In recent months, federal investigators have linked a number of hacking incidents against U.S. government systems to a single Russian hacker group. These incidents go at least as far back as sensitive information gleaned during the 2016 presidential campaign; the most recent discovery led the administration to accuse the Russian government of attacking the national energy infrastructure.
A striking detail is how often the method of attack was phishing, where users are sent malicious links that take them to fake login screens set up to trick targets into entering their passwords, thereby unknowingly granting attackers access to their accounts. A study by the security software company PhishMe found that 91% of cyberattacks start with a phishing link, while a separate report by Frost & Sullivan noted that nearly 1 in 10 recipients of a malicious link click through and enter their credentials. Login credentials are valuable information — once hackers have access to an email account, the information that passes through that account usually affords access to a raft of other email accounts. Not only do people often reuse login passwords, but often sites will send password resets to email accounts.
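The mechanism described above (a link that leads to a login page imitating a trusted one) is something a mail gateway or security team can check for before a user ever clicks. The script below is an added illustration, not code from the article or from any of the companies it cites: it takes a list of links extracted from inbound mail and flags hostnames that imitate a known sign-in domain through a hyphen-for-dot swap, a digit-for-letter substitution, a one- or two-character typo, or by hiding a trusted name inside a longer, unrelated domain. The trusted-host list and the sample links are constructed for the example.

```python
"""Flag links whose hostname imitates a known login domain.

Added example for illustration; the trusted-host list and the sample
links below are constructed, not taken from the article or real traffic.
"""
from urllib.parse import urlparse

# Sign-in hosts the organisation legitimately uses (assumed list).
# Kept sorted so that results do not depend on set iteration order.
TRUSTED_LOGIN_HOSTS = sorted({
    "accounts.google.com",
    "login.microsoftonline.com",
    "mail.example.gov",
})

# Constructed sample of links pulled out of inbound mail (not real data).
SAMPLE_LINKS = [
    "https://accounts.google.com/signin",               # genuine
    "https://accounts-google.com/signin",               # hyphen for dot
    "http://mail.example.gov.secure-login.net/reset",   # trusted name as subdomain
    "https://login.micros0ftonline.com/",               # zero for letter o
    "https://acounts.google.com/",                      # one-character typo
    "https://intranet.example.gov/policy.pdf",          # unrelated internal host
]

# Characters commonly swapped in to make a fake host read like the real one.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": "."})


def levenshtein(a, b):
    """Edit distance between two strings (plain dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalise(host):
    """Lower-case the host and undo the usual look-alike substitutions."""
    return host.lower().rstrip(".").translate(HOMOGLYPHS)


def classify_link(url):
    """Return (verdict, trusted_host_imitated_or_None) for one URL."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return ("invalid", None)
    if host in TRUSTED_LOGIN_HOSTS:
        return ("trusted", host)
    norm = normalise(host)
    for trusted in TRUSTED_LOGIN_HOSTS:
        # The real name appears as leading labels of a different domain,
        # e.g. mail.example.gov.secure-login.net
        if host.startswith(trusted + "."):
            return ("trusted-name-as-subdomain", trusted)
        # After undoing hyphen/digit tricks the host reads as the real one.
        if norm == trusted:
            return ("lookalike-substitution", trusted)
        # A small typo away from the real name.
        if levenshtein(norm, trusted) <= 2:
            return ("lookalike-typo", trusted)
    return ("unrelated", None)


def suspicious_links(links):
    """Links that imitate a trusted sign-in host, with the reason and the host imitated."""
    findings = []
    for url in links:
        verdict, target = classify_link(url)
        if verdict not in ("trusted", "unrelated", "invalid"):
            findings.append((url, verdict, target))
    return findings


if __name__ == "__main__":
    for url, verdict, target in suspicious_links(SAMPLE_LINKS):
        print(f"{verdict:28} {url}  (imitates {target})")
```

Run on the sample list, the script reports four of the six links; the genuine sign-in page and the internal intranet host pass. The heuristics deliberately stop at the hostname: a flagged link is a reason to hold the message for review, not proof of an attack, and the edit-distance threshold should be tuned against the organisation's own legitimate hosts to keep false positives down.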
We've given advice on numerous occasions on how to protect your privacy online. Yet it seems that those working with sensitive information are no better briefed on the hallmarks of a phishing link than the rest of the population — nor are they any more resistant to the social engineering tactics (emotional manipulation using seasonal cues or personal details) through which phishing works.
Government agencies are among the most frequent targets of hackers, yet many sectors lack clear cybersecurity plans, and across the board, security awareness training for employees is the most underfunded area of cybersecurity spending.
Here are the biggest Russian hacks into U.S. government computers from the last couple of years. The majority directly targeted employees.
1. Major hack across the U.S. energy sector
Entry points: phishing screens, spear-phishing emails, "watering holes" where malware is planted in a trusted site
Last July, Russian hackers gained remote access to energy-sector networks in North America and Europe, where they were able to observe communications and collect information about the control systems. The cybersecurity company Symantec first reported the massive breach of dozens of company networks in the energy industry, in which attackers targeted the smaller ancillary companies that service the major corporations responsible for the energy supply. This strategy, which focuses on the less-secure networks of smaller companies to gain information and help get access to larger, better-secured businesses, is a common one, said Mark Orlando, chief technology officer for cyber services at Raytheon. Once inside the corporate networks of these small businesses, the hackers were able to glean details that they used in spear-phishing emails — phishing emails that specifically target individuals using personal information. These emails included resume attachments, policy documents and an invitation to a company party; users who opened a file ended up downloading malware that exposed their computer and network. In a twist, some of these documents were programmed not to download, with the email containing a link to click instead — which led the recipient straight to malware.
Other types of cyberattacks included "watering hole" attacks, in which attackers found out which sites the employees of small energy companies trusted and visited, then embedded these with malware; straightforward phishing screens that imitated trusted login forms to feed users' passwords directly to the hackers; and disguising malware as legitimate software updates.
2. Multiple attacks on U.S. infrastructure
Entry points: malware, spear-phishing
In addition to the large-scale attack on the energy sector, U.S. officials recently announced that hackers backed by the Russian government are targeting key national infrastructure facilities, including water grids and nuclear plants. In a joint alert, the Department of Homeland Security and the FBI said that the targets were "U.S. government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation and critical manufacturing sectors." As with the attack on energy companies, the hackers devised a multi-stage intrusion into smaller businesses' networks, planting malware and launching spear-phishing campaigns to steal employees' login credentials in order to launch highly customized hacks into larger companies.
The U.S. telecoms infrastructure is at risk for a hack too — Senator John McCain said last June that "the Kremlin has been trying to map U.S. telecoms infrastructure," including monitoring Kansas' fiber-optic network and completing the development of "a cyber weapon that can disrupt the United States power grids and telecommunications infrastructure." Russia-based groups are known to have tested cyber-weapons on Kiev, Ukraine, disrupting the country's electricity supply.
3. 2016 presidential campaign server hacks
Entry point: phishing emails
The influence of Russian hackers on the 2016 presidential election is the subject of ongoing federal investigations. In the months leading up to November 2016, the Russian hacker group known as Fancy Bear attacked the computers of the Democratic National Committee, publicly exposing research on the opposition, private emails of Democratic politicians and internal memos. According to CNN, the first breach occurred in September 2015, when a single computer was hacked to transmit information back to Russian sources. Half a year later, Hillary Clinton's campaign chairman, John Podesta, received a phishing email — which he responded to, giving hackers access to his account and the tens of thousands of emails sent by other members of the DNC. These emails were published by the whistleblower site WikiLeaks in the run-up to the election and included damaging content that revealed that the DNC was not impartial in its support of Democrat candidates Clinton and Bernie Sanders. There is evidence that the Russian hackers also breached the servers of the Republican Party, but the accessed documents were not released publicly. The CIA later determined that the goal of the DNC hack had been to help Trump win the presidency, rather than to simply erode confidence in the U.S. electoral system.
4. Voter registration rolls in 2016 election
Entry point: details remain classified by the Department of Homeland Security
Earlier this year, it was revealed that Russian hackers accessed voter registration rolls of seven states prior to the 2016 presidential election — though officials say that no votes were altered. Jeh Johnson, the secretary of the Department of Homeland Security at the time of the 2016 election, confirmed that scanning and probing of the registration databases took place and originated from the Russian government. In all, 21 states were targeted, and intelligence analysts believe that Alaska, Arizona, California, Florida, Illinois, Texas and Wisconsin had been breached — but California and Wisconsin deny having been targeted.
5. U.S. defense workers' email hack
Entry point: phishing emails
The same hacker group that meddled in the 2016 political campaigns also later targeted 87 people working in the defense and aerospace industries by sending phishing links to gain access to their personal emails, mostly Gmail accounts. These people were involved in work on missiles, drones, rockets, fighter jets, cloud-computing platforms or other sensitive activities, according to the Associated Press, and their emails could potentially have exposed some of the U.S. military's most advanced defense programs, compromising the nation's security, said Charles Sowell, a former senior adviser to the U.S. Office of the Director of National Intelligence in an interview with CNBC. Fancy Bear hackers sent about 19000 lines of email phishing data to employees of small defense companies as well as giants such as Airbus Group, Lockheed Martin and General Atomics, with about 40% of targets clicking through — though not all took the critical extra step of entering their credentials at the fake login screen.
6. U.S. Senate email attack
Entry point: spear-phishing via fake websites mimicking U.S. Senate email system
In the second half of 2017, Fancy Bear appeared to step up hack attempts on U.S. government computers. Also attributed to the group is an attack targeting members of the U.S. Senate, using spear-phishing techniques to target users directly with personal details. Part of the attack involved setting up fake websites that mimicked the U.S. Senate email system in an attempt to capture users' credentials. Official reports haven't confirmed whether the attacks were successful in breaching Senate email accounts, but according to Newsweek, cybersecurity software company Trend Micro said that the level of detail and complexity of techniques the attackers used suggested they were a large, well-funded group and that the attacks were likely "an attempt to influence public opinion." Other cybersecurity and intelligence experts have linked Fancy Bear to the Russian government, noting that the group is likely acting on direction from the Kremlin.
Yet to come…
As the 2018 midterm elections approach, 57% of U.S. voters believe that Russian hackers will interfere in the event. According to Newsweek, a top House Democrat believes the government is underprepared to deal with a major threat to the legitimacy of the midterm elections. Congressional investigators are also "increasingly worried" about Russian influence on these elections through its hacker groups as well as the production of fake news and political ads that are thought to have influenced the outcome of the presidential election two years ago.
From Carl Chappell on April 12, 2018 :: 10:49 am
There is a lot of ‘opinion’ in this article presented as fact! Maybe you should stick to covering tech products!
From Josh Kirschner on April 12, 2018 :: 11:28 am
Hi Carl,
Which areas do you see as opinion presented as fact? I think it’s pretty clear where the source of each of the statements made in the article comes from, and the reader can make their own determination whether they consider that source to be authoritative or not. However, we only included sources for this article which we believe to be authoritative and, in the case of secondary sources, were examples of stories that were widely reported in multiple secondary sources based on primary source information.
And this is very much a technology story. The strong political overtones in the attacks don’t negate the technology basis of what’s happening. Especially given that the methods used by the hackers were very similar to the phishing and other exploitation methods that you and I face every day reading our email, visiting websites, etc. There are lessons to be learned all around, here.
Best,
Josh