Amidst the recent nonstop news cycles, you may have missed the latest published reports, in which the Democratic National Committee described yet another round of malicious Russian cyber activity targeting DNC email accounts during November 2018. This news comes on the heels of the US, United Kingdom, and Dutch governments issuing a joint statement with a detailed account of malicious Russian GRU cyber activity between December 2014 and May 2018.
The corresponding indictment detailed the efforts of Russian agents to hack anti-doping agencies, sporting federations, industrial manufacturer Westinghouse Electric Corporation (WEC), and the international Organization for the Prohibition of Chemical Weapons (OPCW). Most of the techniques in these attacks are widely used, both by APTs and by hundreds (if not thousands) of organized criminal gangs around the world.
The breadth of attacks shows that the GRU is not just interested in disrupting geopolitics but rather has equal interest in manipulating the enterprise as well. This article will highlight 3 practical takeaways relevant to corporate IT and Cybersecurity teams. These takeaways focus specifically on the remote hacking and account access techniques leveraged by the GRU, which corporate IT / Security teams are much more likely to encounter than the “on site” hacking techniques that are referenced in the indictment.
By far the most common technique leveraged in these attacks was good old spear phishing: messages that attempt to resemble emails from trustworthy senders in order to trick recipients into clicking hyperlinks in the messages. These links often direct recipients to spoofed websites (webmail login pages, VPN login screens, password reset pages, etc.), enabling attackers to harvest their credentials. These are not your ‘Nigerian Prince’ caliber of spam/phishing emails – we’re talking highly tailored phishing emails crafted specifically to fool a handful of targeted individuals, leveraging detailed research on those individuals (via social media and other publicly available information), the functional teams they work in, the executives they report to, and of course the company they work for.
Let’s examine the Westinghouse attack, in which the GRU targeted employees working on “advanced nuclear reactor development” technologies. After doing initial technical reconnaissance on WEC employees and IT infrastructure, attackers:
registered a fake domain and website, https://webmail.westinqhousenuclear.com to mimic a legitimate WEC domain. Spear phishing emails were sent to at least five WEC employees, designed to appear as routine emails from the Westinghouse.com Microsoft Exchange Server. Upon clicking an enclosed link, users were directed to the spoofed domain where their login credentials were stolen and saved. Once stolen credentials were determined to be authentic by the conspirators, victims were then re-routed to the original, legitimate WEC network so that they were unaware that the theft of their passwords had occurred.
Similarly, in attacks on the World Anti-Doping Agency (WADA), hackers registered the domain “wada.awa.org” and uploaded a spoofed version of WADA’s legitimate website (wada-ama.org). Attackers then:
sent spearphishing emails to eleven WADA employees, appearing to be from the WADA Chief Technology Officer, which prompted the employees to click on the link to authenticate their WADA email accounts.
It’s not shocking to see spoofing and spear phishing being leveraged in these attacks. What is shocking is how overwhelmingly effective it was. This was not a case of the proverbial “one employee who will click on anything”. A number of the half dozen WEC employees targeted handed over their credentials. Four out of 11 targeted WADA employees similarly clicked the link in a spoofed email they thought was from their Chief Technology Officer, subsequently handing over their account login credentials to attackers.
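Both campaigns above relied on domains that are one character or one hyphen away from the real thing. The following checker, added here as an example and not code from the original article, normalises common look-alike characters (the q-for-g swap in westinqhousenuclear.com), then compares sender and link hosts against a list of known-good domains by registrable domain, edit distance and brand-name substring. KNOWN_GOOD and SAMPLE_MESSAGES are constructed for illustration; the Westinghouse and WADA hosts are the ones quoted from the indictment.

```python
"""Flag sender and link domains that imitate an organisation's real domains.

Added example, not code from the original article. The GRU domains quoted
above either swap one character (westinqhousenuclear.com, q for g) or move the
real name into a different registrable domain (wada.awa.org for wada-ama.org).
This checker normalises common look-alike characters, then compares the
registrable domain and the edit distance against a list of known-good domains.
KNOWN_GOOD and SAMPLE_MESSAGES are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Hypothetical list of domains the organisation and its partners legitimately use.
KNOWN_GOOD = ["westinghousenuclear.com", "westinghouse.com", "wada-ama.org"]

# Character sequences attackers substitute because they look alike in common fonts.
HOMOGLYPH_PAIRS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("q", "g")]

def normalise(host: str) -> str:
    host = host.lower().strip(".")
    for look, real in HOMOGLYPH_PAIRS:
        host = host.replace(look, real)
    return host

# Known-good domains in the same normalised form, mapped back to the real name.
NORMALISED_GOOD = {normalise(g): g for g in KNOWN_GOOD}

def registrable(host: str) -> str:
    # Last two labels; fine for .com/.org, production code uses the Public Suffix List.
    return ".".join(host.split(".")[-2:])

def squash(s: str) -> str:
    """Drop dots and hyphens so 'wada.awa.org' and 'wada-ama.org' compare character by character."""
    return re.sub(r"[^a-z0-9]", "", s)

def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host: str) -> tuple:
    """Return ('trusted', None), ('lookalike', imitated_domain) or ('unknown', None)."""
    host = host.lower().strip(".")
    if registrable(host) in KNOWN_GOOD:
        return ("trusted", None)
    norm = normalise(host)
    if registrable(norm) in NORMALISED_GOOD:          # homoglyph swap in the registrable domain
        return ("lookalike", NORMALISED_GOOD[registrable(norm)])
    for good_norm, good in NORMALISED_GOOD.items():   # one or two edits away from a real domain
        if levenshtein(squash(norm), squash(good_norm)) <= 2:
            return ("lookalike", good)
    for good_norm, good in NORMALISED_GOOD.items():   # real brand name inside a foreign domain
        if squash(good_norm.rsplit(".", 1)[0]) in squash(norm):
            return ("lookalike", good)
    return ("unknown", None)

def host_of(value: str) -> str:
    """Extract the host from either an e-mail address or a URL."""
    if "://" not in value and "@" in value:
        return value.rsplit("@", 1)[1].lower()
    return (urlparse(value).hostname or "").lower()

# Constructed messages modelled on the two campaigns described in the article.
SAMPLE_MESSAGES = [
    {"from": "it-helpdesk@westinghouse.com", "link": "https://webmail.westinqhousenuclear.com/owa/"},
    {"from": "cto@wada.awa.org", "link": "https://wada.awa.org/login"},
    {"from": "newsletter@westinghouse.com", "link": "https://mail.westinghouse.com/"},
    {"from": "partner@cisco.com", "link": "https://westinghouse-login.net/vpn"},
]

def scan(messages) -> list:
    """Return (field, host, imitated_domain) for every look-alike found."""
    findings = []
    for message in messages:
        for field in ("from", "link"):
            host = host_of(message[field])
            verdict, target = classify(host)
            if verdict == "lookalike":
                findings.append((field, host, target))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_MESSAGES):
        print("%-4s %-40s imitates %s" % finding)
```

Run against the constructed messages it flags the Westinghouse webmail host as a homoglyph of westinghousenuclear.com, both WADA hosts as one edit away from wada-ama.org, and westinghouse-login.net as a brand name inside a foreign domain, while letting mail.westinghouse.com and cisco.com through. The edit-distance threshold of 2 is deliberately loose; with very short brand names it will need tightening, and a mail gateway would feed its findings into quarantine rather than just print them.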
These anecdotes highlight the efficacy (and risk) of modern spear phishing / spoofing attacks, and make clear the need to invest in technologies and training to defend against them. Some enterprises have attempted to combat spoofing/impersonation attempts by using DKIM (DomainKeys Identified Mail). DKIM signs outbound mail so that receivers can verify it really came from the claimed domain; together with SPF and a DMARC policy of quarantine or reject, it lets receiving servers drop mail that forges your exact domain (for example, a message claiming to be from the CTO’s real address). It does nothing against a look-alike domain the attacker has registered, such as webmail.westinqhousenuclear.com above, because mail from that domain is legitimately signed by the attacker. DKIM can work well when deployed, but it is cumbersome to roll out across every system that legitimately sends mail on your behalf and easy to misconfigure. Consequently, despite being a powerful solution, DKIM has not been widely deployed across enterprises. To this end, I recommend deploying technology solutions that are turnkey to deploy and similarly free employees of the burden of evaluating the authenticity of each individual message that appears in their inbox.
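To make concrete what DMARC does and does not stop, here is an added example (not code from the original article) of the decision a receiving mail server makes: it looks up the DMARC record of the From: domain, checks whether SPF or DKIM passed for an aligned domain, and otherwise applies the published policy. The records and messages are constructed; wada-ama.org appears only as the example From: domain, and bulk-mailer.example and wada.awa.org stand in for attacker-controlled sending domains.

```python
"""Evaluate DMARC for a message: added example, not from the original article.

A receiving mail server looks up the DMARC record of the domain in the From:
header, checks whether SPF or DKIM passed for an *aligned* domain, and applies
the published policy otherwise. The records and messages below are
constructed for illustration.
"""

def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s' into a dict with RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")       # disposition for mail that fails authentication
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")       # relaxed SPF alignment by default
    return tags

def org_domain(domain: str) -> str:
    # Last two labels; production code uses the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed accepts the same organisational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(from_domain, dkim_results, spf_result, record) -> str:
    """Return 'pass', or the policy action ('none', 'quarantine', 'reject').

    dkim_results: list of (d= domain, signature_valid) pairs
    spf_result:   (MAIL FROM domain, spf_passed)
    """
    policy = parse_dmarc(record)
    dkim_ok = any(valid and aligned(d, from_domain, policy["adkim"]) for d, valid in dkim_results)
    spf_domain, spf_passed = spf_result
    spf_ok = spf_passed and aligned(spf_domain, from_domain, policy["aspf"])
    if dkim_ok or spf_ok:
        return "pass"
    return policy["p"]

# Constructed records: a monitoring-only policy and an enforcing one.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@wada-ama.org"
STRICT_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@wada-ama.org"

# Constructed message 1: the attacker forges the exact domain in From:, but SPF and DKIM
# authenticate the attacker's own sending domain, so neither result is aligned.
FORGED = dict(from_domain="wada-ama.org",
              dkim_results=[("bulk-mailer.example", True)],
              spf_result=("bulk-mailer.example", True))

# Constructed message 2: the organisation's real mail system signs with a subdomain.
LEGIT_SUBDOMAIN = dict(from_domain="wada-ama.org",
                       dkim_results=[("mail.wada-ama.org", True)],
                       spf_result=("mail.wada-ama.org", True))

def run_examples() -> dict:
    return {
        "forged_weak": dmarc_disposition(record=WEAK_RECORD, **FORGED),
        "forged_strict": dmarc_disposition(record=STRICT_RECORD, **FORGED),
        "legit_relaxed": dmarc_disposition(record=WEAK_RECORD, **LEGIT_SUBDOMAIN),
        "legit_strict": dmarc_disposition(record=STRICT_RECORD, **LEGIT_SUBDOMAIN),
        # Look-alike domain: From: is the attacker's own domain, so the attacker's own
        # record is consulted and the attacker's own DKIM signature is aligned.
        "lookalike": dmarc_disposition("wada.awa.org", [("wada.awa.org", True)],
                                       ("wada.awa.org", True), "v=DMARC1; p=reject"),
    }

if __name__ == "__main__":
    for name, result in run_examples().items():
        print(f"{name:14s} -> {result}")
```

Two results are worth noting. With p=none the forged exact-domain message is still delivered (the record only asks for reports), so the policy has to reach quarantine or reject before it protects anyone. And the strict record rejects the organisation’s own subdomain-signed mail, which is the misconfiguration that makes enterprises back off enforcement; inventory every legitimate sender before moving past p=none. The look-alike case passes under any policy you publish, which is why the training and look-alike detection above still matter.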
The majority of techniques referenced in the indictment involved stealing employee user names and passwords (either via a spoofed login page, or via malware/key loggers) and subsequently using those credentials to remotely login to the victim’s account from another country. This is indicative of the threat landscape corporate IT and Security teams face every day – stolen passwords being re-used by attackers to gain remote access to mailboxes, corporate systems, and file servers. For example, after stealing login passwords of WADA employees via the spoofed CTO phishing email, attackers accessed the email accounts of four WADA employees using those stolen passwords.
CIOs and CISOs should realize that good old fashioned password theft and re-use can pose a significant risk to their organization. I recommend companies deploy solutions that keep accounts secure even when employee user names and passwords are stolen. Consider solutions that rely on end-to-end encryption instead of passwords, for example. Alternatively, companies can deploy 2FA, with two caveats. SMS-based 2FA can be bypassed, whether by SIM swapping or by a spoofed login page that relays the code to the real site within its validity window (a trick that defeats app-generated one-time codes as well). Hardware 2FA keys resist that relay, because the credential is bound to the genuine site’s origin, but they are cumbersome to deploy and maintain in an enterprise context.
Cyber attackers often find a number of ways to use your vendors and business partners against you. One simple way they do this is by spoofing the vendor login page of a technology product used by your company. For instance, upon learning that WADA used a particular Cisco VPN product, attackers sent spoofed emails that appeared to be from a WADA IT Manager, asking employees to update their Cisco client (which in turn prompted them to enter their credentials). IT and Security teams should assume that with basic reconnaissance, attackers will have a relatively thorough picture of some if not all of the technology solutions used by your company. Armed with this information, it is quite likely attackers will incorporate spoofed versions of familiar vendor interfaces into spear phishing attacks.
I recommend that corporate IT / Security teams incorporate this attack vector into their security training programs. Better yet, companies can altogether protect themselves against compromised vendor/partner email accounts by making secure email solutions available to the 3rd parties with which they work.
Although the Russian GRU makes for an effective ‘boogeyman’, many of the corporate IT and Security teams we speak with perceive a low likelihood of their company becoming a high value target for the GRU (or similar nation state actors). While this logic makes sense, what they’re missing is the ease with which copycats (ranging from organized criminal gangs to script kiddies) can replicate the spear phishing / spoofing playbooks proven to work by the GRU.
Given the ease of executing these attacks at a distance and the limited skills and time required to implement them, I recommend that corporate IT and Security teams prepare their organizations to deflect the accelerating pace of highly targeted attacks on employee mailboxes and file systems. Preparation begins with understanding the tactics, techniques, and procedures summarized in this article and putting the corresponding defenses in place.
To learn more about how to start encrypting your business communications,