Social engineering is one of those things that seems to lack a proper unified definition, possibly because it means different things, in different circumstances, to different people. However, in the context of information security, the fount of all aggregated knowledge (Wikipedia) offers a fairly succinct definition: “social engineering is the psychological manipulation of people into performing actions or divulging confidential information.” (Author's note: mention of the term information security may have caused some to stop reading already. For those who have stuck with us – thank you!) In spite of what could at best be considered a fragmented understanding, social engineering is something that is discussed constantly in security circles – very specifically with reference to the threat posed by individuals or actors who may be able to manipulate any situation to their advantage when approaching an uninformed target. Indeed, this is what we (and the wider security community) try to mitigate by ensuring that people are informed as much and as well as possible.
This kind of targeting is generally an accepted possibility when it comes to the great majority of victims. However, when the target is an FSB officer, this seems slightly harder to fathom. Indeed, the fact that it was even possible speaks volumes as to the nature of the relationship that Intelligence Officers in the employ of the Kremlin have with their masters… For anyone who may be unaware, attribution of the 2020 attempted poisoning of Alexei Navalny to the Russian Security Service (FSB) was a story broken just before Christmas by Bellingcat and CNN. As ever with stories of this nature – the most notable previous example being the poisoning of Sergei Skripal with the A234 nerve agent – the overriding theme is just how impressive top-end investigative OSINT can be, often achieving the same results and arriving at the same conclusions as the most well-resourced of state-level agencies. Though of course commercial OSINT takes slightly longer, it speaks volumes for the breadth of insight that can be derived from publicly available information. On this occasion, however, we aren’t here to talk about the depth of capability that the best OSINT investigators have at their fingertips (that’s a whole series of blog posts all by itself), but rather about how the information that such an investigation generated was used to deliver the next phase – Alexei Navalny’s video of his phone call to his poisoners.
Following the identification of the FSB Officers allegedly responsible for the poisoning (it’s worth noting that the Kremlin hasn’t even bothered denying this one with any commitment beyond denouncing the Navalny video as a “forgery”, most likely because what goes on in Russia isn’t considered by the organs of state to be anyone else’s business at all), it was only a matter of time before someone approached the individuals in a bid to glean more information. Traditionally this has been journalists looking for a story but, in this case, it was the victim himself – Alexei Navalny. Navalny managed to convince the FSB Officer in question that he was a senior FSB Official seeking to confirm details of the attack. How does this happen? How does a seasoned, well-trained FSB Officer fall victim to what is, in essence, a prank call? The answer is simple – environmental conditioning and a lack of security awareness, all enabled by social engineering. First principles: exploit conditioning in the individual. The Officer in question would have been so keen to please his superior that details were disclosed with minimal verification of the caller’s true identity. Indeed, discussion of such activity should never even have been countenanced over unencrypted comms. However, mention of senior Kremlin officials, combined with an apparent lack of understanding of the nature of the threat on the part of the FSB Officer in question, changed the situation rapidly. This is why security awareness is vital, but more importantly this is why people must always understand the nature of the threat rather than simply be given red lines – intelligence-led is much more than a buzzword. Any remaining resistance is then deftly overrun by Navalny – he namedrops other individuals within the FSB unit to create credibility, he reinforces the seniority of the individuals driving his “report” and he, vitally, gives the Officer the chance to pass judgement on others in the team.
Once this information has been shared, the Officer acquiesces and what unfolds is a brilliant example of how leading a horse to water really can make it drink. So how does this link to enduring security? In the days following the release of the call, the Kremlin passed a series of privacy law amendments criminalising the act of revealing personal information about members of any of its security agencies (FSB, SVR & GRU). This is the crux of how the entire investigation unfolded. In the course of the investigation, the data that led to identification of the FSB team targeting Navalny was obtained through dark web data brokers selling breached databases. Indeed, whilst they must be aware that stopping any data breach is nigh-on impossible, in criminalising this act the Kremlin clearly hopes to overtly discourage such activity – no-one wants to end up in a Russian prison… Data aggregation remains the threat and, going full circle, this is why social engineering is fundamentally an information security issue. Without the Navalny call, what the investigation produced remained little more than (very well researched and evidenced) conjecture. However, in applying the information against a target to reveal his actions, Navalny has his smoking gun. Now, take these principles and apply them almost anywhere and the opportunities (and, perhaps more importantly, the threat) are limited only by your imagination and investigative ability… The video itself is required viewing for anyone who would like to see the fruits of OSINT labour being put to work in the most extraordinarily effective manner.