
PsyOps in Cybersecurity and the New Challenges of Regulatory Compliance



Solutions Review’s Contributed Content Series is a collection of contributed articles written by thought leaders in enterprise software categories. Ariel Parnes of Mitiga takes us on a journey into the world of PsyOps and the role it currently plays in cybersecurity.

As we navigate the complex terrain of modern cybersecurity, the emergence of psychological warfare tactics in cyber-attacks is becoming a critical concern. The behavior of the notorious ALPHV/BlackCat and Scattered Spider ransomware groups during their recent attacks against MGM Resorts International and MeridianLink is a stark reminder of this evolving threat. Cyber-criminals are no longer just exploiting technical vulnerabilities; they are now masterfully manipulating human psychology, laws, and regulations to achieve their nefarious goals.


The Emergence of PsyOps in the Cybercrime Landscape

Psychological operations, commonly referred to as PsyOps, are tactics used to influence, persuade, or intimidate targets to achieve specific goals. Originating in military contexts, these operations leverage psychological principles to affect the perceptions, emotions, reasoning, and behaviors of individuals or groups. In the realm of cybersecurity, PsyOps are calculated maneuvers cyber-criminals use to manipulate their victims. The effectiveness of PsyOps lies in its ability to exploit vulnerabilities in human cognition and decision-making, making it a potent tool in the arsenal of modern cyber warfare.

The use of PsyOps in cyber-attacks has a storied history, evolving alongside the digital age. Historically, cyber-criminals have employed a variety of intimidation tactics to manipulate and coerce their victims into compliance. In the early days of ransomware, attackers primarily relied on system downtime or data loss to pressure victims into paying ransoms. However, as cybersecurity defenses improved, attackers adapted by incorporating more sophisticated psychological strategies. This evolution saw the emergence of threats to publish sensitive stolen data if ransom demands were not met, a tactic that exploits concerns over reputation damage and regulatory repercussions. In many instances, attackers are not only encrypting data but also threatening to release it publicly, thereby amplifying the psychological pressure on the victims. This approach has proven effective in creating a sense of urgency and helplessness, often leading to quick capitulation by the targeted organizations.

Reaching New Heights of Complexity and Impact

In September 2023, a cybercrime gang known as Scattered Spider launched a ransomware attack on MGM Resorts, leading to a large shutdown of computer systems at casinos and hotels across the U.S. and compromising sensitive customer data. In this large-scale attack, the tactics deployed included a sophisticated psychological strategy consisting of publicly releasing details about the intrusion. While little is known about the accuracy of the information shared, it is clear that the move was designed to exert pressure and manipulate public perception, thereby maximizing disruption and leveraging their position, either in this specific cyberattack or in future ones.

With the U.S. Securities and Exchange Commission’s (SEC) new regulation requiring publicly traded companies to report material cyber-attacks within a narrow window of just four business days, the landscape of cybersecurity disclosure has been significantly altered. Designed to promote transparency and protect investors by ensuring they are promptly informed about cyber incidents that could potentially impact their investment decisions, the SEC rule is intended to foster a secure and resilient digital environment for the corporate sector. Companies would be compelled to be more transparent, upholding accountability and responsiveness in their handling of cyber threats. However, this rule inadvertently offers cyber-criminals a new weapon in their psychological arsenal. Attackers can now use the tight disclosure timeframe to create urgency and panic, forcing companies into hasty decisions that may include capitulating to ransom demands.

An Unprecedented Manipulation of Regulatory Mechanisms

The recent cyber-attack on MeridianLink, a publicly traded company offering digital solutions to financial organizations, is a striking example of this new trend. The ALPHV/BlackCat ransomware group, known for its sophisticated extortion tactics, claimed responsibility for the breach. In a bold and unprecedented move, the group filed a complaint with the SEC against MeridianLink for allegedly failing to comply with the SEC’s four-day rule for disclosing material breaches. This complaint, filed after the group reportedly breached MeridianLink’s network and stole sensitive data without encrypting systems, shows the new dimension of cyber extortion. The attackers used the SEC’s own platform to exert additional pressure on MeridianLink, a strategic manipulation of regulatory mechanisms to further their criminal objectives. This incident not only underscores the evolving nature of cyber threats but also highlights the potential for regulatory processes to be exploited by cyber-criminals in psychological warfare campaigns.

To counter these sophisticated threats, organizations must prioritize rapid investigation and a comprehensive understanding of attacks as soon as they are detected. Regular and thorough tabletop exercises that include psychological operations scenarios are crucial for preparing and testing response strategies. Additionally, investing in capabilities for swift investigation and response is essential. This approach enables organizations to counter misinformation with accurate information, maintain control of the narrative, and make informed decisions under pressure.

The landscape of cybersecurity is evolving rapidly, with PsyOps emerging as an effective tactic in the arsenal of cyber-criminals. The cases of MGM Resorts and MeridianLink serve as stark reminders of this reality. In this new era, organizations must be agile, well-prepared, and proactive in their approach to cybersecurity. The ability to quickly understand and respond to attacks is no longer just a defensive measure; it is a critical component of an effective cybersecurity strategy in the face of these psychological warfare tactics.
