From Federal Hill, federal contractor patrols social networks for spies

Left to right, Sean Wen, business developer/marketing ZeroFOX, and Saad Manzoor, cyber analyst, eat breakfast in the office kitchen. (Kim Hairston, Baltimore Sun)

For years, the group of hackers took on assumed names on popular sites such as Facebook and LinkedIn to lure their targets — defense and other government workers here and abroad.

Sometimes they used profile pictures of attractive young women in their effort to connect with the largely male bureaucracy.


The security company iSight Partners outed the operation last spring and tied it to Iran. But little has changed in the months since, according to iSight researcher John Hultquist. The group reorganized and appears still to be active today.

"We think that this problem is only going to grow," he said.


Foreign spies and terrorists have long lurked in cyberspace to gather information, probe for vulnerabilities and mount attacks against the United States and other governments. But they are now turning increasingly to social networks, which Americans use every day to share baby pictures and career news, to cause havoc online.

A startup in Federal Hill is engaging them on the battlefield.

From its offices on Light Street, ZeroFOX has designed a system to patrol LinkedIn, Facebook, Instagram and other social media sites for actors seeking to worm their way into the networks of the military, the government and other organizations.

"Social has become the new playground," said Evan Blair, the company's chief operating officer.


An attacker can lurk in an individual's network in hopes of gathering sensitive information. Or the attacker can abuse the trust most people have in their friend groups and professional contacts to trick the target into downloading software that gives the attacker direct access into his or her computer and those it connects with.

Government agencies have spent billions of dollars building up their defenses against cyberattacks. But social networks often fall outside all those layers of protection, which can leave the agencies all but helpless.

As Hultquist put it: It doesn't matter how big your castle is, nor how deep your moat, if an enemy can persuade someone inside to open the gate and let down the drawbridge.

An attacker might impersonate an important-sounding person, real or fabricated, and send out requests to connect. Or the attacker might pose as an attractive young woman.

Blair's team aims to help organizations keep attackers out of their members' networks before they can insinuate themselves and build power.

"Once I network with one, my ability to network with No. 2, No. 10, No. 100 is even easier," he said.

ZeroFOX's digs opposite Cross Street Market, with movie posters on the walls and games scattered about, look more like the workplace of a Silicon Valley startup than a buttoned-down defense contractor. But the company counts former Director of National Intelligence Mike McConnell among its board members, and it is courting government business.

The State Department hired ZeroFOX in December to protect dozens of its social media accounts.

A spokesman for the department, which shut down its unclassified email system briefly in November after a cyberattack, said the deal made sense because hackers who target the government are increasingly using social media.

ZeroFOX's contract with the State Department calls on the start-up to monitor Facebook, Twitter, Google+ and other networks, and to alert officials to "anomalous and malicious" activity.

ZeroFOX says it also works with the Department of Defense. Blair declined to comment on the details of its work, but said members of the military can be vulnerable to snooping or fraud launched against them online.

A Pentagon spokeswoman said she could not confirm that ZeroFOX works for the Defense Department. She said all department employees with access to its computer networks are trained in the dangers posed by social networks.

Blair described the 21st-century equivalent of "Loose lips sink ships": A spy could befriend a U.S. soldier on Facebook, and then use information he intended for his family back home to build up a picture of troop locations, strength, actions and plans.

"A lot of clandestine action and intelligence-gathering occurs just by being in your network," he said. "We can identify when that sergeant says something he shouldn't be saying [and] immediately feed that alert back."

The group uncovered by iSight appeared to be following a very sophisticated version of the playbook. Members posed online as journalists, government officials and defense contractors on sites including Facebook, LinkedIn and Google+.

In at least one instance, Hultquist said, the group created an account for a female military officer, just one of many examples of hackers using physical attraction in an attempt to lower their targets' defenses.

If "an extremely attractive female is trying to friend you out of nowhere," Hultquist said, it's often a good indication that you have become someone's mark.

The Iranian operation ran for years, according to iSight, making connections on social networks before sending links to sites designed to harvest login information — a type of attack known as phishing.

The group halted its activities after iSight published its report, but Hultquist said it now seems to be back up and running.

"It didn't take long for them to re-emerge," he said.

The attack late last year on Sony Pictures Entertainment demonstrated the chaos online attackers can cause. A group that called itself Guardians of Peace — and which the U.S. government believes is tied to North Korea — stole emails, scripts and whole movies from the studio and forced it to shut its networks down.

Adm. Michael S. Rogers, the head of the National Security Agency, told lawmakers in November he anticipates a serious cyberattack against the infrastructure of the United States.

"It is only a matter of the 'when,' not the 'if,' that we are going to see something dramatic," he said.

Security researchers have spent years exploring the ways such an attack might be launched. Shawn Moyer, a researcher based in St. Louis, was one of the first to spot the potential vulnerability of social networks.

Moyer declined to comment specifically on ZeroFOX but questioned how much more technology could do to protect people.

"If an individual behind a computer made a concerted effort to impersonate a person, that's going to be difficult," he said. "It's very difficult to differentiate between a real person and a real person pretending to be another person."

Moyer described setting up a LinkedIn account for a well-known computer security professional — and even received a request from the man's sister to add him to her network.

After one presentation, Moyer said government employees boasted that military and intelligence agencies wouldn't be vulnerable to such simple attacks — a boast Moyer took as a challenge.

The winning formula ended up being a dash of sex appeal combined with a dollop of greed: On LinkedIn, he created Amber Norton, a recruiter seeking to hire people with high-level security clearances.


And sure enough, he said, it wasn't long before he had gathered personal information on a number of people with ties to national security.