- The Russians used "spear-phishing," which starts with a phony email to a "big fish" who is likely to have access to the most sensitive information.
- Experts say the DNC could have done much more in terms of educating employees about "basic cyber hygiene."
- The Russians were able to keep operating even after the DNC got a security firm involved.
The 12 Russian operatives indicted by the Justice Department waged a campaign of well-executed espionage and novel technical engineering, coupled with rudimentary computer attacks.
That last part is key. Their tools may have been top-notch and their manipulation may have been slick, but the mode of entry was old-school and beatable, according to experts.
According to the Justice Department, the Russians used spear-phishing as one of their primary attack techniques. Spear-phishing refers to an email targeted at an important person — or a “big fish” — who can provide entry to a cache of the most important data. It starts with basic reconnaissance (like looking at Facebook and LinkedIn profiles) to create a portrait of a prominent individual, then using that portrait to create an email that he or she is sure to click on. In the Democratic National Committee hack in 2016, those emails were just spoofed to look like security updates from Google, according to the indictment.
To prevent this type of attack, the DNC could have done much more in terms of “basic cyber hygiene,” according to Amit Yoran, a founding member of the U.S. Computer Emergency Response Team, the arm of Homeland Security that reacts to major cyberattacks in the U.S. Patching systems and using two-factor authentication, which involves verifying a person’s identity using more than simply a password, would have greatly mitigated the damage the Russian agents could do, he said.
Not only does it show how preventable the incidents surrounding the attacks on the DNC could have been but the increasingly integral role private-sector companies have on the front lines of national defense, he said.
The Russians allegedly took a multi-pronged approach to the Democrats’ congressional and presidential campaigns, as well as the elections systems in several U.S. states. According to the indictment, a software vendor was the conduit to one attack against the voting registration system in Florida.
When the DNC realized they’d been hacked, they called in an American consulting firm to help. That company, which was not named in the indictment, removed many instances of malware left on DNC machines by the Russians.
However, that firm didn’t rid the committee’s servers of all instances of the malware, according to the Justice Department. Some malware remained, according to the indictment, and the Russians continued operating. Also, in the process of working on DNC computers, the consulting firm made their presence known to the attackers. Typically, that is not something a cybersecurity response firm wants to do.
The Russians were then able to find “countermeasures” to get around those defenses, prosecutors said.
For corporations watching and wondering what this might mean for the private sector: “At the most basic level, you’ve got to be able to defend yourself,” said Yoran, who now serves as chief executive of cyber-risk management company Tenable. “The rule of law isn’t well established in cyberspace. You’ve got to put in place reasonable protections and reasonable measures.”
Government agencies have increasingly been relying on private companies to both protect against and help assist in mitigating attacks from other nations, said Tom Kellermann, chief cybersecurity officer for security software company Carbon Black and a former information security officer with the World Bank. Kellermann estimated 90 percent of the country’s critical infrastructure is owned by the private sector. “Critical infrastructure” is a Department of Homeland Security term referring to 16 industry sectors including finance, the chemical sector, the communications industry, energy and critical manufacturing.
In early 2017, elections infrastructure was also added to that definition as a result of the attacks from Russia, giving DHS greater agency to assist state governments in readying for the next series of attacks. But in practice, that purview has extended only to the state attorneys general, not the companies supplying them with technology, voting machines, cloud services and databases.
According to people familiar with the matter, during the time revelations were surfacing about the attacks against the DNC, the committee decided to use private firms rather than take assistance from Homeland Security. (A spokesperson for the DNC disputes this, saying they did not hear from DHS until August, and that they provided materials when requested.) Kellermann said that the attacks illustrate how a better partnership between government agencies and the private sector, including better visibility into how attacks are taking place across industries and agencies at once, could help reduce the damage of incidents like this in the future.