The Psychological Underpinnings of Modern Hacking Techniques

COMMENTARY

The landscape of cybersecurity is not just a battleground of code and firewalls; it's also a realm where psychological tactics play a crucial role. A prime example of this is the September 2023 MGM Casino hack, attributed largely to social engineering — a method that manipulates human psychology to gain access to confidential information or secure systems. Social engineering, while seemingly modern, has roots that stretch back decades and has been a tool for adversaries in various guises.

During the early 1990s, when I began my tenure at the National Security Agency (NSA), the emphasis on understanding and countering influence operations was intense. We were drilled in recognizing and mitigating the psychological tricks and social engineering tactics that could be used against us. Yet, despite this training, we observed seemingly innocuous local businesses, like a pizza shop offering discounts to NSA employees who showed their badges, which could be easily replicated and used for coercive purposes. This incident underscores the simplicity yet effectiveness of social engineering, relying on human vulnerabilities rather than technological vulnerabilities.

Fast forward to the present, and these rudimentary tactics have evolved into sophisticated strategies, as demonstrated by the MGM Casino hack. The attackers didn't solely rely on advanced technology; instead, they leveraged psychological manipulation, exploiting human trust and curiosity to breach defenses.

Attacks Get More Sophisticated

The MGM Casino incident offers a stark illustration of the sophisticated nature of modern social engineering attacks. In this case, a collective of cybersecurity experts named Scattered Spider, hailing from the US and the UK, adeptly manipulated MGM's help desk personnel. They convinced these employees to reset passwords and multifactor authentication (MFA) codes for select high-value targets within the organization. This breach granted them access to the personal social media accounts of the targeted employees, which they exploited to infiltrate MGM's managed IT service, Okta, subsequently installing an identity provider to generate single sign-on (SSO) credentials for themselves.

This strategy not only compromised Okta but also extended to MGM's Microsoft Azure cloud environment, endangering a multitude of digital assets. In response, MGM took swift action to disconnect the affected servers and phase out Okta and the compromised accounts. Despite these efforts, the attackers had already exfiltrated extensive data and secured ongoing access to MGM's cloud services.

Moreover, the tactics have expanded globally, with instances like the ongoing Chinese government's alleged scraping of LinkedIn profiles. This operation aimed to identify individuals in positions of trust, especially those with administrative privileges, to exploit and leverage their status for espionage or cyber intrusion. Such actions highlight a transition from direct human interaction to the exploitation of digital footprints where the psychological principles of trust and authority are manipulated at scale.

The February AT&T outage exemplifies the evolution and impact of these tactics. During the outage, companies were prompted to disable their MFA systems, like DUO Mobile and Authenticator, to maintain operational continuity. The push for disabling these features created a vulnerability as hackers, recognizing an opportunity, launched brute-force attacks targeting known administrative users. This incident illustrates how psychological manipulation (in this case, creating a sense of urgency and fear of operational disruption) can lead to the compromise of critical systems.

Factoring in the Human Element

Altogether, the incidents described above underscore a critical lesson: While technology advances, the human element remains a constant and exploitable vulnerability. It is often this human element that becomes our weakest link, ultimately paving the way for hackers to gain access to our critical information systems and data. Understanding and mitigating the risk associated with these manipulative strategies is of paramount importance and should be included in security awareness training for our employees and staff. Awareness is the first line of defense, and educating ourselves and our teams about common social engineering tactics, such as phishing, pretexting, baiting, and more can help individuals recognize when they are being targeted. 

We should also encourage a culture where we question any unexpected requests for information, even when those requests appear to be coming from within the organization itself. Implementing strict verification processes at all levels can significantly reduce the risk of falling victim to these types of attacks. Before sharing any insights or sensitive information, we need to verify the identity of the requestor through multiple channels and ensure that these individuals have a lawful business purpose in accessing this information or data.

For businesses, this means we need to establish and enforce strict access controls while simultaneously enforcing the principle of least privilege to limit the information a hacker may obtain through these tactics. We should further foster an environment whereby employees feel comfortable and unhindered reporting these types of security issues.

Lastly, it's helpful to engage with cybersecurity professionals who can evaluate your current security posture to help you develop a comprehensive cybersecurity approach that incorporates and addresses both the technical defenses and the human element. The psychological tactics employed by hackers today are not new; they are simply adapted for the digital age, exploiting the same human weaknesses that have always existed.

As we move forward, understanding and mitigating these psychological vulnerabilities is as crucial as bolstering our technological defenses. The MGM hack, the LinkedIn scraping incident, and the AT&T outage serve as stark reminders that, in cybersecurity, the human mind is both a battlefield and a gatekeeper.