Countering Social Engineering in the Defence Industry 


In May 2024, the UK Ministry of Defence (MOD) faced a significant social engineering attack targeting its payroll system, compromising the sensitive data of up to 270,000 serving personnel, reservists, and veterans. This exposed personally identifiable information, including names, bank details, and some addresses.

Attackers, believed to be state-sponsored, exploited a third-party contractor’s system by impersonating trusted entities to trick employees into granting access to the payroll database. Although not confirmed, it is suspected that this breach is linked to a Chinese hacking group.

To their credit, the MOD swiftly contained the damage and notified affected personnel. However, this incident highlights the threat social engineering presents at every level, with significant impacts on an organisation’s business operations and reputation.

Pera Prometheus, an expert consultancy for Defence industry-related businesses, aims to explore the social engineering aspects of the threat and propose approaches to mitigate it. Further guidance can be found on the National Cyber Security Centre (NCSC) website.

What is Social Engineering and Why is it Dangerous? 

Social engineering is among the most innovative forms of cybersecurity and information security attacks, invariably combining technical, physical and psychological manipulation to achieve results through hacking the human, not just the technology humans use.

Unlike technical cyberattacks targeting system vulnerabilities, social engineering seeks to take advantage of human behaviour, some ingrained within us over our entire history as a species, and errors in the implementation of procedure and policy.  

For the Defence industry, a successful social engineering attack, as we have seen, can result in a compromise of intelligence, identifiable information and even lead to mission failure. Moreover, a successful compromise could be exploited over a long period of time without information owners even being aware. 

Common Social Engineering Threats to Defence Networks and Personnel 

Despite Defence and many of its suppliers maintaining more robust security mechanisms and procedures than their commercial counterparts and sub-contractors, they are as susceptible to social engineering attacks as anyone else. All that is required, in many cases, is a more innovative and inventive approach to achieving social engineering success. The Defence Industrial Base is a prime target for social engineering attacks.  

Here are just some of the many threats: 

  • Phishing Emails: Threat actors pretend to be MOD officials or contractors, sending fake emails to trick employees into sharing passwords or downloading harmful software; 
  • Social Media Tricks: Criminals use public social media profiles of Defence workers to create convincing fake messages or pretend to be trusted contacts; 
  • Phone Scams (Vishing): Scammers call, posing as IT support or government officials, to convince people to share sensitive information or install malicious software; 
  • Insider Risks: One of the biggest threats, social engineers manipulate unhappy or unaware employees to leak secret information or damage systems; 
  • Indirect Supply Chain Attacks: Supply chain vulnerabilities are one of the biggest concerns for Defence. The complex and layered nature of a supply chain lends itself to attempts to compromise its integrity, as management and monitoring of its security is hard to achieve. Hackers focus on smaller sub-contractors, who lack the ability and knowledge to maintain a sufficiently vigilant stance, breaking into their networks and communities of trust, thereafter attempting to compromise their ‘upstream’ clients.

Securing the Supply Chain 

Defence Condition (DEFCON) 658 and Defence Standard (DefStan) 05-138 have been developed by MOD and the Defence Cyber Protection Partnership (DCPP) to raise the bar for Defence cyber supply chain security.

DefStan 05-138 is about to be ‘upgraded’ from issue 3 to issue 4, to align with the NIST Cyber Security Framework. This is in response to the increasing threat and has been covered in our Blog – Cyber Security Model & DEFSTAN 05-138 in Defence Industry.

By implementing the security controls required by the Cyber Security Model, you are in effect laying the foundation for the security culture your business and defence need to operate a safe and secure business that does not present an easy opportunity for a malicious actor to compromise UK national security. 

Preventative Measures to Combat Social Engineering 

Defending against social engineering requires a multi-layered approach combining awareness, technology, and protocols. Fostering a security culture within the organisation is integral to this. Below are some key preventive actions: 

  • Verify Before Acting: Confirm the legitimacy of emails, calls, or messages using known contact details. Legitimate entities won’t request sensitive data via unsolicited channels; 
  • Scrutinise Emails and Links: Check for spelling errors, suspicious sender addresses, or unusual requests – any of these can indicate a social engineering attempt. Hover the mouse pointer over email links to verify their legitimacy;
  • Secure Social Media Profiles: Limit personal information shared online and adjust privacy settings to restrict access to trusted contacts; 
  • Implement Multi-Factor Authentication (MFA): Add an extra security layer to protect accounts even if credentials are compromised; 
  • Keep Systems Updated: Regularly patch devices and applications to close vulnerabilities exploited by social engineers; 
  • Train Staff Continuously: Conduct regular cybersecurity training to teach personnel how to identify and respond to social engineering tactics. This is the best countermeasure. 

Ensuring your personnel have a high level of security awareness can pay dividends to your overall security posture. People tend to know when something doesn’t feel right, especially with a little guidance, and giving them the confidence to react to suspected social engineering incidents will only enhance your organisation’s security – Security and Business Resilience through Awareness.

Pera Prometheus Perspective

Businesses and personnel within the defence supply chain face heightened social engineering risks that can compromise their systems and MOD partnerships.  

Pera Prometheus advocates a proactive approach to developing a mature security culture, built through an appropriate mix of leadership, security exercises, training and awareness of the threat, which promotes an ethos of vigilance across a business. Vigilance is key to being aware of social engineering attempts to compromise the organisation.

Pera Prometheus can support your requirements for embedding cybersecurity into organisational culture through regular employee training, implementing security policies and procedures, conducting internal physical security tests, and maintaining business continuity plans. It is of particular importance to the wider defence supply chain that Defence suppliers conduct frequent audits of their networks and third-party vendors to prevent supply chain attacks.

Businesses need to understand that security, whether physical or digital, is not an option but a necessity. This security mindset must be driven by senior leadership and not treated as an afterthought. Professional support should be sought, if in doubt. 

We believe: Information Assured, Business Secured 

Read more: Social Engineering: Understanding Cybersecurity’s Human Element  
