The 12 Russian operatives indicted by the Justice Department waged a campaign of well-executed espionage and novel technical engineering, coupled with rudimentary computer attacks.
That last part is key. Their tools may have been top-notch and their manipulation may have been slick, but the mode of entry was old-school and beatable, according to experts.
According to the Justice Department, the Russians used spear-phishing as one of their primary attack techniques. Spear-phishing refers to an email targeted at an important person — or a “big fish” — who can provide entry to a cache of the most important data. It starts with basic reconnaissance (like looking at Facebook and LinkedIn profiles) to create a portrait of a prominent individual, then uses that portrait to create an email that he or she is sure to click on. In the Democratic National Committee hack in 2016, those emails were just spoofed to look like security updates from Google, according to the indictment.
To prevent this type of attack, the DNC could have done much more in terms of “basic cyber hygiene,” according to Amit Yoran, a founding member of the U.S. Computer Emergency Response Team, the arm of Homeland Security that reacts to major cyberattacks in the U.S. Patching systems and using two-factor authentication, which involves verifying a person’s identity using more than simply a password, would have greatly mitigated the damage the Russian agents could do, he said.
It shows not only how preventable the incidents surrounding the attacks on the DNC could have been, but also the increasingly integral role private-sector companies have on the front lines of national defense, he said.