Talent Need Not Apply: Tradecraft and Objectives of Job-themed APT Social Engineering

Conference:  Black Hat USA 2022



When a job offer looks too good to be true… it probably is. As the COVID-19 pandemic has led workers to rethink their careers and long-term goals, threat actors have exploited it as an opportunity to fulfill strategic objectives. Over the past two years, PwC's Global Threat Intelligence team has tracked nation state threat actors as they socially engineered employees at high-profile companies over email, social media and beyond, enticing them with promising job opportunities - only to infect them with malware and disappear.In this talk, we unmask how ongoing operations by advanced persistent threats based in different countries (North Korea and Iran) are using recruitment themes to compromise victims. We draw the profiles of three different threat actors that conduct such operations: North Korea-based Lazarus Group and Black Alicanto; an emerging Iran-based intrusion set which we call Yellow Dev 13; and a threat actor targeting former intelligence officers. Phishing is the oldest trick in the book, but this presentation holds the mirror up to threat actors' faces: the ways they use job themes for phishing, from fake career websites to recruiter personae, become the CV we read to learn their capabilities (their tools, techniques, and procedures); the targets they choose become their cover letters, revealing their intelligence requirements and strategic objectives, from counterintelligence to cryptocurrency theft.Ultimately, this talk will leave attendees with different insights depending on their role. Business executives will get an overview of the threat landscape and why their organization might be targeted. Defenders will gain actionable intelligence on how to recognize and defend from, activity by advanced persistent adversaries. Ethical hackers might encounter a few tricks to try - and mistakes to avoid! - in phishing exercises and adversary emulation. As for the general audience, they might never open a document or link from a recruiter again.



Post a comment

Related work

Conference:  Black Hat Asia 2023
Authors: Yue-Tien Chen, Zih-Cing Liao

Conference:  Defcon 31
Authors: Thomas Chauchefoin Vulnerability Researcher @ Sonar, Paul Gerste Vulnerability Researcher @ Sonar

Conference:  RSA Conference 2023
Authors: Eric Goldstein, Major General William Hartman