How a teen used social engineering to take on the FBI and CIA

Of all the adversaries facing the US in cyberspace, there is one that the FBI and CIA often seem to struggle to contain.

It’s not a nation state hacking group such as Fancy Bear, APT 1 or Lazarus Group, but a group whose resourcefulness, determination, and ability to think creatively can prove to be every bit as big a handful – teenagers.

Teen hacking is as old as the hills, of course, and yet real-world examples keep coming, particularly court cases involving young males from the UK and US.

The latest relates to the appropriately-named Kane Gamble, who last October pleaded guilty to leading the ‘Crackas With Attitude’ (CWA) group that launched a series of innovative attacks on senior US government figures between June 2015 and his arrest in February 2016.

At last week’s sentencing hearing at the Old Bailey in London, the court heard how Gamble (then 15) first targeted then-CIA director John Brennan, accessing his email and iCloud accounts, and hoaxing his home phone number.

Next on the list were then-FBI deputy director Mark Giuliano, special FBI agent Amy Hess, secretary of homeland security Jeh Johnson, deputy national security adviser Avril Haines, and senior science and technology adviser, John Holdren – to name only a few.

Motivated by politics, Gamble was said to have leaked documents from Brennan’s email account, as well as 3,500 names, email addresses and contact numbers for US police and military personnel in a file stolen from Giuliano.

He listened to numerous voicemails, sent text messages from Jeh Johnson’s phone, and even remotely accessed his internet-connected TV to post the message “I own you.”

What stands out is not only the campaign’s success but a disarmingly simple MO that holds a big warning for organisations everywhere.

Far from using advanced hacking, Gamble simply phoned up help desks for broadband services and utilities using public numbers, convincing staff they were speaking to the target as a way of gaining access or resetting accounts.

The security that should have stopped the group – answering personal security questions – didn’t.

As prosecuting QC John Lloyd-Jones put it:

The group incorrectly have been referred to as hackers. The group in fact used something known as social engineering, which involves socially manipulating people – call centres or help desks – into performing acts or divulging confidential information.

If a few teens can talk their way into the accounts of high-profile targets such as the head of the CIA, what chance would the average organisation or citizen stand? It’s a chink in the armour of authentication every organisation should assess.

Two Sophos experts recently spoke about the threat of social engineering in a Facebook Live chat. It’s worth a watch to learn more about the problem, and find out how to fight back against social engineers.