Elite hacker groups rarely target small businesses. They tend to hunt bigger game, like military, government, and corporate systems.
But did you know that these elite groups use some of the same tactics that plague small businesses every day?
A perfect example surfaced on Thursday in a report from the FBI and DHS about the cyberattacks on the Democratic National Committee.
Download the full report here: GRIZZLY STEPPE – Russian Malicious Cyber Activity
DNC Hacks used Phishing Emails
The report describes how two hacker groups breached the systems of a “U.S. political party.”
It’s safe to assume the “political party” is the Democratic National Committee, which had its email systems breached multiple times during the U.S. presidential race.
The attacker groups are dubbed APT 28 and APT 29 (for “advanced persistent threat”) and are said to be part of the “Russian civilian and military intelligence services.”
So, how did these elite hackers breach the DNC?
With spear phishing emails.
Spear phishing is a flexible weapon
Yes, the same basic “fake email” tactic that has polluted inboxes for over a decade is the same one used to breach one of the largest political organizations in the U.S.
Phishing emails are so common in cyberattacks that we published an email phishing special report last year to help IT professionals combat them.
Although both APT 28 and APT 29 launched their attacks with phishing emails, their overall strategies varied considerably.
Their two approaches to the DNC hacks illustrate the main ways spear phishing emails are used today.
First DNC Hack: APT 29
The first attack began in summer 2015 when the group known as APT 29 sent spear phishing emails to more than 1,000 addresses.
The emails used a common phishing technique: malicious attachments. The recipients were tricked into opening what appeared to be a harmless file but instead was malware.
Someone at the DNC must have received and open one of the attachments. This allowed APT 29 to do the following:
- Install malware on the victim’s system
- Establish persistence
- Escalate privileges
- Steal emails from several DNC accounts
- Exfiltrate emails to the attackers’ infrastructure via an encrypted connection
This is a perfect example of how a simple phishing email can spiral into a massive data breach like the DNC hack.
Second DNC Hack: APT 28
The second attack began in spring 2016, also with phishing emails.
However, instead of delivering malware, the emails from APT 28 used a different approach: trick users into sharing their passwords.
The emails asked victims to reset their passwords and provided a link to do so. Clicking the link brought victims to a spoofed webmail domain. There they entered their credentials and thereby gave APT 28 the keys to their mailbox.
This likely began a chain of events similar to one described above in the APT 29 hack, but there the report is less specific.
It says only that the stolen credentials provided access “likely leading to the exfiltration of information from multiple senior party members.”
The second DNC hack is an example of how a network can be breached – not with sophisticated malware – but with a simple, deceitful email and webpage.
Tips to Dodge Spear Phishing Emails
The first half of the FBI and DHS report describes the attacks on the DNC and attributes them to Russian-backed groups. The second half shares advice on how to prevent similar attacks.
The tips are pretty helpful and wide ranging – spanning from general network security best practices to protection against SQL injection attacks.
Below are some tips it provides to avoid spear phishing attacks:
SPF email validation
Implement a Sender Policy Framework (SPF) to prevent the spoofing of your email addresses. You can learn how here.
SPF allows you to specify the hosts that are authorized to send email from your domain. This makes it harder for attackers to send emails to your users that appear to come from an internal email address.
Think outside of email
Phishing is not limited to email. Attackers may attempt to call users or message them on social media to get them to share personal or professional details that can be used in an attack.
Teach users to be suspicious of all unsolicited messages, whether online or by phone. Teach them to refuse to provide personal or professional information unless they are certain of the person’s authority to have such information.
Check links and URLs
Teach users how to judge a URL. Explain the basics, such as:
- Difference between domains and subdomains
- Ways attackers create misleading URLs (crafty misspellings, .net instead of .com, etc.)
- Check for HTTPS and other security indicators on pages that request information
Also train users to review links before clicking them. Ask them to over the mouse over links to review the URL before clicking.
Contact senders directly
If users are unsure about the legitimacy of an email, they should contact the alleged sender directly.
Teach them to disregard any contact information in a suspicious email and use only information from trusted sources.
Be sure to use an email filter that prevents spam and malicious email from reaching users. This can stop problems before they start.
Also consider using an email filter that includes a quarantine. This is a safe portal through which suspicious emails can be reviewed without risking compromise.
Patch, patch, patch
As always, patch all systems for critical vulnerabilities. Check for patches and apply them automatically where possible. Prioritize patching software that handles web data, such as browsers, browser plugins, and Adobe Reader.
Email phishing will continue
Phishing emails are sent every day by groups that range from lone-wolves to nationally financed attack teams. Automated systems also pump them out by the millions.
Email is a primary channel through which attackers can breach an organization. A network security strategy is hopeless if it fails to address this problem.
FBI and DHS report: GRIZZLY STEPPE – Russian Malicious Cyber Activity