T1593.001 Social Media
Adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff.
Adversaries may search in different social media sites depending on what information they seek to gather. Threat actors may passively harvest data from these sites, as well as use information gathered to create fake profiles/groups to elicit victim’s into revealing specific information (i.e. Spearphishing Service).1 Information from these sources may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Technical Databases), establishing operational resources (ex: Establish Accounts or Compromise Accounts), and/or initial access (ex: Spearphishing via Service).
Item | Value |
---|---|
ID | T1593.001 |
Sub-techniques | T1593.001, T1593.002, T1593.003 |
Tactics | TA0043 |
Platforms | PRE |
Version | 1.0 |
Created | 02 October 2020 |
Last Modified | 15 April 2021 |
Procedure Examples
ID | Name | Description |
---|---|---|
G1011 | EXOTIC LILY | EXOTIC LILY has copied data from social media sites to impersonate targeted individuals.3 |
G0094 | Kimsuky | Kimsuky has used Twitter to monitor potential victims and to prepare targeted phishing e-mails.2 |
C0022 | Operation Dream Job | For Operation Dream Job, Lazarus Group used LinkedIn to identify and target employees within a chosen organization.4 |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1056 | Pre-compromise | This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties. |
References
-
Cyware Hacker News. (2019, October 2). How Hackers Exploit Social Media To Break Into Your Company. Retrieved October 20, 2020. ↩
-
Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021. ↩
-
Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022. ↩
-
Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021. ↩