Author: Christina Lekati
It was quite some time ago when I received the call.
“Hi. Do you have some time? We are facing a serious problem that involves a social media security breach, but then again not only that. It is complicated. Mr. X referred you to us, since this is a security issue with consequences in our personal and professional lives. We can’t quite define it”.
These cases get me immediately intrigued. I dropped whatever I was doing, thinking that “I’ll just work a little longer tonight”, eager to hear more about the problem. They proceeded by sharing some of the details.
(Information that would identify the clients has been omitted, but the basic premises of the case have been preserved).
The issue revolved around an executive, let’s call him Peter, with high social media exposure. He was proud of the mission and values of the organization he was working for. As often happens, a portion of his following did not like what Peter had said. Some of his statements, in combination with the initiation of a specific project he had recently undertaken, struck a nerve with a hacktivist group … and they decided to declare war against him.
The group started with some warnings. They wanted Peter to step down and abolish the new project. Peter didn’t bend to the request. The group decided that since he would not step down and dedicate his time to something else, he should be forced to do that.
In the days following the warnings, Peter started receiving a variety of threats and attacks. His new enemies started attempting account takeovers and disruptions on his social media profiles. Then they created a small army of fake accounts (sock puppets) that repeatedly sent him abusive content. As their rage was growing, they also developed a couple of social engineering approaches to get past the social media manager, to engage Peter in conversations online, and to establish trust with him, only to harass and threaten him right after that.
At around the same time, Peter and his family members started receiving personal threats through phone calls, messages, and letters. The situation was becoming overwhelming for him. The attacks escalated when the group found out his home address. This is when they started shipping him a plethora of strange packages: personalized flyers and material that had to do with his or his spouse’s funeral service, drug orders, call-girls, pizza and food deliveries throughout the night, and much more.
Peter remained on the project, notified the police, and increased his physical security measures. But at the same time he was becoming fatigued, scared, mentally and psychologically drained, and still had to reassure himself and his worried family that they were physically safe. Also, he could not dedicate the required time to the project.
This had turned from a cyber harassment campaign into a cyber terror campaign.
Similar campaigns have been used in the past to distract and sabotage the performance of popular athletes, to defame and force into resignation executives of large companies, to discourage female candidates from entering the world of politics, and the list goes on. Their families are often targeted, too.
The term “public figures” will be used for all the diverse groups of people who can be targeted with similar attacks: high value/exposure individuals (executives, business leaders, etc.), politicians, celebrities, influencers, and more.
In cases like the one described above, the current terminology related to online abuse does not seem to be sufficient, as it does not take into account the impact of these attacks. There is as yet no official definition of a cyber terror campaign. But for the purpose of providing a common understanding of these attacks, let’s define them as “a form of online and sometimes offline abuse whose goal is to terrorize individuals, with the purpose of influencing their behavior towards a specific goal”.
The attackers are groups or individuals. They strategize and execute cyber terror campaigns, and employ elements of cyber stalking, cyber harassment, and threats on the professional and personal level of their targets, to increase their influence and efficiency.
It is worth adding here that social engineering has been defined by Christopher Hadnagy as “any act that influences a person to take an action that may or may not be in their best interests”.
Cyber terror campaigns may remain in the cyber realm alone. “Trolls-for-hire”, or “Trolling-as-a-service” providers are employed by state-sponsored groups, disinformation agents, even organizations that use illegal means to increase their market share. Organized cyber trolling or cyber harassment campaigns defame/discredit an individual or an organization, cause psychological harm, or influence the behavior of the targets.
Victim Psychology; Death by a Thousand Cuts?
There needs to be a dedicated section describing the impact of these attacks, as one thing becomes clear: when clients facing this problem turn for help to us, it is ineffective to approach the issue in a purely practical or technical manner. Here is why.
There has been a point in each of our lives where we faced an unfortunate situation that we could not control. We remember situations like that with fear, and with the feeling that we are at the mercy of something we cannot fight. It is part of life, and as much as we like to think that we have the power to influence most aspects of our lives, this is not always possible. Cyber terror campaigns are designed to take this sense of control away from us. How? Let’s break it down:
Invading personal space.
First, these campaigns are often extremely intrusive and hard to ignore. Even if one ignores the fact that their social media accounts are now flooded with abusive messages, they still often receive spoofed phone calls or messages on their personal or professional phones, with that same content. Their attackers will eventually find a way to get past any potential gatekeepers. Sometimes, the victims manage to handle these attacks fairly well. But demonstrating good coping mechanisms might also trigger an escalation of the attack methodology. Sooner or later the targets might be called to handle more difficult situations like disturbing package deliveries at home, or home visits. The targets of these campaigns see that their personal space is either under threat, or that it is being violated by unwanted intruders. Even worse, they do not feel like they can do anything to stop these attacks.
Fear of the unknown.
At some point, threat actors will try to convince their victims that they have mysterious superpowers over them. The arts of marketing and persuasion are alive and well in cyber harassment campaigns, and even more so in cyber terror campaigns. Therefore, adversaries try to find ways to hint to their victims that they know more about them than the victims would want them to, that they have access to personal and private information, and that if one day they decide to act upon them, they will be able to cause significant harm. In other words, they try to advertise their powers.
Phrases like “Don’t forget that we know where you live”, “Did you enjoy taking your son Ted to *school name* this morning?”, etc. have this exact purpose: to inspire fear and the sense of being watched by a threat we are powerless against. Victims are often not very familiar with Open Source Intelligence (OSINT) techniques and the critical information they might unknowingly be leaking through their content sharing or media appearances. A public figure’s social exposure will inevitably lead to security and personal information leaks, especially when that person is not aware of the essential security guidelines for information sharing that can be put in place to protect them. Therefore, when their attackers find a dramatic way to state their findings and the victims do not have a real understanding of how this information was found, the targets immediately enter a state of fear and unconsciously assign their attackers powers and capabilities that they might not have. When the fear of the unknown takes over, the perception of the threat is heavily aggravated. Adding to that comes the almost automatic inner question: “How far will they go next time?”.
The abusive content the victims receive does its own damage too. Being confronted with hate does not leave anyone unaffected. People cope with abusive messages in different ways, but the common denominator remains: they need to internally somehow process this abuse, because they will get affected by it.
True to the term “death by a thousand cuts”, if the victims do not find a way to mentally cope with these attacks, they are really affected by them. There are multiple thoughts and feelings that interplay in victims’ heads.
Fear and anxiety tend to be the first feelings, and the most dominant ones. Because the victims do not know whether they are in danger and what harm their attackers are capable of, these feelings soon take their toll on them. In many cases their fear drives them towards a state of fatalistic thinking in which the individuals adopt the viewpoint that they have no power to confront the threats that have changed their lives, and therefore taking action against the attackers is pointless. You can imagine that if at that point external consultants or police officers try to offer sound but unempathetic, or purely technical advice, the persons that have entered that stage of fatalistic thinking will just ignore this advice.
And here comes the continuation of my story: When we were invited as external consultants to the case described above, we had to dedicate some time to work through the victim’s mental barriers, to eventually lead him to a state of mind where he could accept practical advice. Not the other way around. And we cannot skip the first step if we want to be helpful.
Guilt is another strong feeling that emerges. Targets of this abuse often feel guilty because they think they are responsible for this harassment, because of something they said or did (even if this is not the case). They feel guilty for the abuse of their family members or friends that are also targeted, or simply suffer due to their proximity to the victim.
The list is longer but all the roads lead to similar results. Some targeted individuals develop depression and ultimately may abandon even their jobs and their public life. Others unconsciously accumulate an overload of mental burdens that cause them to underperform, to forget significant tasks or deadlines, and that affect their personal and professional lives in many ways. Fatalistic thinking often takes the seat behind the wheel.
You may have to deal with a victim whether you work in the field of physical or cyber security, the police, close protection, or other related fields. It is important to recognize whether the victim has just started to cope with the psychological burdens of these terror campaigns, or whether they have entered an escalated state of psychological distress, and adjust your approach accordingly.
You will have to make sure that you approach them from a place of empathy and understanding. Accusations or beliefs similar to “you willingly took this risk when you chose this profession” or “it comes with the territory” are simply not helping anyone. Phrases like these should not even cross our minds. Harassment is not alright, and it should never come with any territory. As professionals that care about our clients, it is our duty to stand by them, listen to them, and try to help them to the best of our abilities.
Mental and Emotional Support
The first request that we almost always get is to dedicate some time to listen to the recipients of the abuse, discuss with them, and offer them a safe space to process the situation that they are in. Experience has shown that this often is the wisest first step too. By now, and through the support of Cyber Risk GmbH, we were able to develop workshops on emotional support and mindset development for the clients that have suffered from cyber terror or cyber harassment campaigns. It is the step that provides the client with the necessary level of situational understanding, and that sets the foundations for moving into more practical steps later on. Having a background in psychology and having received training on how to set up and handle individual or group therapy sessions has given me the opportunity to interweave this knowledge into workshops that also involve the practical (and more technical) elements of defending against cyber harassment or terror campaigns. The goal is to ensure that these individuals are receiving the support necessary to remain safe, and continue to operate and reach their performance goals in a focused and psychologically resilient way.
In these workshops we may go through different topics such as:
- Past and current events related to the cyber harassment, and the individual’s experience,
- The impact of these events on current decisions and actions,
- The methodology of terror campaigns,
- Breaking down and demystifying the modus operandi of the attackers,
- Improving the responses to these events and developing coping mechanisms,
- Setting expectations and considering practical steps for future incidents.
This process helps individuals move past fatalistic thinking and towards regaining their resilience and power. Psychologically, it is almost like dropping unnecessary weight off their shoulders so that they can start walking better again and be receptive to advice. At the same time, understanding how these campaigns work and their modus operandi helps participants demystify these attacks and understand them. Knowledge is power and it works in a therapeutic way. It takes away the fear of the unknown, tones down the perceived superpowers of the attackers, and places the events into a more realistic perspective. The participants start developing a sense of control over the personal and professional effects of the cyber harassment they receive.
Social Media Security Training and Operational Security (OPSEC) Hardening
Public figures who feel ready to take action move into this phase, or combine it with the one below.
In this workshop, participants learn to implement better operational cyber security controls to avoid the escalation of the current attacks or limit future incidents. This does not only include the security hardening of their accounts, but also the types of information they choose to share online. Attackers often prey on information through the social media content (pictures, stories, captions, tags, etc.) of their targets, and they use them to geolocate them, to find vulnerabilities, to identify routines, etc. in order to weaponize them.
During this workshop participants learn to:
- Implement behavioural and technical cyber security controls,
- Prevent sensitive or critical information leaks through their public appearances and content creation,
- Understand their personal vulnerability profile and control/limit the exposure of their weaknesses,
- Understand how open source intelligence works and how they can maintain their privacy despite the demands of their public life,
- and more, depending on the case.
This is an approach that, on a practical level, helps them “clean up” the content of any of the media they have control over, be proactive in their future public engagements, and improve their online safety status. On a psychological level, it helps them regain their sense of control and power by applying practical measures.
Personal Vulnerability Assessment Through Open Source Intelligence (OSINT)
We conduct our own Open Source Intelligence (OSINT) Analysis on the targets. This assessment includes the identification and analysis of the target’s personal points of vulnerability. We examine potential attack vectors based on how an adversary would exploit the available information. We try to answer questions such as: Are there visible physical locations that the subjects are frequenting or specific routines? Is there visible personal information that can be exploited? How easily can an adversary approach the targets, online or offline? How vulnerable are the targets? And more, depending on the requirements of each case.
We present the findings to our clients, or we may combine them with the training discussed above. We always offer practical advice and action steps in our reports. The goal is to eliminate information that could pose a considerable risk to the individuals, and to inform them on what to expect in potential future threat scenarios.
Most cyber terror or harassment campaigns are viewed and handled from a single-dimensional perspective alone (usually only in terms of physical or online security). However, during our engagement with these cases it became apparent that there is a strong interdisciplinary relationship with social and cognitive psychology, for all the reasons that were described above. The social element needs to be part of the solution and empathy also needs to be part of the security professional’s approach. Thankfully, there has been research on the topics of preventing targeted attacks and on identifying red flags that distinguish threat actors that only want to cause fear from the ones that want to cause physical harm. These are very significant topics when it comes to dealing with cyber terror campaigns.
We need to combine effective intelligence analysis and security recommendations with a good understanding and application of behavioural science. The targets of these campaigns need to both be and feel safer, and this can only happen if they are able to move past anxiety and fear, and towards the understanding of the risks and the implementation of proactive and reactive security measures. Our goal is to help them go back to their jobs and their everyday activities without shadows of fear hanging over them, and to help them get back to top performance with a clear mind.