Cyber Terror Campaigns Against High Value Individuals & Public Figures

It was quite some time ago that my phone first rang to bring me in contact with this issue.

“Hi. Do you have some time? We are facing a serious problem that involves some social media attacks, but then again not only that. It is complicated. Mr. X referred you to us since this is a security issue but at the same time a psychological one. We can’t quite define it”.

These cases get me immediately intrigued. I dropped whatever I was doing thinking “I’ll just work a little longer tonight”, eager to hear more about their story. They proceeded by sharing some of the details.

(Information that would identify the clients has been omitted, but the basic premises of the case have remained the same.)

The issue was revolving around a public figure, -let’s call him Peter- with high social media exposure. Public appearances and social media engagement were an integral part of his work demands, which fit quite well with his expressive personality. He often had a lot to say about his work’s mission and values, which was benefiting his organization too. As it often happens, a portion of his followers had opposite beliefs to his. Some of his statements, in combination with the initiation of a specific project he had recently undertaken, hit hard on a hacktivist group’s nerve…and they decided to declare war against him. The group was rather rigid in their approach too, as they started with a few warnings, but escalated very quickly. Originally, they simply wanted Peter to step down and abolish the new project. Their reasons were ideological, but ideology is a tricky thing to change or even, attack. Therefore, Peter didn’t bend to the request. The group quickly decided that since he wouldn’t decide to step down and dedicate his time to something else, he would then have to get his hands full with “different problems”.

The attacks

This is exactly what followed. In the coming days after the warnings, Peter started receiving a diversity of threats and attacks. His new enemies started attempting account takeovers and disruptions on his social media profiles, which mostly failed. Then they created a small army of fake accounts (sock puppets) that would repeatedly send out to him abusive content. As their rage was growing, they also developed a couple of social engineering approaches to get past the social media manager, engage Peter in conversations online and establish trust with him, only to harass and threaten him in hurtful ways right after. At around the same time, Peter started receiving personal threats through spoofed phone calls, messages, or letters. The situation was already becoming overwhelming for him, but the group’s rage was not over. The attacks escalated more once that group found out his home address. This is when they started shipping him a plethora of strange packages: personalized flyers for his or his spouse’s funeral service, drug orders, call-girls, numerous pizza deliveries throughout the night, and more.

Peter remained on the project, notified the police, and increased his physical security measures. But at the same time he was becoming fatigued, scared, mentally and psychologically drained, and still had to somehow reassure himself and his worried family that they were physically safe. The project development suffered, too.

This had turned from a cyber harassment campaign into a cyber-terror campaign.

Peter — and others like Peter, have not been the only victims of such campaigns against them either. Similar cyber harassment & cyber terror campaigns have been used in the past in various other cases: to distract and sabotage the performance of popular athletes, to defame and force into resignation executives of large companies, to discourage female candidates from entering the world of politics, and the list goes on. They are particularly prevalent among women who have power or high exposure. Their families are often targeted, too. The news has covered plenty of similar stories and we are encountering them through our work, too.

The term “public figures” will be used for all the diverse groups of people who have been targeted with similar attacks: high value/exposure individuals (executives, business leaders, etc.), politicians, celebrities, influencers, and more.

Cyber-Terror Campaigns

In cases like the one described above, the current terminology relating to online abuse does not seem to be sufficient, as they do not take into account the severity of the intention and impact of these attacks. There is yet no official definition for a cyber terror campaign. But for the purpose of providing a common understanding on these attacks, let’s define them as “a form of online and sometimes offline abuse whose goal is to terrorize individuals, with the purpose of influencing their behavior towards a specific goal”. The attackers might be organized groups or (less often) individuals. They will strategize and execute cyber terror campaigns and may employ elements of cyberstalking, cyber harassment as well as threats on the physical and personal sphere(s) of their targets in order to increase their campaign’s influence and efficiency.

One infamous such case that was made public and was thoroughly covered by the media, involved two very bitter, former eBay executives. According to the charging documents, these two members of eBay’s leadership had taken serious issue with a couple that was criticizing the company through their newsletters. The targeted couple was the editor and publisher of a newsletter covering various e-commerce companies, including eBay. The executives, enraged by what they were reading in that newsletter, decided to employ a three-layered campaign targeting and terrorizing the couple. Their goal was to force that couple to stop including in their newsletter posts about eBay. But their terror campaign went too far. They started by sending private and public Twitter messages with abusive content and threats, but soon they escalated towards shipping the couple packages with disturbing content such as boxes with live cockroaches, a funeral wrath, and more. Eventually, they also travelled to the victims’ house to install a tracking GSP on their car and they purchased tools intending to damage their property. As Andrew E. Lelling, the United States attorney for Massachusetts said in a news conference “it was a systematic campaign, fueled by the resources of a Fortune 500 company, to emotionally and psychologically terrorize this middle-aged couple in Natick with the goal of deterring them from writing bad things online about eBay.”

The four executives have by now pleaded guilty and have been convicted for the crimes involved in this campaign.

What is interesting is that this case was classified under the “Cyber Crime” section in the United States Attorney’s Office — District of Massachusetts (where the case was tried). Yet it was a rather multi-dimensional campaign with one focus: to terrorize its victims to the point of driving their actions towards a specific goal.

(Source: https://www.justice.gov/usao-ma/pr/two-former-ebay-executives-indicted-connection-cyberstalking-campaign)

It is worth adding here that social engineering has been defined by Christopher Hadnagy as “any act that influences a person to take an action that may or may not be in their best interests”. There is a good component of social engineering and weaponized psychology playing into these terror campaigns.

Cyber terror campaigns may as well remain on the cyber-realm alone. “Trolls-for-hire”, or “Trolling-as-a-service” are now being employed by state-sponsored groups/organizations and disinformation firms with similar goals- to influence their targets’ behavior. Organized cyber trolling or cyber harassment campaigns are also being executed by smaller, independent groups, or persisting individuals. Their goal remains the same: to either defame/discredit an individual or organization, cause psychological harm, or influence their behavior.

Victim Psychology; Death by a Thousand Cuts?

There needs to be a dedicated section describing the impact of these attacks because one thing needs to become clear: when clients facing this problem turn for help to us, it is ineffective to approach the issue in a purely practical or technical manner. Here is why.

There has been a point in everybody’s life where they fell victim of a fear or unfortunate situation that was extending beyond their own control. It is part of life, and as much as we like to think that we have the power to influence most aspects of our lives, this is not always possible. Still, we tend to seek control, because it soothes our fears and makes us feel powerful and safe.

Cyber terror campaigns are made to take this sense of control away. How? Let’s break it down:

Invading their (personal) space.

First, these campaigns are often extremely intrusive and hard to ignore. Even if one ignores the fact that their social media accounts are now flooded with abusive messages, they still often receive spoofed phone calls or messages on their personal or professional phones, with that same content. Their attackers will eventually find a way to get past any potential gatekeepers. Sometimes, the victims manage to handle these attacks fairly well. But demonstrating good coping mechanisms might also trigger an escalation of the attack methodology. Sooner or later the targets might be called to handle more harassment approaches through personal and disturbing package deliveries, or evening home visits (like the pizza deliveries or call girls mentioned above). Since our phones and homes are both areas of our physical realm and are very personal to us, the targets of these campaigns tend to feel that their personal space is either under threat or that it is being violated by unwanted intruders. Even worse, they do not feel like they can do anything to make it stop.

Fear of the unknown.

At some point, threat actors will try to convince their victims that they have mysterious superpowers over them. The arts of marketing & persuasion is alive and well in cyber harassment campaigns, and even more so in cyber terror campaigns. Therefore, they try to find ways to hint to their victims that they know more about them than the victims would want them to, that they have access to personal and private information, and that if one fine morning they decide to act upon them, they will be able to cause significant harm to them. In other words, they try to advertise their powers over their targets. Phrases like “Don’t forget that we know where you live”, “Did you enjoy taking your son Ted to *school name* this morning?”, etc. have this exact purpose; to inspire fear and the sense of being watched by a threat they are powerless against. Victims are often not very familiar with Open Source Intelligence (OSINT) techniques and the critical information they might unknowingly be leaking through their content sharing or media appearances. A public figure’s social exposure will inevitably lead to security and personal information leaks, especially when that person is not aware of essential security guidelines in terms of information sharing, that can be put in place to protect them. Therefore, when their attackers find a dramatic way to state their findings and the victims do not have a real understanding on how this information was found, the targets immediately enter a state of fear and unconsciously assign their attackers powers and capabilities that they might not have. When the fear of the unknown takes over, the perception of the threat aggravates heavily. Adding to that comes the almost automatic inner question “How far will they take it next time?”.

Abusive Content

The abusive content the victims receive does its own damage too. Being confronted with hate does not leave anyone unaffected. People cope with abusive messages in different ways, but the common denominator remains: they need to internally somehow process this abuse because they will get -in different extents- affected by them.

Mental state

True to the term “death by a thousand cuts”, if the victims do not find a way to mentally cope with these attacks, they soon take over them. There are multiple thoughts and feelings that interplay in victims’ heads:

Fear & anxiety tend to be the first feelings and the most dominant ones. Not knowing whether they are in danger and what harm their attackers are capable of, soon takes its toll on them. In many cases, their fear drives them towards a state of fatalistic thinking in which the individuals adopt the viewpoint that they have no power over influencing the risks that have entered their lives and therefore taking action against them is pointless. You can imagine that if at that point external consultants or police officers try to offer sound but unempathetic, or purely technical advice, the person that has entered that stage of fatalistic thinking will just dismiss them.

And here comes the continuation of my story again: When we were invited as external consultants to the case described above, we were asked to dedicate some time to first work through the victim’s mental barriers and state of mind to eventually get him to reach a state of mind where he can accept practical advice. Not the other way around. And we cannot not skip the first step if we want to be helpful.

Guilt is another strong feeling that emerges. Targets of this abuse will feel guilty for thinking that they caused this harassment by something they said or did (even if this is not the case). They will feel guilty as a result of the abusive content they read. But they will also feel guilt towards their family members or friends that might either be targeted for similar levels of abuse too or simply suffer the effects of the target’s harassment simply due to their proximity to them.

The list is long but all the roads lead to similar results: Targeted individuals may develop depression and ultimately abandon both their jobs and their public life. Others, unconsciously accumulate an overload of mental burdens that cause them to underperform, forget significant tasks or deadlines, and ultimately, negatively impact their personal or professional lives. The feeling of powerless and fatalistic thinking often does take the seat behind the wheel. What originally was a feeling of lost control, transcends into reality in different ways.

Jesy Nelson from Little Mix on the online abuse she received: “I felt a rush of anxiety because I’d never experienced anything like that in my life. I felt like I was heartbroken. I remember ringing my mum and saying: ‘Mum, I want to go home, I don’t want to do it.’’ She started battling with her mental health and missing or canceling professional appearances in an effort to stop triggering online abuse. She eventually quit the band and left the public eye as a result of the online abuse.

You may encounter a similar case whether you work in the field of physical- or cyber-security, the police, close protection, or other relating fields. It is important to recognize whether the victim in your case has just started to cope with the psychological burdens of these terror campaigns, or whether they have entered an escalated state of psychological distress, and adjust your approach accordingly.

You will have to make sure that you approach them from a place of empathy and understanding. Accusations or beliefs similar to “you willingly took this risk when you chose this profession” or “it comes with the territory” are simply not helping anyone. In my opinion, phrases like these should not even cross our minds. Harassment is not alright, and it should never come with any territory. As professionals that care about our clients, it is our moral duty to stand by them, listen to them, and try to help them to the best of our abilities.

Our Approach

1. Mental & Emotional Support

The first request that we almost always get is to dedicate some time to listen to the recipients of this abuse, discuss with them and offer them a safe space to process the situation that they are or have been in. Experience has shown that this often happens to be the wisest first step too. By now, and through the support of Cyber Risk GmbH we were able to develop separate workshops on emotional support and mindset development for the clients that have suffered from cyber terror or cyber harassment campaigns. It is the step that provides the client with a necessary level of situational understanding, and that sets the foundations for moving forward into more practical actions later on. Having a background in psychology and having received training on how to set up and handle individual or group therapy sessions has given me the opportunity to interthread this knowledge into workshops that also involve the practical (and more technical) elements of defending against cyber harassment or terror campaigns. The goal is to ensure that these individuals are going to receive the support necessary to remain safe and continue to operate and reach their performance goals in a focused and psychologically resilient way.

In these workshops, we may go through different topics such as:

- Discussion of past & current events relating to cyber harassment & the individual’s experience

- The impact of these events on current decisions & actions

- Explaining the methodology of terror campaigns

- Breaking down and demystifying the modus operandi of the attackers

- Discussions & advice on improving their responses to these events and developing coping mechanisms

- Setting expectations & starting to consider practical steps for future incidents

This process helps individuals move past fatalistic thinking and towards re-gaining their resilience and power. Psychologically, it is almost like dropping unnecessary weight off your shoulders so that you can start walking better again and being receptive to advise. At the same time, understanding how these campaigns work and their modus operandi, helps participants demystify these attacks and understand them. Knowledge is power and it works in a therapeutic way. It takes away the fear of the unknown, tones down the perceived superpowers of the attackers, and places the events into a more realistic perspective. The participants start developing a sense of control over the personal and professional effects of the cyber-harassment they receive.

2. Social Media Security & Operational Security (OPSEC) Training & Hardening

Public figures that feel ready to take action move into this phase or combine it with the one below.

In this workshop, participants learn to implement better operational cyber security controls to avoid the escalation of the current attacks or limit future incidents. This does not only include the security hardening of their accounts but also the types of information they choose to share online. Attackers often prey on information through the social media content (pictures, stories, captions, tags, etc.) of their targets, and they use it to geolocate them, find vulnerabilities, identify routines, etc. in order to later weaponize them.

During this workshop, participants learn to:

- Implement behavioral & technical cyber security controls

- Prevent sensitive or critical information leaks through their public appearances and content creation

- Understand their personal vulnerability profile and control/limit the exposure of their weaknesses

- Understand how open source intelligence works and how they can maintain their privacy despite the demands of their public life

- …and more, depending on the case.

This is an approach that on a practical level, helps them “clean up” the content of any of the media they have control over, be proactive in their future public engagements, and improve their online safety status. On a psychological level, it helps them regain their sense of control and power by applying practical measures.

3. Personal Vulnerability Assessment Through Open Source Intelligence (OSINT)

We conduct our own Open Source Intelligence (OSINT) Analysis on the targets. This assessment includes the identification and analysis of the target’s personal points of vulnerability. We examine potential attack vectors based on how an adversary would exploit the available information. We try to answer questions such as: Are there visible physical locations that the subjects are frequenting or specific routines? Is there visible personal information that can be exploited? How easily can an adversary approach the targets, online or offline? How vulnerable are the targets? And more, depending on the requirements of each case scenario.

We present the findings to our clients or we may combine them with the training discussed above. We always offer practical advice and action steps in our reports. The goal is to limit or eliminate information that could pose a considerable risk to the individual and to inform them on what to expect in potential future threat scenarios.

Epilogue

Most cyber terror- or harassment- campaigns are often being viewed and handled from single-dimensionally perspectives alone (usually only in terms of physical or online security). However, during our engagement with these cases, it became apparent that there is a strong interdisciplinary relationship with social and cognitive psychology, for all the reasons that were described above. The social element needs to be part of the solution and empathy also needs to be part of the security professional’s approach. Thankfully, there has been research on the topics of preventing targeted attacks and on identifying warning behaviors and red flags between threat actors that only want to cause fear VS the ones that want to cause physical harm. These are very significant topics when it comes to dealing with cyber terror campaigns and conducting vulnerability assessments.

We need to combine effective intelligence analysis and security recommendations with a good understanding and application of behavioral science. The targets of these campaigns need to both be and feel safer, and this can only happen if they are able to move past anxiety and fear, and towards the implementation of proactive and reactive security measures. Our goal is to help them go back to their jobs and their everyday activities without shadows of fear hanging over them and to help them get back to top performance with a clear head.