Social engineering attacks surged this past year, Palo Alto Networks report finds

Unit 42 said social engineering — the method of choice for groups as diverse as Scattered Spider and North Korean tech workers — was the top initial attack vector over the past year.
Palo Alto Networks headquarters in Silicon Valley; Palo Alto Networks, Inc. is an American multinational cyber security company. (Getty Images)

Social engineering — an expanding variety of methods that attackers use to trick employees into giving them access to their organizations’ core data and systems — is now the top intrusion point globally, attracting an array of financially motivated and nation-state backed threat groups.

More than one-third (36%) of the incident response cases Palo Alto Networks’ Unit 42 worked on during the past year began with a social engineering tactic, the company said this week in its global incident response report.

Threat groups of assorted motivations and origins are fueling the rise of social engineering. Cybercrime collectives such as Scattered Spider and nation-state operatives, including North Korean technical specialists who have infiltrated the employee ranks at top global companies, have adopted social engineering as the primary hook into IT infrastructure and sensitive data.

Scattered Spider, a threat group Unit 42 tracks as Muddled Libra, has infiltrated more than 100 businesses since 2022 — including more than a dozen this year — to extort victims for ransom payments. “We’re constantly engaged with them. It’s just been one after another is what it feels like to us,” Michael Sikorski, chief technology officer and VP of engineering at Unit 42, told CyberScoop.

Attacks and intrusions linked to Scattered Spider and the vast North Korean tech worker scheme made up a high percentage of the incident response cases Unit 42 worked on last year, with each accounting for roughly an equal number of attacks, Sikorski said.

North Korean nationals have gained employment at hundreds of Fortune 500 companies, sending their salaries back to Pyongyang.

While the North Korean insider threat is linked to a nation state, it is a financially motivated social engineering attack, he said. This split between attribution and objective underscores how the boundaries between geopolitical and financial motivations are blurring.

Other nation-state threat groups are using social engineering, too, but a financial payout was the primary driver in 93% of social engineering attacks in the past year, Unit 42 said in the report.

Social engineering attacks are also the most likely to put data at risk. These attacks exposed data in 60% of Unit 42 incident response cases, 16 percentage points higher than other initial access vectors, the report found.

Attackers are focused on accessing the data they want, and oftentimes this makes help desk staff, administrators and employees with system-wide access a key target. “Those people often have the privileges to everything that the attacker wants — the cloud environment, the data, the ability to reset someone’s multifactor so they can reset it and register a new phone,” Sikorski said.

Scattered Spider has consistently engaged in “high-touch social engineering attacks against those specific individuals,” he said.

Unit 42’s annual study includes data from more than 700 attacks that the incident response firm responded to in the one-year period ending in May, spanning small organizations and Fortune 500 companies. Nearly three-quarters of the attacks targeted organizations in North America.