The dust is beginning to settle after the U.S. federal criminal indictment of 12 Russian military intelligence officers who are alleged to have conspired to hack into systems of the Democratic Congressional Campaign Committee (DCCC), Democratic National Committee (DNC), and volunteers of the Hillary Clinton campaign. As the implications of the indictment are becoming better understood, it’s now a good time to take a step back and look at what the 29-page indictment has to teach us about enterprise information security.
While the attackers who targeted the DNC and the DCCC proved themselves adept and were able to persist within those networks once they gained a foothold, the indictment also shows that the targeted organizations most certainly did not make the attackers’ job difficult.
In fact, the attack techniques detailed within the indictment relied on the same tactics security professionals see widely used every day. Here they are:
It (most always) starts with phishing
These attacks, like so many others, didn’t require sophisticated technical feats. Not at all. The alleged attackers sent bogus emails that were designed to trick their targets into revealing their usernames and passwords.
Previously, in the fall of 2016, news broke that the attackers targeted Hillary Clinton campaign chair John Podesta with a phishing attack. The subject line of the email: “*Someone has your password*”. The email claimed that an unauthorized party tried to sign into Podesta’s Google account. The fraudulent email also claimed that Google thwarted the attempt and it advised Podesta to change his password. The email provided a link to do so.
This is the same type of attack we see launched against users every day.
Unfortunately, a help desk staff advised Podesta that it was a legitimate email. Podesta’s email password was soon updated using the bogus website, which captured the new credentials. This was the same way the DNC emails were compromised.
Once the attackers had access to the endpoints, they installed malware that enabled them to capture keystrokes and spy on endpoint activity. The attackers then deployed X-Agent malware and, according to the indictment, X-Agent was installed on a minimum of 13 DNC and DCCC computers.
Not just phishing, highly-targeted spear phishing
This level of spear phishing, the targeting of known individuals with maliciously crafted emails to trick users, include some of the most common types of attacks. In fact, surveys commonly peg spear phishing as a component of most attacks. About three-quarters of enterprises say they are regularly targeted by spear phishing. I’d argue it’s much closer to 100 percent.
Where do attackers get the information they use in their spear phishing attacks? Everywhere. They will grab information from public sources such as LinkedIn, Facebook, Twitter, Wikipedia, corporate bios, blogs, and news reports, among others. They then use this information to trick the user into accepting the email, clicking on a link, or providing information.
Third-party security matters
According to the indictment, the first endpoint compromised with the X-Agent malware was a computer at the DCCC. With that malware in place, according to the indictment, the attackers then captured screenshots, collected keystrokes, and stole credentials. The stolen credentials were used to break into the DNC network. According to the indictment, they accessed 33 separate systems of the DNC.
"To enable them to steal a large number of documents at once without detection, the conspirators used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks," the indictment said. "The conspirators then used other GRU malware, known as 'X-Tunnel,' to move the stolen documents outside the DCCC and DNC networks through encrypted channels," the indictment stated. In April of 2016, the attackers allegedly compressed gigabytes of data from DNC systems.
Such attacks on third-party vendors are a common means to enter a target organization. Attackers will gain entry onto contractors, suppliers, partners, and others as a way to move laterally. According to a recent survey by the Ponemon Institute, 56 percent of respondents reported having a data breach or other such incident caused by a third party. We’ve pointed out numerous times how many successful attacks rely on the weakness of third-party providers.
The malware proved persistent
In the spring of 2016, the DNC and DCCC hired a cybersecurity firm to investigate and to help clear malware infections. However, when the FBI was investigating by the fall that same year, it became clear that X-Agent persisted on the system. The DNC, however, told Politico that while the malware remained present, the DNC did not believe that there was any successful communication or data exfiltrated from the rebuilt network.
What it means for your security program:
What are the main lessons here? The first is that staff will fall for phishing attacks and there’s not much that can be done to eliminate or significantly lower the risk. Still, many experts will advise that employees be trained to recognize phishing emails and not click on them. And when they do identify such emails to forward them to the appropriate team for analysis.
There may be some value in this advice, but the fact is that some of your employees are going to click on these types of emails, open the links, and provide information. It’s just going to happen. To the extent training can reduce employees from doing such, there is some value in the training – but you are not going to be able to mitigate the risk of this happening to a reasonable level. So you need technical controls to mitigate this reality.
Your organization must try to block phishing emails from getting to your users in the first place. Of course, that won’t always work, and spam and phishing emails will slide through occasionally. Some form of strong two-factor authentication can help reduce risk, too. This way, when someone on staff does hand out their credentials to a bad actor, it won’t be enough on its own to compromise their account. None of these steps are going to alone, or collectively, eliminate the phishing threat, but they can help to mitigate it.
Next, organizations need to work to identify and block the malware form getting onto their endpoints. Of course, this won’t always work and some malware will slide on through the defenses, so it’s important to always be on the lookout for indicators of compromise and be able to identify and block data exfiltration attempts.
Finally, keep an eye on all third-party provider security. Be sure to monitor network connections and user accounts, know where shared data resides, and build basic security hygiene into contractual agreements such as proper breach notification and data breach response.
You should continue to educate staff about the threats out there, why and how everyone plays a role in security, and to remain alert for any suspicious activity. But, ultimately, it will be technological controls that win the long game.
Perhaps the most important lesson form the Mueller indictment is that competently executed, relatively low-tech attacks still work against organizations. Fortunately, there are steps organizations can take to make the attackers have to work much harder to succeed.