervention of regulatory bodies: Be it the GDPR, HIPAA, PCI DSS, or any other data regulation covering a region or sector, their primary function is to define PII and the steps that must be taken to protect it. With that in mind, companies must obtain users' consent and give notice before sharing their PII with affiliates and partners.

    Companies must ensure that users are aware of the data being collected about them and know whether it may be sold to third parties. Users must be given the option to opt in to, withdraw from, and opt out of any service that involves their geolocation data. Compliance failures by organizations must be followed by penalties and corrective measures.

    Patch management: Organizations must deploy software patches regularly, as it has become a prerequisite to ensure better network security. By mitigating software gaps, the attack surface can be considerably reduced. The code integrity and security posture of third-party solutions and geolocation-based applications should also be considered.

    Why cybersecurity is an ESG issue

    Now more than ever, cyberwarfare and nation-state threats have far-reaching effects, and cyberhealth has emerged as a diplomatic issue that spans countries. As geopolitical tensions prove to be fodder for rising cyberattacks, cybersecurity must be seen as a key environmental, social, and governance (ESG) concern. Nations must treat digital well-being as a top priority and come together to resolve this issue, as cyberattacks can have dire consequences for a country's operations.

    2020 Zoho Corporation Pvt. Ltd. All rights reserved.