The Target? You. Image Source: Wikimedia Commons
- “….<the Russian operatives> were dedicated to targeting military, political, governmental, and non-governmental organizations with spearphishing emails and other computer intrusion activity.”
- “….used various online personas, including “Kate S. Milton,” “James McMorgans,” and “Karen W. Millen,”
- “….sent spearphishing emails to members of the
Clinton Campaign and affiliated individuals, including the chairman of the Clinton Campaign”
- “….. altered the appearance of the sender email address in order to make it look like the email was a security notification from Google (a technique known as “spoofing”), instructing the user to change his password by clicking the embedded link. Those instructions were followed. On or about March 21, 2016, LUKASHEV, YERMAKOV, and their co-conspirators stole the contents of the chairman’s email account, which consisted of over 50,000 emails.“
- “… created an email account in the name (with a one-letter deviation from the actual spelling) of a known member of the Clinton Campaign. The Conspirators then used that account to send spearphishing emails to the work accounts of more than thirty different Clinton Campaign employees. In the spearphishing emails, LUKASHEV and his co-conspirators embedded a link purporting to direct the recipient to a document titled “hillary-clinton-favorable-rating.xlsx.” In fact, this link directed the recipients’ computers to a GRU-created website“
- “…used an email account designed to look like a Vendor 1 email address to send over 100 spearphishing emails to organizations and personnel involved in administering elections in numerous Florida counties. The spearphishing emails contained malware that the Conspirators embedded into Word documents bearing Vendor 1’s logo.
That last one strikes close to home for me as it is a technique I have used successfully when conducting “white-hat” phishing exercises for MSI’s clients.
The indictment makes it clear that we are very much in a “cyberwar” right now and that the targets of greatest opportunity in that war are not information infrastructure – but people. You and I, feverishly pounding away at a keyboard in an attempt to meet some deadline (like writing a blog post?). Or, even better and more dangerous, responding to emails with a mobile device while we sit waiting at a stoplight. None of us, of course.
Many of you likely regard yourselves as targets of little interest in any cyberwar attack. And that may be true for you specifically, but is it true of your family members and friends as well?
Perhaps one of them works for an HVAC vendor that does work for government?
The point is that everyone is connected via some device and everyone shares infrastructure (cloud storage?) with others. Any person in that chain of connectedness is a potential stepping stone to items of real interest to an attacker.
Phishing has become the primary attack vector and the target can be anyone who is connected to someone else with access to sensitive information. It’s low cost and relies on information about us that we and those who know us have freely given up,
And… it just works. Those Russian operatives know that, and so should you.
Everyone is now a potential target in this new type of warfare
What to do?
- Make sure you, your family members, and your co-workers have a basic understanding of phishing and what to look out for.
- If your company provides training on phishing awareness, take it seriously. If it has none, lobby for it.
- If you are in management, realize that your employees are the new attack surface. Make sure they are trained to detect phishing and are willing to report it – even if they think they may have been successfully phished. That last is important. Your company will be the real loser if employees are afraid to speak out. Do not rely on magic-bullet technology alone to address what is fundamentally a problem in human behavior. . Conduct periodic tests to see how aware your people really are. No punishment – education!
- Use Multifactor Factor Authentication (MFA)! If an attacker obtains your traditional login credentials (login/password) and that’s all you use, they have you. Multifactor authentication requires the addition of “something you know” or “something you have”. Typical examples involve login sequences that require you enter a one-time code texted to your phone (“something you have”). Adding that extra factor complicates the whole phishing process and may even render it futile. All modern infrastructure supports some form of MFA.
- Keep your work environment separate from your home environment. Consider segmenting your home network. A unique “work” wifi environment, with separate IP addressing, used only for your work (no family members, guests, or IOT devices) may be a good place to start.
- https://blog.google/technology/families/be-internet-awesome-helping-kids-make-smart-decisions-online/ – phishing training for kids
- https://en.wikipedia.org/wiki/Multi-factor_authentication – Multifactor
- https://support.google.com/accounts/answer/1085463?hl=en – Google MFA