The Psychological Underpinnings of Modern Hacking Techniques

The tactics employed by hackers today aren't new; they're simply adapted for the digital age, exploiting the same human weaknesses that have always existed.

Tara Lemieux, CMMC Consultant, Redspin

May 6, 2024

4 Min Read
Pencil sketches a silhouette of a head in red on a background of 1s and 0s
Source: Brain light via Alamy Stock Photo

COMMENTARY

The landscape of cybersecurity is not just a battleground of code and firewalls; it's also a realm where psychological tactics play a crucial role. A prime example of this is the September 2023 MGM Casino hackattributed largely to social engineering — a method that manipulates human psychology to gain access to confidential information or secure systems. Social engineering, while seemingly modern, has roots that stretch back decades and has been a tool for adversaries in various guises.

During the early 1990s, when I began my tenure at the National Security Agency (NSA), the emphasis on understanding and countering influence operations was intense. We were drilled in recognizing and mitigating the psychological tricks and social engineering tactics that could be used against us. Yet, despite this training, we observed seemingly innocuous local businesses, like a pizza shop offering discounts to NSA employees who showed their badges, which could be easily replicated and used for coercive purposes. This incident underscores the simplicity yet effectiveness of social engineering, relying on human vulnerabilities rather than technological vulnerabilities.

Fast forward to the present, and these rudimentary tactics have evolved into sophisticated strategies, as demonstrated by the MGM Casino hack. The attackers didn't solely rely on advanced technology; instead, they leveraged psychological manipulation, exploiting human trust and curiosity to breach defenses.

Attacks Get More Sophisticated

The MGM Casino incident offers a stark illustration of the sophisticated nature of modern social engineering attacks. In this case, a collective of cybersecurity experts named Scattered Spider, hailing from the US and the UK, adeptly manipulated MGM's help desk personnel. They convinced these employees to reset passwords and multifactor authentication (MFA) codes for select high-value targets within the organization. This breach granted them access to the personal social media accounts of the targeted employees, which they exploited to infiltrate MGM's managed IT service, Okta, subsequently installing an identity provider to generate single sign-on (SSO) credentials for themselves.

This strategy not only compromised Okta but also extended to MGM's Microsoft Azure cloud environment, endangering a multitude of digital assets. In response, MGM took swift action to disconnect the affected servers and phase out Okta and the compromised accounts. Despite these efforts, the attackers had already exfiltrated extensive data and secured ongoing access to MGM's cloud services.

Moreover, the tactics have expanded globally, with instances like the ongoing Chinese government's alleged scraping of LinkedIn profiles. This operation aimed to identify individuals in positions of trust, especially those with administrative privileges, to exploit and leverage their status for espionage or cyber intrusion. Such actions highlight a transition from direct human interaction to the exploitation of digital footprints where the psychological principles of trust and authority are manipulated at scale.

The February AT&T outage exemplifies the evolution and impact of these tactics. During the outage, companies were prompted to disable their MFA systems, like DUO Mobile and Authenticator, to maintain operational continuity. The push for disabling these features created a vulnerability as hackers, recognizing an opportunity, launched brute-force attacks targeting known administrative users. This incident illustrates how psychological manipulation (in this case, creating a sense of urgency and fear of operational disruption) can lead to the compromise of critical systems.

Factoring in the Human Element

Altogether, the incidents described above underscore a critical lesson: While technology advances, the human element remains a constant and exploitable vulnerability. It is often this human element that becomes our weakest link, ultimately paving the way for hackers to gain access to our critical information systems and data. Understanding and mitigating the risk associated with these manipulative strategies is of paramount importance and should be included in security awareness training for our employees and staff. Awareness is the first line of defense, and educating ourselves and our teams about common social engineering tactics, such as phishing, pretexting, baiting, and more can help individuals recognize when they are being targeted. 

We should also encourage a culture where we question any unexpected requests for information, even when those requests appear to be coming from within the organization itself. Implementing strict verification processes at all levels can significantly reduce the risk of falling victim to these types of attacks. Before sharing any insights or sensitive information, we need to verify the identity of the requestor through multiple channels and ensure that these individuals have a lawful business purpose in accessing this information or data.

For businesses, this means we need to establish and enforce strict access controls while simultaneously enforcing the principle of least privilege to limit the information a hacker may obtain through these tactics. We should further foster an environment whereby employees feel comfortable and unhindered reporting these types of security issues.

Lastly, it's helpful to engage with cybersecurity professionals who can evaluate your current security posture to help you develop a comprehensive cybersecurity approach that incorporates and addresses both the technical defenses and the human element. The psychological tactics employed by hackers today are not new; they are simply adapted for the digital age, exploiting the same human weaknesses that have always existed.

As we move forward, understanding and mitigating these psychological vulnerabilities is as crucial as bolstering our technological defenses. The MGM hack, the LinkedIn scraping incident, and the AT&T outage serve as stark reminders that, in cybersecurity, the human mind is both a battlefield and a gatekeeper.

About the Author

Tara Lemieux

CMMC Consultant, Redspin

Tara Lemieux, known as "The Queen of CMMC," brings 35 years of expertise from the Department of Defense, USIC, and National Security sectors. An internationally recognized cybersecurity virtuoso, she's at the forefront of deciphering and addressing the cyber threat landscape. Tara’s proficiency in cryptography, authentication, cloud security, and malware defense is unparalleled. With a niche in Hacking and Exploit Technologies, her grasp on Advanced Hacking Techniques is profound. She has notably contributed to the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) Process and actively shapes CMMC protocols as a working group member, and author of “So, You’re Planning an Assessment?” She teaches courses for CMMC Certified Professionals (CCPs) and Assessors (CCA), bolstering her status as a leading educator in the field. Her credentials are further backed by her roles as a Lead Auditor for ISO standards and as a CCA and CCP showcasing her holistic command over cybersecurity and compliance.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights