Get insights straight from the experts on the Microsoft Threat Intelligence Podcast. Listen now.
Simeon Kakpovi initially wanted to be a doctor but soon realized that wasn’t his calling. “I switched my major a few times and ended up in information systems. I landed on cybersecurity because my mentors were in the field.”
As a sophomore at Howard University, he took additional cybersecurity classes at local community college, ultimately leading him to the Lockheed Martin Cyber Analyst Challenge. “They mailed us a thumb drive with 80 gigabytes of data. What happened next is some of the most fun I’ve ever had.”
The challenge required participants to analyze a full cyberintrusion using packet capture and memory files. “Through that process, I realized the big picture of cybersecurity and thought, ‘I would love to do this for a living.’”
That led to an internship at Lockheed Martin and to him co-creating the cyberskilling game KC7. “A lot of cybersecurity classes are taught with acronyms and vague concepts because they don’t have access to actual data. That creates a circular problem because you can’t get the skills until you get the job, but you can’t get the jobs unless you have the skills.”
Today, Simeon leads Microsoft’s team of analysts tracking more than 30 Iranian groups. Though distinct in motivation and activity, Simeon notes all Iranian actors share a common trait: tenacity.
“We’ve consistently found that Iran is persistent and patient, willing to spend effort, time, and resources to compromise their targets. Iranian-linked actors offer a good reminder that you don’t have to use zero-day software exploits or novel offensive techniques to be successful. To compromise email, credential phishing, social engineering, and sheer grit is all that’s required.”
“Social Engineering isn’t always as simple as it might appear. We’ve seen threat actors leverage the personal information people reveal about themselves on social media during social engineering campaigns.”
For example, Crimson Sandstorm uses fake social media profiles (honey pots) targeting individuals based on the jobs they listed on their LinkedIn profile. Then over a period of a few months, they attempt to establish romantic relationships, using intelligence gathered from public profiles to build trust and rapport, eventually sending BEC targets malicious files disguised as videos or surveys. However, because these relationships were developed over long periods of time, targets were more likely to ignore security alerts when they executed the files.
Simon observes that Iranian threat actors are motivated by a wide scope of reasons. “When tracking Mint Sandstorm and attacks on agencies working with governments, sometimes nuclear policy is the driver. With think tanks or academic institutions, publishing information critical of the Iranian government can raise the ire of a threat actor group. That suggests that they may know how the US or other Western countries will position themselves in terms of policy and target individuals with information that’s useful to their government.”
Follow Microsoft