Overview of Social Engineering Attacks on PHOENI2X Use Cases and Novel Mitigations

Kristian Beckers, PhD; CEO; Social Engineering Academy GmbH, Germany

Alejando Quintanar; CTO; Social Engineering Academy GmbH, Germany

Social engineering is the acquisition of confidential, private or privileged information by methods including both technical and non-technical means, such as shoulder surfing, dumpster diving, etc. [1]. Social engineering attacks represent a continuing threat to the employees of organizations. With the wide availability of different tools and information sources [2], it is a challenging task to keep up to date with recent attacks on employees, since new attacks are being developed and modifications of known attack scenarios are emerging. The latest Data Breach Investigations Report [3] reports another increase in financially motivated social engineering, where the attacker directly asks for money, e.g. by impersonating the CEO or other high-level executives. However, during the writing of that report, scammers had already varied their approach and were also asking employees to purchase and transfer online gift cards. Furthermore, social engineering attacks vary across business scenarios, depending on the type of people working in these areas, the context that surrounds them and the mindset they adapt to. We illustrate the differences using the three scenarios considered in the PHOENI2X project: the first is set in the health care sector, the second in the railway sector and the third in the energy sector.

One might argue that, since social engineering threats have been around since the widespread adoption of information technology, this is hardly still an issue today. Yet social engineering attacks, including phishing, smishing (SMS phishing), and Business Email Compromise (BEC), have seen a marked increase. Verizon's 2023 Data Breach Investigations Report (DBIR) highlights that BEC attacks now represent over 50% of social engineering incidents, a significant rise from previous years [3].

Organizational preparedness, in contrast, has not kept pace with this situation. Despite awareness, many organizations struggle with preparedness: in 2022, two-thirds of cybersecurity leaders felt unprepared to defend against common threats, often due to high staff turnover and the complexities of hybrid work environments. This unpreparedness is further complicated by the increasing sophistication and volume of attacks [4].

Scenario: Railway

Recent studies on social engineering attacks in the railway sector over the past five years have highlighted several significant incidents and trends.

Danish State Railways Attack (2022): In October 2022, the Danish State Railways (DSB) experienced extensive disruption due to a cyber attack on their ICT service provider, Supeo. This attack prevented DSB drivers from accessing a critical safety IT system, causing operational delays for several hours. Additionally, there was a ransomware attack on Belarusian railways in January 2022 aimed at disrupting Russian troop movements by encrypting servers and databases [5].

Pro-Russian Hacktivist Attacks: Throughout 2022, pro-Russian hacker groups targeted several railway operators in Eastern Europe. These included attacks on Romanian national operator CFR Calatori, Lithuanian Railways, Latvian operator SJSC, and Estonian Railways. These attacks were part of a broader wave of cyber activity following geopolitical tensions in the region [5]. 

Human Factors in Railway Cybersecurity: Research has shown that human factors play a critical role in the cybersecurity of railways. Signallers, who are responsible for regulating train movements and ensuring safety, face significant cyber-risks due to the increasing automation and integration of digital systems. Human error in this high-stakes environment can lead to severe consequences, emphasizing the need for better training and cybersecurity awareness among railway staff [6].

Middle East Rail Cybersecurity: In the Middle East, social engineering attacks are a significant threat to critical infrastructure, including the railway sector. These attacks often involve phishing and other tactics to gain unauthorized access to systems. The region’s rapid digitization and the strategic importance of its transportation infrastructure make it a prime target for cybercriminals and hacktivists [7].

These studies underscore the importance of comprehensive cybersecurity strategies that include technological safeguards and human factors considerations to protect railway infrastructure from increasingly sophisticated social engineering attacks.

Scenario: E-Health

In the last five years, several studies have examined social engineering attacks in the e-health sector. Here are some significant findings and insights from these studies:

Rising Cyberattacks and Impact: The healthcare sector has seen a significant rise in cyberattacks, particularly phishing and ransomware, which often employ social engineering tactics. In 2022, there was a notable 74% increase in healthcare cyberattacks compared to previous years. These attacks often target collaboration tools like Slack and Microsoft Teams, exploiting the widespread use of these platforms for phishing attempts [8][9].

High-Profile Breaches: Healthcare data breaches have remained a critical issue, with significant breaches reported. For instance, the HHS’s breach portal indicates 701 data breaches in 2022, affecting over 51 million records. This highlights the ongoing vulnerability of healthcare data to social engineering and other cyberattacks [9][10].

Evolving Tactics and AI Integration: Cybercriminals are increasingly using advanced tools, including AI-driven technologies, to enhance their social engineering efforts. Tools like ChatGPT have been demonstrated to generate convincing phishing emails, making it easier for non-native English speakers to conduct sophisticated attacks. This evolution in tactics poses a significant threat to the healthcare sector [8].

Sector-specific Defences: In response to these threats, the healthcare sector has been developing and implementing various defences. These include multi-factor authentication (MFA), employee training programs to recognize phishing attempts, and enhanced monitoring and response strategies. Despite these efforts, the sector remains a prime target due to the high value of medical data [9].

Case Studies and Research: Specific case studies and research papers have detailed the nature and impact of social engineering attacks on healthcare institutions. For example, a comprehensive survey on healthcare systems outlines various incidents and the financial and operational impacts of these breaches. The studies emphasize the need for robust cybersecurity measures and continuous adaptation to emerging threats [11].

Overall, the e-health sector faces a persistent and evolving threat landscape, with social engineering attacks being a major component. Continuous vigilance, advanced cybersecurity measures, and sector-specific defenses are crucial to mitigating these risks.

Scenario: Energy

Overview of Significant Attacks

Colonial Pipeline Ransomware Attack: The Colonial Pipeline ransomware attack disrupted fuel supply across the East Coast of the United States, leading to fuel shortages and increased prices. The attack was carried out through a compromised VPN account without multi-factor authentication. The attack highlighted the vulnerability of critical infrastructure to social engineering tactics [12].

Lithuanian Energy Sector Attacks: Pro-Russian hacktivist groups, such as Killnet, executed DDoS attacks targeting Lithuania's energy sector. The impact was temporary disruptions in service and increased awareness of politically motivated cyber threats [13].

Russian Scanning Activities: The FBI reported scanning activities by Russian actors targeting U.S. energy companies, believed to be reconnaissance for potential future attacks. The result has been increased alertness and preventive measures in the U.S. energy sector [13].

Defensive Strategies

Advanced Threat Detection Systems: Implementing sophisticated threat detection systems capable of identifying unusual activities and potential breaches early. Energy companies are increasingly using AI and machine learning to detect anomalies in network traffic [3].

Employee Training and Awareness: Regular training programs to educate employees about the dangers of social engineering tactics such as phishing, spear-phishing, and pretexting. Ensuring employees recognize and report suspicious activities can significantly reduce the risk of successful attacks [14].

Multi-Factor Authentication (MFA): Ensuring that all critical systems and user accounts use MFA to add an additional layer of security beyond just passwords. This can prevent unauthorized access even if credentials are compromised [3], [14].

Incident Response Plans: Developing and regularly updating comprehensive incident response plans to ensure quick and effective response to any cyber-incident. These plans should include steps for containment, eradication, and recovery, as well as communication strategies to manage public perception and stakeholder relations [14].

The social engineering defense tools are interactive Cybersecurity & Data Privacy Awareness Trainings that focus on the typical issues present in these scenarios, with defenses designed together with domain experts. These include trainings based on Serious Games with success measurements, improvement statistics and high scores. All these measures can be flexibly adapted to newly emerging threats so that attackers are not allowed to fall through the cracks.

References

  1. Manske, K., 2009. An Introduction to Social Engineering. Information Security Journal: A Global Perspective, 9(5), pp.1–7.
  2. Beckers, K., Schosser, D., Pape, S., Schaab, P.: A structured comparison of social engineering intelligence gathering tools. In: Trust, Privacy and Security in Digital Business – 14th International Conference, TrustBus 2017, Lyon, France, August 30-31, 2017, Proceedings. pp. 232–246 (2017). https://doi.org/10.1007/978-3-319-64483-7_15
  3. Bassett, G., Hylender, C.D., Langlois, P., Pinto, A., Widup, S.: Data breach investigations report (2020), https://enterprise.verizon.com/resources/reports/2020-data-breach-investigations-report.pdf
  4. The 2023 Security Landscape: A Social Engineer's Take, blog post on the Social-Engineer website, https://www.social-engineer.com/the-2023-security-landscape-a-social-engineers-take/
  5. News report from the Cyber Security Intelligence page, https://www.cybersecurityintelligence.com/blog/the-cybersecurity-report-threat-to-railways-6865.html
  6. Human factors and cyber-security risks on the railway – the critical role played by signalling operations, Emerald Insight, https://www.emerald.com/insight/content/doi/10.1108/ICS-05-2023-0078/full/html
  7. Cybersecurity threatscape in the Middle East: 2022-2023, Positive Technologies, https://www.ptsecurity.com/ww-en/analytics/middle-east-cybersecurity-threatscape-2022-2023/
  8. Global Healthcare Cyberattacks Increased by 74% in 2022, The HIPAA Journal, https://www.hipaajournal.com/global-healthcare-cyberattacks-increased-by-74-in-2022/
  9. Varonis Cybersecurity Statistics 2023, https://www.varonis.com/blog/cybersecurity-statistics
  10. The Impact of Social Engineering on Health Care, HHS, https://www.hhs.gov/sites/default/files/the-impact-of-social-engineering-on-healthcare.pdf
  11. Nguyen, C., Williams, W., Didlake, B., Mitchell, D., McGinnis, J., Dasgupta, D. (2022). Social Engineering Attacks in Healthcare Systems: A Survey. In: Choo, KK.R., Morris, T., Peterson, G., Imsand, E. (eds) National Cyber Summit (NCS) Research Track 2021. NCS 2021. Lecture Notes in Networks and Systems, vol 310. Springer, Cham. https://doi.org/10.1007/978-3-030-84614-5_11
  12. Colonial Pipeline: Everything you need to know, Alfred Ng, Laura Hautala, Steven Musil, https://www.cnet.com/news/colonial-pipeline-hack-everything-you-need-to-know/
  13. The Energy Sector 2022 Cyber Threat Landscape, Sekoia.io Team, https://blog.sekoia.io/the-energy-sector-2022-cyber-threat-landscape/
  14. ISACA Cybersecurity Report 2023, ISACA, https://www.isaca.org/resources/research/2023/cybersecurity-report