Social engineering is one of the most difficult attack vectors to detect. It’s also one of the oldest techniques in the espionage handbook. Most of the time in this day and age it’s implemented as spear-phishing or in other ways via email. That’s when you aren’t dealing with highly motivated nation-state actors, for whom money and time become less of a problem.
Let’s think like a threat actor for a moment. Who’s going to look the most threatening to an employee? The other, of course. Someone outside the company. That’s why spear-phishing can be so successful - you purport to be someone trusted. Someone that’s a part of the company. However, that leaves tech in the way. That makes it easier to detect, right?
So then… let’s pivot. How can we become someone trustworthy? Well… What if we only needed to fool one employee - someone that wouldn’t expect it - and use that to get a foothold? How about… HR. HR gets a candidate. On paper, they’re perfect. They came from top schools, they know your stack, the teams that interview them are gung-ho, their references are all gushing about how amazing this individual is. And that’s exactly how we get someone on the inside.
Sound too outlandish? It has happened many times - even in recent years. Alexey Karetnikov joined Microsoft as a QA engineer in 2010. It was purported that he was there to capture intelligence for the Russian intelligence agencies. He was on the sloppier side and was tracked by the US intelligence agencies as soon as he set foot in the US. He was deported over charges of immigration violations.
The current FBI Director, Christopher Wray, spoke about this as well. In 2020, the Boston FBI field office arrested a researcher who was smuggling vials of biological research back to the Chinese government.
When someone’s as motivated as these folks are and has the backing of a nation state, nearly anything is possible. These are just the cases we hear about, too. Jack Barsky is a more famous example of someone who had been a spy for the KGB in New York City for 10 years.
In espionage, reality is often more outlandish than even fiction.