Employees are unknowingly inviting tech support impersonators into firms, says FBI
Source: CSO Online
Analysis
Online or telephone IT support scams have been tricking employees into downloading or clicking on malware for years. But according to the FBI, one group that targets US-based law firms has recently found success in person, by convincing firms to allow a supposed IT support person into the building, where they insert a storage device into a victim’s computer and install malware or steal data.

This revelation comes from an FBI Flash report this week describing the activities of a gang it calls The Silent Ransom Group (SRG). Other researchers call it Luna Moth, Chatty Spider and UNC3753.

Cybersecurity experts, though, aren’t surprised that employees can be fooled into allowing a stranger to touch their computers.

“The adversary visiting a location in person with a USB key hacking device of some sort has been used for decades, particularly in the banking industry,” said Roger Grimes, CISO advisor at KnowBe4. “Usually, it isn’t just a direct download of data, but using the USB storage drive to either monitor password typing, to install remote access software that the hacker can use to come back into the environment remotely, or to install some other sort of hacker malware. It’s so common in the banking industry that they have often added and allowed that scenario — a physical attacker — in their regular penetration testing audits, more so than any other industry.”

Lance Spitzner, director of workforce cybersecurity training at the SANS Institute, said the tactic of getting into a company to use infected USB drives isn’t new, but in his opinion is relatively rare. It’s more common for a threat actor to mail a drive to an employee.

“Having someone physically expose themselves by going into an organization is a risk most cyber attackers are not willing to take,” he said.
“The details in the FBI report are pretty limited; I’m guessing if this did happen, an attacker paid someone off to do it for them, perhaps an insider or contractor the company trusted.”

The FBI says SRG actors have been running data theft and extortion operations since at least 2022. Despite its name, the gang doesn’t use ransomware encryption, but typically seeks rapid access to victim systems to steal data. Then they use extortion, through threats of public disclosure or sale of stolen data, to try to get payments.

Historically, the gang gained access to the victim’s network by sending phishing emails purportedly charging small ‘subscription fees’; to cancel the fake subscription, the victim was instructed to call the threat actor, who then emailed the victim a link that would download remote access software.

New tactic

But since the spring of this year, SRG actors have added a new tactic: posing as an employee from the victim’s IT department. They either directly call or send phishing emails to urge employees to contact an SRG actor pretending to be their firm’s IT support. While on the phone, the SRG actor asks the employee to grant access to a remote desktop session. If that fails, SRG sends a threat actor to the victim’s location to physically access their computer and insert a storage device. The excuse: the so-called IT support person needs to image the device, or to create a backup file to address potential impacts from the phishing email.

Once the threat actor obtains access to the victim’s device, they minimally escalate privileges and quickly pivot to data exfiltration without encryption. Their tools include WinSCP (Windows Secure Copy) or a hidden or renamed version of “Rclone” to exfiltrate data. They may also exfiltrate data to internal file sharing platforms such as Google Drive or Microsoft OneDrive. And once it has the firm’s data, the gang will call employees or clients of a victim company to pressure the victim to begin negotiations.
The FBI warns infosec pros that indicators of an SRG attack may include new, unauthorized downloads of system management or remote access tools, including Zoho Assist, Quick Assist, AnyDesk, RustDesk, Syncro, Splashtop, or Atera; unauthorized installation of external hard drives or USB drives on company computers; exfiltration of data to Microsoft OneDrive, Google Drive, or external servers; WinSCP or Rclone connections made to an external IP address; and alerts that data was exfiltrated from the company environment.

The primary things employees need to be trained to watch for are visits from unidentified or unauthorized individuals claiming to be IT support and attempting to access computers, and unsolicited phone calls from individuals falsely claiming to work in their IT department.

The FBI didn’t respond by press time to a request for information on the number of times the gang had tricked an employee into allowing a personal visit. But the tactic by SRG is new enough that the bureau is asking for a copy of the extortion note, the phone number or email account used by the group, transcripts of communications with the threat actor, and any surveillance videos or photos of individuals posing as IT support.

The challenge of security awareness training

Since the beginning of the desktop computer age, CSOs, CIOs and IT department leaders have struggled to find effective security awareness training to fight phishing, IT tech scams, and other social engineering attacks. Law enforcement agencies have had some success in taking gangs offline, but they pop up again. The threat actors may also be assisted by the fact that employees often don’t know who their IT support staff are, especially if the firm uses a third-party external support company.
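The FBI’s indicator list above lends itself to a simple per-host triage check. The following Python is an added example, not code from the article or from the FBI Flash; it assumes endpoint telemetry normalised into dicts with Sysmon-style fields (image path, PE original file name, destination IP, device class), and treats the documentation range 203.0.113.0/24 as an external address standing in for an attacker-controlled server.

```python
import ipaddress
import ntpath
import re

# Remote access / management tools the FBI Flash lists as SRG indicators (from the article).
RMM_PATTERN = re.compile(r"zoho ?assist|quick ?assist|anydesk|rustdesk|syncro|splashtop|atera", re.I)
# Exfil tools from the article; rclone is often renamed, so exfil_tool() also checks the PE original file name (Sysmon-style field; the event shape is an assumption).
EXFIL_TOOLS = {"winscp.exe", "rclone.exe"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]  # internal ranges; any other destination counts as external

def is_external(ip: str) -> bool:
    try:
        return not any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)
    except ValueError:
        return False

def exfil_tool(ev: dict) -> str:
    """Name the exfil tool behind an event ("" if none), seeing through renamed binaries."""
    image = ntpath.basename(ev.get("image", "")).lower()
    orig = ev.get("original_file_name", "").lower()
    if orig in EXFIL_TOOLS:
        return orig if orig == image else f"{orig} renamed as {image}"
    return image if image in EXFIL_TOOLS else ""

def assess(ev: dict) -> list[str]:
    """Return the article's SRG indicators that one telemetry event matches."""
    hits, kind, tool = [], ev.get("type"), exfil_tool(ev)
    if kind == "process_create" and RMM_PATTERN.search(ntpath.basename(ev.get("image", ""))):
        hits.append("remote access tool launched")
    if kind == "process_create" and tool:
        hits.append(f"exfil tool launched: {tool}")
    if kind == "device_arrival" and ev.get("class", "").lower() == "usb mass storage":
        hits.append("removable storage attached")
    if kind == "network_connect" and tool and is_external(ev.get("dest_ip", "")):
        hits.append(f"exfil tool connected to external IP: {tool} -> {ev['dest_ip']}")
    return hits

def triage(events: list[dict]) -> dict[str, list[str]]:
    # Group indicators per host so several weak signals on one machine stand out together.
    findings: dict[str, list[str]] = {}
    for ev in events:
        findings.setdefault(ev.get("host", "?"), []).extend(assess(ev))
    return findings

SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    {"host": "LAW-WS12", "type": "process_create", "image": r"C:\Users\a\Downloads\AnyDesk.exe"},
    {"host": "LAW-WS12", "type": "device_arrival", "class": "USB Mass Storage"},
    {"host": "LAW-WS12", "type": "network_connect", "image": r"C:\ProgramData\svc\update.exe",
     "original_file_name": "rclone.exe", "dest_ip": "203.0.113.7"},  # 203.0.113.0/24 is a documentation range
    {"host": "LAW-WS03", "type": "network_connect", "image": r"C:\Program Files\WinSCP\WinSCP.exe",
     "original_file_name": "WinSCP.exe", "dest_ip": "10.1.2.3"},  # internal transfer, not flagged
]
```

Running `triage(SAMPLE_EVENTS)` flags LAW-WS12 three times (remote access tool, removable storage, renamed rclone talking to an external address) and leaves the internal WinSCP transfer on LAW-WS03 unflagged; in practice these signals would be joined with the user, device and cloud-storage telemetry the article mentions rather than alerted on individually.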
Christopher Kayser, head of the Canadian firm Cybercrime Analytics and author of the book Cybercrime Through Social Engineering, said in an interview that often an employee’s first assumption is that an email, text, or voicemail about a serious issue from someone claiming to be from IT is legitimate. After that, threat actors play on an employee’s willingness to act on a supposedly urgent matter, their obedience to management, or their wish to be helpful. “We have a tendency to trust,” he said.

It doesn’t help that threat actors are willing to share successful tactics with other groups, he added. Nor, he said, does it help that in some organizations, security awareness training doesn’t extend to the top (CEOs) or the bottom (receptionists).

Trust no one

To combat IT support scams, employees need to be trained that any email, text, or voicemail purporting to come from IT that asks for action needs to be verified with an IT manager through an approved process, not by replying to the message or calling a phone number given in the suspect communication, Kayser said. Employees also need to be trained to slow down, and not to respond or act quickly on emails, texts, or voicemails that ask for passwords, multifactor authentication codes, or personal information.

Spitzner added, “Security awareness training is one approach to patching vulnerabilities in humans. You need to teach them about the risks of infected or untrusted USB drives and what drives are authorized. In this case, the problem may have been an untrusted individual gaining access to the victim’s facilities.”

Nick Tausek, lead security automation architect at Swimlane, said the Silent Ransom Group’s attack strategy of leaning into trust says a lot about where extortion is heading. “That makes this especially dangerous for law firms,” he said.
“Those environments hold sensitive client records, privileged communications, financial details, and case information. If that data is stolen, the damage does not stop at the victim organization. Clients can be pressured, legal strategies can be exposed, and employees can become targets for follow-up scams.”

The hardest part is that much of this activity can look normal at first glance, he said. Because legitimate tools used by threat actors don’t always trigger alarms, security teams need faster ways to connect unusual behavior across users, devices, cloud storage, and remote access sessions. “When attackers are moving this quickly, delayed detection gives them the advantage,” he said.

Grimes added that defenses should include strong and frequent employee education about physical attacks, disabling USB ports on publicly accessible computers, and other mitigations that prevent the connection of physical storage devices. Microsoft Windows, he pointed out, has had mitigations to prevent the insertion of unauthorized storage devices, including USB sticks, for well over a decade.

In addition, the FBI urges physical and IT security leaders to verify the credentials of anyone accessing company spaces, obtain copies of each visitor’s ID card, limit access to sensitive data from less secure networks such as home computers or the public internet, and develop and communicate policies regarding when and how IT support will communicate and authenticate themselves to employees.