The breach of an unclassified Pentagon email system by suspected Russian hackers at the end of July was just the latest in a series of state-sponsored attacks on government agencies. Although the Pentagon is back online after immediately disabling the email system in the wake of the attack, the attack has raised concerns about the use of spear phishing in nation-state cyber attacks.
Andre McGregor, director of security at Tanium, told Homeland Security Today “spear phishing is a common tool because it works.” In a spear phishing attack, the hacker creates an email to look as if it came from someone within the company or someone the user is actively in communication with. Once the email is opened, malware is implanted.
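The disguise McGregor describes, a message made to look like it came from a colleague, leaves traces in the headers that a mail gateway or SOC script can check. The following Python snippet is an added example, not code from the article or from Tanium; the domain, staff names and sample messages are constructed for illustration.

```python
"""Flag two common spear-phishing header indicators (added example).

A spear-phishing mail is crafted to look as if a colleague sent it. Two
cheap header checks catch the commonest disguises:
  1. display name of a known internal user, but a From address outside
     the organization's domain (display-name spoofing);
  2. Reply-To pointing at a different domain than From, so that replies
     leave the organization.
Domain, staff list and sample messages are constructed, not real traffic.
"""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "agency.example"           # assumption: the org's own domain
INTERNAL_STAFF = {"Dana Ortiz", "Lee Chen"}  # assumption: directory export


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw_message: str) -> list:
    """Return the indicator names found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    hits = []
    if from_name in INTERNAL_STAFF and _domain(from_addr) != INTERNAL_DOMAIN:
        hits.append("display_name_spoof")
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        hits.append("reply_to_mismatch")
    return hits


# Constructed sample messages: one genuine internal mail, one lookalike.
SAMPLES = {
    "legit": ("From: Dana Ortiz <dortiz@agency.example>\n"
              "Subject: Budget\n\nSee attached.\n"),
    "spoofed": ("From: Dana Ortiz <d.ortiz@mail-example.net>\n"
                "Reply-To: secure@other-example.org\n"
                "Subject: Budget\n\nSee attached.\n"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, phishing_indicators(raw))
```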
“The key here is that, in most environments, if a hacker wants access to a particular set of users or a particular set of data, they do not need to compromise those specific users or assets upfront,” McGregor said. “They can be opportunistic and target anyone else in that same organization.”
“And once the hacker has an initial foothold,” McGregor said, “they can move laterally and exploit the trust in the network. Because of that, attackers only need to be good enough to get that initial foothold, and then remain undetected as they move to their actual target in the environment. That gives attackers a lot more leeway in their operations than they’d otherwise need to have.”
McGregor said almost every nation-state related case he’s investigated with the FBI has started with spear phishing. As an open communications platform, email is almost guaranteed to have fewer protections than most other internal corporate perimeter systems.
Officials believe the advanced nature of the hack strongly suggests a foreign government was behind the attack. Specifically, the tools and techniques used resemble past attacks involving Russian actors. Just as writers have a style, hackers do as well when they write code. However, given the difficulty of attribution, officials cannot confirm with certainty who was responsible for the breach.
“Every author has certain nuances to their language that define their writing style,” McGregor said. “Likewise, malware authors have a certain way they write code. Over time, malware can be linked to the same hackers based on exact or similar programming styles. After a while, it becomes easy to compare malware used in other intrusions and later link new attacks to previously identified cyber nation-state actor sets. IP addresses, domain names, and malware families tend to be the most common ways to link attribution to a particular nation-state actor.”
While it appears there has been an uptick in spear phishing attacks in recent years, McGregor said the change is less that attacks have increased and more that companies are now reporting breaches in accordance with regulations and state laws.
Moving forward, organizations and government agencies can mitigate similar attacks with two things: visibility and containment. Agencies need not only the visibility to quickly detect signs of anomalous usage, they also need measures in place for when an attacker does have a foothold.
In terms of containment, McGregor believes it’s important for agencies to accept that there is always going to be a risk of compromise. Consequently, they need security measures in place to contain the spread of an attack once the attacker has been successful in getting that initial foothold.
“There will always be bugs, there will always be exploits, and there will always be user error,” McGregor said.
Homeland Security Today reported last year that more than a decade after phishing became the standard way to access sensitive information and to evade corporate defenses using malware-laden email attachments, a report by McAfee Labs indicated phishing continues to be a heavily used and effective mechanism for exploiting the weakest link in enterprise security: human behavior.
The August 2014 McAfee Labs Threats Report contained the results of the McAfee Phishing Quiz, which tested the ability of business users to detect phishing attacks. Of the 16,000 business users tested, 80 percent failed to detect at least one of seven phishing emails.
The results of the report demonstrated that while technology can assist in detecting malware, ultimately the burden is on the email recipient to detect fraud. Businesses and individuals must begin modifying human behavior, the weak link in security, through better training in how to identify phishing attacks and other cyber criminal opportunities.
Although simple, these attacks are successful and can be extremely damaging. What concerns McGregor about attacks like the one on the Pentagon is that although the target was unclassified information, when put together, a lot of unclassified information can turn into classified information. If a hacker is able to get unclassified information from three or four individuals’ emails, they can get an entire picture of what had been worked on from the classified side.
“We should be concerned that if these high value government targets are being attacked, then what kind of security (or lack thereof) is in place at the rest of the government agencies,” McGregor said. “Federal agencies need to have the latest technology, adequate staff, sufficient funding and flexibility to be able to move as quickly as the private sector and address the 21st century global cybersecurity threats our country faces.”