Death by 1000 paper cuts: how foreign actors are bleeding a cyber-crippled US dry
Dave Piscitello
Numerous US federal agencies that contribute to our national cybersecurity defenses have suffered sweeping job and program cuts. The disruptive effects on the FBI, DOJ, FTC, NIST, and CISA go far beyond the administration’s publicly stated domestic objectives. These cutbacks put the US at a disadvantage in its efforts to mitigate cybercrimes, cyber espionage, and other cyber-enabled attacks by criminal, state, and state-sponsored actors.
Political pundits at The Bulwark are much better informed than I am to examine the broad ramifications of a weakened US cybersecurity presence. I will take you closer to ground zero by sharing three examples of cyber-enabled activities that are real and imminent threats to you, your organization, or your friends and family.
Fake worker scams
North Korea and other Asia-Pacific countries now use AI tools to create “highly qualified candidates” with convincing but fake government-issued IDs, resumes with extensive employment histories, and active social media presences. AI-generated resumes don’t trigger the typical checks: they have convincing job histories, few or no grammatical errors, and, overall, they present an appealing candidate. While they may not be as complete as the covert legends used by intelligence agencies, they have been convincing enough to lure companies into hiring these individuals as remote workers. North Korean agents “in country” have set up laptop farms to house employer-issued laptops. These are remotely accessed by the newly hired “US employee”, who actually works from North Korea. Once hired, the worker may draw a salary until they are discovered, or they may install malware to exfiltrate sensitive information from the company that offered employment. As AI improves, so do these scams. How serious is this threat? Recent analyses speculate that by 2028 one in four job candidates will be fake. These scams will add significantly to the billions lost to online scams that are already reported to the FTC.
Text (SMS) phishing attacks
A Chinese threat group, XinXin, uses an advanced infrastructure, LUCID, to launch SMS-based scam and phishing attacks from large mobile device farms. These attacks impersonate government services (e.g., the E-ZPass toll system) and numerous postal, courier, or package delivery services. Victims of these scams unwittingly disclose their credit card and personal data. LUCID campaigns deliver text messages via Apple iMessage or Android RCS and bypass telecom filtering techniques to increase success rates. XinXin claims that it can send 100,000 messages daily. These scams are far more successful, widespread, and costly than most Americans imagine.
Deepfake
Threat actors have rapidly adopted AI. They manipulate audio, video, or images to perpetrate fraud, promote discord or dissent, radicalize the disenfranchised, or to inflict cyber-enabled harms through deepfakes. Deepfakes are now used to impersonate CEOs of companies (Ferrari), to incite far-right extremists, to harass women, and to groom or sexually exploit children.
The current wave of AI-generated images and videos is already too sophisticated – and too numerous – for human detection. The images and videos are convincingly real to the human eye. Credible audio, sufficient to fool even close family members, can be created from small samples. Many of the cues and telltales that were most frequently used to detect fakery are no longer present. Investigators must increasingly rely on advanced neural networks trained on diverse datasets (deep learning). However, this is an AI arms race: every advance in AI systems that helps improve detection of AI fakes also facilitates the production of undetectable fakes.
US Cybersecurity needs to expand, not contract
These examples show how cybercriminals and state-sponsored actors are using automation and innovation to conduct cyberattacks with increasing frequency and scale. Adversarial states (e.g., North Korea) use scams and frauds to supplement their GDP. Fortune reports that Chinese, Russian, and Iranian threat actors are “actively seeking the capability to disable U.S. critical infrastructure, including water and wastewater”. Microsoft’s Digital Defense Report 2024 notes that actors in these countries are also acting independently to gather sensitive data, collect intelligence, and extort, defraud, or steal millions.
Intelligence and law enforcement agencies worldwide are engaged in an arms race. Investigators face operations daily at scales we’ve never seen before, necessitating greater global cooperation and data sharing. The US also needs more agents armed with state-of-the-art AI and with the experience and expertise to detect and defeat cyberattacks. These agents must constantly improve their deep learning capabilities to respond effectively to threat actors who quickly adopt advances in deception techniques while also adapting to successful detections and countermeasures.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) may be whittled in half. Agents at the Federal Bureau of Investigation face cutbacks for doing the jobs they were hired to do. These actions increase cybersecurity risk dramatically at a time when the US may be most vulnerable to cyberattacks.
I’ve had the extraordinary opportunity to work with many agents in several US agencies. They are great – exemplary – at what they do, but we need more, not fewer, men and women in the field to contend with the cyberthreat landscape now facing the US.