Catfishing attack exposes cyber vulnerability of Nato troops
25 February 2019
By carrying out a “catfishing” operation on social media platforms such as Facebook and Instagram, Nato’s Stratcom Centre of Excellence not only obtained detailed profiles of more than 150 serving troops during an exercise but was also able to lure soldiers into revealing the locations of their bases and even leaving their positions.
The catfishing exercise revealed how easy it is for a hostile entity to fool serving military personnel using fake social media profiles, track troop movements, figure out identities of troops attached to battalions or companies, and communicate with troops to obtain details about their operations and future plans.
“Overall, we identified a significant number of people taking part in the exercise and managed to identify all members of certain units, pinpoint the exact locations of several battalions, gain knowledge of troop movements to and from exercises, and discover the dates of active phases of the exercises,” read an excerpt from a report prepared by Stratcom which will be presented to Congress soon.
According to The Telegraph, which accessed the report, the catfishing exercise involved a red team of the Stratcom Centre of Excellence creating fake profiles and closed groups on Facebook and engaging Nato troops in conversations to uncover their identities, locations, and the names of their units.
Through the month-long campaign, members of the red team were able to obtain email addresses, personal phone numbers, and photographs of Nato troops, and by using the “suggested friends” feature on Facebook, were able to identify other troops belonging to the same unit or participating in the same exercise.
The team was also able to obtain other sensitive personal information, such as details of married personnel visiting dating sites, information that could certainly be used by hostile entities to blackmail soldiers and force them into divulging sensitive military secrets.
“The level of personal information we found was very detailed and enabled us to instill undesirable behaviour during the exercise,” the Stratcom report added, indicating that social media continues to be a major threat vector that could be exploited by hostile actors.
Social media a popular vector for trapping military personnel
Even though this was a campaign carried out for the benefit of Nato forces by an organisation connected to Nato, hostile entities have carried out online campaigns in the past to target military personnel and lure them into sharing military secrets.
Last year, a cyber criminal tried to honeytrap a serving RAF airman on Tinder after hijacking the Tinder account of an RAF airwoman. The fraudster was apparently trying to gain sensitive information about the cutting-edge F-35 stealth fighter, 48 of which have been purchased by Britain from the United States for £9.1 billion and a few of which are already in service.
Fortunately, the social engineering tactic failed as not only was the airman not connected to the F-35 programme, the woman whose account was hijacked also learned about the hack and informed her superiors immediately. After investigating the campaign, the RAF issued an internal memo to all servicemen to warn them about the risk posed by social engineering attacks.
In 2015, a British teenager accessed e-mail addresses, phone numbers, and personal devices of former CIA director John Brennan, the former Secretary of Homeland Security Jeh Johnson and former FBI deputy director Mark Giuliano by using social engineering tactics.
During the course of his operation, he not only used information obtained through his social engineering skills to harass his victims and to threaten them, but also to access sensitive details concerning overseas U.S. military operations in troubled countries like Iraq and Afghanistan.