Not Your Father’s Honey Trap: Digitizing a Timeless Threat
By TorchStone VP, Scott Stewart
The honey trap, the use of sexual favors or romantic bonds to obtain sensitive information, is an ancient technique. Perhaps one of the earliest recorded instances of a honey trap dates to 1100 BCE when the Philistines used Delilah’s feminine charms to learn the secret of Samson’s great strength.
But it is almost certain the tactic was used even earlier than recorded history. Espionage has been referred to as “the world’s second-oldest profession” and as such, it is only natural that espionage practitioners would solicit the help of what has been termed “the world’s oldest profession” to help them in their craft.
Although ancient in origin, honey traps continue to work, both in the physical and virtual worlds, and digital honey traps provide practitioners with some advantages over their physical counterparts. Let’s examine how they work.
Classic Honey Trap
The classic form of this old technique involves compromising a target through a single sex act. The target is approached by a desirable sexual partner in a hotel bar after work hours. After a few drinks to suppress inhibitions and critical thinking, they go up to the target’s room and have sex.
Sometimes, the local intelligence service will break in the door during the intimacy to catch the target in flagrante delicto. Other times, the partner leaves and the target never sees them again. At some point, the target is confronted by an intelligence officer who shows them the photographs or videos of the assignation. Yes, the target’s room was thoroughly wired for surveillance, and the honey trapper was instructed to orient the action towards the cameras and to ensure there was identifiable and compromising material on the target. The target’s cooperation is demanded by this second officer—and provided—since the target feels they have little choice.
This technique worked well in the past because the threat of revealing the illicit act to the target’s spouse, family, employer, or even the world at large, presented a significant threat to the target’s way of life and status. In the case of same-sex encounters, once illegal, the leverage was compounded exponentially. People whose positions require them to be seen as pillars of moral rectitude may still be vulnerable to this simple and crude tactic, but given changes in sexual mores, many people are no longer so vulnerable to the classic approach.
For those individuals, more subtle and powerful techniques may be required.
The Strength of Emotional Ties
A target who is blackmailed will feel resentful and trapped and may seek to find a way out of the trap that ensnared them. Therefore, what is a stronger lever than a one-night stand? An ongoing romantic relationship. Some honey traps are long plays meant to sink the hooks deep into the target and ensure continuing compliance. A scheme by which the target develops a strong emotional bond with the honey trapper can result in a relationship that lasts for years or even decades.
East German spymaster Markus Wolf made a career of using male “Romeo spies” to target lonely women (often secretaries, interpreters, and clerks) in the West. In many cases the East German officers maintained their relationships with the women for years, sometimes becoming engaged to them or even marrying them.
This type of honey trap operation is based on universal and enduring human emotion rather than raw sexual attraction. While attraction is somewhat important, and Wolf’s East German service went to great lengths to learn the type of men their targets were attracted to, it requires far greater skill and training to make the target fall in love with the honey trapper than it does to merely lure them into a one-night stand.
A well-known and more recent example of this type of honey trap was the Russian intelligence officer known as Anna Chapman, who was born Anya Kushchenko in Volgograd, the daughter of a Russian “diplomat” widely believed to be a former KGB officer.
In 2002 Anna met and married a British citizen named Alex Chapman, who worked at a number of companies including Barclays Bank. Anna divorced Alex four years later but kept the Chapman name. It is not clear whether she manipulated Chapman to obtain information from the companies he worked for, but at the very least, the marriage helped her gain entry into society circles in London—and later, after the divorce—in New York, where she was tasked with developing relationships with people “in policymaking circles.” Chapman and nine other Russian “illegal” intelligence officers were arrested in June of 2010.
As the Chapman case and others, such as the AMSC industrial espionage case, illustrate, physical honey traps are still used effectively, but the internet and social media have provided a whole new dimension to the honey trap threat.
Digital Honey Traps
Catfishing is the use of a fake online persona to trick and manipulate other people. While a lot of attention has been paid to catfishing used in furtherance of romance scams, pig butchering, and sextortion, catfishing has also proved to be a powerful espionage tool.
Catfishing schemes have been used by Iranian intelligence officers and Iranian proxies in an attempt to gather intelligence on the Israeli Defense Forces for many years now, including during the ongoing conflict against Hamas in Gaza. Some of these operations have simply sought to elicit information from soldiers, while others have attempted to manipulate soldiers into downloading malware onto their phones that would allow the phones to be used to track or eavesdrop on the victims.
Ukrainian women (and hackers posing as women) have also used dating apps to gather intelligence on Russian soldiers by tricking them into uploading photos of themselves that can then be geolocated and used to target their units.
But soldiers and government officials are not the only ones being targeted by digital honey traps. Employees of private companies have also been hit. Perhaps one of the most widespread and best-documented uses of catfishing was a campaign run by the Iranian government-linked hacking team that cyber security researchers have named Cobalt Gypsy or OilRig.
In April 2016, the hackers established an elaborate online persona purporting to be a British photographer named Mia Ash. Photos of a Romanian photographer were used to create the persona, but today it is possible to create AI-generated photos for this purpose. The hackers established accounts for Mia Ash on LinkedIn, Facebook, and WhatsApp, as well as crafting blog posts linked to those accounts.
According to a report compiled by cyber security firm Secureworks, the hackers then used the Mia Ash persona to reach out to a number of men in Saudi Arabia, the United States, Iraq, Iran, Israel, India, and Bangladesh who worked for technology, oil/gas, healthcare, aerospace, and consulting organizations.
The hackers specifically selected mid-level male employees in technical (mechanical and computer) or project management roles with job titles such as technical support engineer, software developer, and system support. These job titles were chosen because they imply elevated access within their respective corporate computer networks.
One of the targets worked in cybersecurity for the consulting firm Deloitte. After initially approaching the target on LinkedIn, the hackers convinced him to continue conversing with the alluring Mia Ash on Facebook. After cultivating a relationship with the target, the hackers eventually convinced him to open a Microsoft Excel file containing malware that allowed them to steal his network credentials. With the credentials, they were able to conduct a major cyber breach.
Advantages of Digital Honey Traps
As seen in the Mia Ash case, digital honey traps have many advantages over physical honey traps. First, they require no real physical contact with the target. This means that many personas can be created and run by one operator, and many targets can be approached and cultivated simultaneously—all the while protecting the identity of the skilled operator.
Second, anyone can catfish. The technique does not require a physically attractive person. Third, digital honey traps provide global reach.
In the physical world, it would be impossible for a bearded Iranian man named Ali to pose as a female British photographer and approach multiple men in different countries at the same time. But in cyberspace, catfishing allows government operators to use “false flag” approaches to attack multiple targets anywhere on the globe, using any persona imaginable.
Digital honey trap teams are also better positioned to utilize AI tools that can help make their flirtatious banter seem more natural while helping them to pursue even more targets at once.
Finally, while the operators running the personas need to possess good social engineering skills, they do not require technical hacking skills. This means cyber honey trap campaigns only require a small team of technical hackers to design and deploy the malware and exploit the targets after a successful attack. A separate team of analysts can conduct the research required to identify and select the targets, while a third team is tasked to operate the personas.
Combatting Digital Honey Traps
As with any threat, the first step in combatting digital honey traps is awareness. As technical cybersecurity measures become more effective, humans are seen as the weakest link in the cyber security chain, especially when threats deliberately appeal to their egos and romantic fantasies.
Catfishing is merely another way to target that human link, and employees should be educated about cyber honey traps in the same way they are taught about phishing and business email compromise attacks.
Sadly, in many companies, cyber security is considered an information system problem that only technical personnel can address and thus exclusively the responsibility of the Chief Information Security Officer (CISO).
But since attacks against employees can emanate from many different vectors, including catfishing, the threat they pose necessitates that companies address them in a holistic manner.
Ultimately, protecting against human-targeted cyber attacks is only possible with a well-informed workforce, and by employing a coordinated effort across the entire company.