Cyber Warfare / NATO cyber team uses catfishing to prove a very important point
NATO cyber team uses catfishing to prove a very important point
26 February 2019
TEISS's latest intern Andreas Ejersbo discovers how Nato have used a social media technique called catfishing to educate military personnel.
Nato has run a secret operation, luring their own troops into revealing sensitive information about their operations including battalion locations, troop movements, and personal sensitive information.
The operation used a social media technique known as “catfishing”, where fake social media accounts are asset up with the intent of fooling military personnel. The scheme to con over 150 soldiers was initiated by a secret “red team” based at Nato's Stratcom Centre of Excellence in Latvia.
In the report written by Stratcom, it was not revealed which of the 29 Nato countries had been subject to the scheme, although the report has been presented at an event on social media manipulation at the United States Senate.
The point of the exercise was, according to Nora Biteniece, a software engineer who helped design the project, to answer three questions. “What can we find out about a military exercise just from open source data? What can we find out about the participants from open source data? And, can we use all this data to influence the participants’ behaviours against their given orders?”
The report elaborated how operatives had used catfishing by setting up fake profiles, impersonating military personnel both real and fake, and created closed groups on Facebook to gain as much intelligence on the soldiers as possible. They used Facebook advertising to promote their groups, and when the agents had joined in, they used their fake profiles to ask the soldiers confidential questions about their operations as well as their personal life.
Lord West, the retired Royal Navy senior officer who was a security advisor to former prime minister Gordon Brown, said he hoped servicemen and women would realise the consequences of loose talk online. “Clearly one always has to be aware online who exactly you’re speaking to. People should be very clear in the military that there are certain things you don’t talk about online even to friends, let alone people you don’t know.”
This was clearly not the case here though. Using catfishing, the operatives were able to identify 150 soldiers, gain information on various battalion locations and troop movements, and even gain access to personal information on many of the soldiers which could have been used to blackmail them, had it not been a test operation.
The operatives also tried to gain personal Intel from the soldiers by creating fake Instagram and Twitter profiles. The report detailed how Instagram had been very useful in gathering especially personal data, whereas Twitter had not been giving any results.
The entire mission only cost $60 to carry out. It was carried out over 1 month. One result was to show how slow Facebook can be at shutting down fake pages. Of the three pages the group had created, one was shut down in a matter of hours and two others were closed after two weeks. However, two of the five fake profiles created were never shut down, and neither were any of the closed groups.
"We did this to test social media companies’ statements that they're doing a lot to investigate and protect against malicious activity," co-author of the Stratcom report Sebastian Bay says: "Obviously if it takes two people three weeks to find vulnerabilities within this context, they're not doing enough."
The report concluded that the usage of social media for the purpose of gathering mission sensitive information would be a “significant challenge for years to come”.
One motivation for running the study was the Cambridge Analytica scandal. In addition Mark Zuckerberg’s presentation to the United States’ Congress, where he showed how easy it was to harvest individuals’ data, fuelled the idea. In fact, the decision to perform this secret study was taken to confirm exactly that, say Nato officials.
And just as feared, other not so friendly organisations have started to use social media in military operations. A month ago, it was discovered that Pakistani intelligence agents had used the exact same catfishing method to gain military intel from Indian soldiers. They too had created fake social media personas, in the form of female Indian nurses, to persuade Indian soldiers and make them reveal classified information.
In the Second World War, the allied used the slogan “Loose lips sink ships” to warn people against accidentally leaking military secrets. More recently the US military has adapted this to “Loose tweets sink fleets”. This is a lesson that at least some Nato soldiers still seem to need to learn.
Image under licence from iStockPhoto.com, credit 9632290_400