4.1 KiB
Technique T0097.100: Individual Persona
-
Summary: This sub-technique can be used to indicate that an entity is presenting itself as an individual. If the person is presenting themselves as having one of the personas listed below then these sub-techniques should be used instead, as they indicate both the type of persona they presented and that the entity presented itself as an individual:
T0097.101: Local Persona
T0097.102: Journalist Persona
T0097.103: Activist Persona
T0097.104: Hacktivist Persona
T0097.105: Military Personnel Persona
T0097.106: Recruiter Persona
T0097.107: Researcher Persona
T0097.108: Expert Persona
T0097.109: Romantic Suitor Persona
T0097.110: Party Official Persona
T0097.111: Government Official Persona
T0097.112: Government Employee Persona -
Belongs to tactic stage: TA16
Incident | Descriptions given for this incident |
---|---|
I00068 Attempted Audio Deepfake Call Targets LastPass Employee | “While reports of [...] deepfake calls targeting private companies are luckily still rare, LastPass itself experienced a deepfake attempt earlier today that we are sharing with the larger community to help raise awareness that this tactic is spreading and all companies should be on the alert. In our case, an employee received a series of calls, texts, and at least one voicemail featuring an audio deepfake from a threat actor impersonating our CEO via WhatsApp. As the attempted communication was outside of normal business communication channels and due to the employee’s suspicion regarding the presence of many of the hallmarks of a social engineering attempt (such as forced urgency), our employee rightly ignored the messages and reported the incident to our internal security team so that we could take steps to both mitigate the threat and raise awareness of the tactic both internally and externally.” In this example attackers impersonated the CEO of LastPass (T0097.100: Individual Persona, T0143.003: Impersonated Persona), targeting one of its employees over WhatsApp (T0043.001: Use Encrypted Chat Apps) using deepfaked audio (T0088.001: Develop AI-Generated Audio (Deepfakes)). |
I00069 Uncharmed: Untangling Iran's APT42 Operations | “[Iranian state-sponsored cyber espionage actor] APT42 cloud operations attack lifecycle can be described in details as follows: - “Social engineering schemes involving decoys and trust building, which includes masquerading as legitimate NGOs and conducting ongoing correspondence with the target, sometimes lasting several weeks. - The threat actor masqueraded as well-known international organizations in the legal and NGO fields and sent emails from domains typosquatting the original NGO domains, for example aspenlnstitute[.]org. - The Aspen Institute became aware of this spoofed domain and collaborated with industry partners, including blocking it in SafeBrowsing, thus protecting users of Google Chrome and additional browsers. - To increase their credibility, APT42 impersonated high-ranking personnel working at the aforementioned organizations when creating the email personas. - APT42 enhanced their campaign credibility by using decoy material inviting targets to legitimate and relevant events and conferences. In one instance, the decoy material was hosted on an attacker-controlled SharePoint folder, accessible only after the victim entered their credentials. Mandiant did not identify malicious elements in the files, suggesting they were used solely to gain the victim’s trust.” In this example APT42, an Iranian state-sponsored cyber espionage actor, created a domain impersonating the existing NGO The Aspen Institute (T0143.003: Impersonated Persona, T0097.207: NGO Persona). They increased the perceived legitimacy of the impersonation by also impersonating high-ranking employees of the NGO (T0097.100: Individual Persona, T0143.003: Impersonated Persona). |
Counters | Response types |
---|
DO NOT EDIT ABOVE THIS LINE - PLEASE ADD NOTES BELOW