
Network security foiled hack attempts into RNC


While American intelligence agencies claim Russian hackers are behind the intrusion into computers belonging to the Democratic National Committee (DNC), similar hack attempts failed to penetrate systems belonging to the Republican National Committee (RNC), according to the Wall Street Journal.

However, the efforts by Russian intelligence to penetrate the RNC were "less aggressive" and "much less persistent," people close to the investigation told the WSJ. Only one email account on the Republican side was targeted and that belonged to an RNC staffer who had left the organization long before the campaign gained steam.

Hackers did send phishing emails to the RNC last spring, in much the same manner as attacks which hit the DNC and other Democratic organizations and staffers. But a spam filter quarantined those suspicious emails, officials told the WSJ.

Additionally, following the public exposure in June of the incursion into the DNC, officials at the RNC, concerned that their network might also have been penetrated, hired a private computer security firm. The unnamed company then contacted the FBI and received intel on how to distinguish malicious emails. Knowing precisely what to look for, the firm determined that the electronic filters already in place had indeed stopped the spam delivered to a former employee.

But, the WSJ stated that the same hackers who successfully penetrated the DNC did manage to siphon off emails from Republican state-level officials. Those emails were then published on a website, DCLeaks, which experts have associated with the same Russian actors – the COZY BEAR and FANCY BEAR APT groups – alleged to have targeted the DNC and Hillary Clinton's presidential campaign. The emails, however, are mundane and reveal little more than ordinary correspondence with constituents. And, they received little media attention, unlike the purloined messages stolen from the other side and published by WikiLeaks, which displayed back-room dealings by Democratic staffers to sabotage the efforts of Mrs. Clinton's rival, Vermont Sen. Bernie Sanders, as well as casting suspicion on whether while secretary of state she granted favors to benefactors of her family's charitable foundation.

There still is speculation that the RNC might have been penetrated and data stolen and just not released yet. The cyberthieves are holding the information to use later in blackmail schemes, some experts say.

"It would be naive [for Republicans] to think they weren't targeted," Michael Buratowski, a senior vice president at Fidelis Cybersecurity, which investigated the hack of the DNC, is quoted as saying in the WSJ report. His firm performed an independent review of malware and other data and agreed with initial examinations by CrowdStrike and other security firms that the COZY BEAR (aka APT 29, CozyDuke) and FANCY BEAR (aka APT 28, Sofacy) APT groups were behind the attacks on the DNC. CrowdStrike has stated the groups are associated with GRU, Russia's largest foreign intelligence agency.

Buratowski said he was not surprised to find that the RNC was penetrated as the motive of the suspects is simple: steal data from anywhere.

After initial cloudiness about whether the FBI and the CIA saw eye to eye on whether it was Russians behind the hacks, on Friday, unnamed U.S. officials are quoted in a Washington Post report stating that both FBI Director James B. Comey and Director of National Intelligence James R. Clapper Jr. were in agreement with a CIA assessment that "Russia intervened in the 2016 election in part to help Donald Trump win the presidency."

Tom Kellermann, CEO of Strategic Cyber Ventures (and former CISO of Trend Micro), agreed in comments sent to SC Media on Friday. "As illustrated in the Pawn Storm campaign, they orchestrated the attacks," he wrote. "Given the Pawn Storm research, cybermilitias paying homage to the regime, directed by the regime, conducted the attacks."

Virtual patching and deception grid technology would have thwarted these attacks, he added. "Geopolitical tensions serve as harbingers for cyberattack. Russian colonization of American cyberspace continues unabated. It is time for the U.S. to act."

Phishing is only the first of multiple steps in a cyberattack and, by itself, inflicts no harm, John Worrall, CMO at CyberArk, wrote in a Dec. 5 blog post. But once hackers are in a system, there are strategies security pros can implement. Worrall wrote that: "Least privilege controls on endpoints can be very effective at preventing the installation of ... malicious applications. Privileged account security can prevent attackers from accessing the credentials necessary to gain access to servers, domain controllers or industrial control systems."

But, without solid evidence, other experts are not ready to accept the allegations. "Thus far all claims of alleged Russian involvement in the DNC and RNC hacks have been made by either law enforcement agencies or cybersecurity companies directly involved in the investigation," Andrei Barysevich, director of advanced collection at intelligence firm Recorded Future, told SC Media.

Regardless, there are methods to prevent phishing attacks, and enterprises can do better at educating their employees not to click on suspicious links, he said. "Rigorous hands-on training of employees, such as explaining common methods and techniques utilized by miscreants to attack victims is crucial."

Barysevich offered several steps:

  • Employees should exercise extreme caution when clicking on hyperlinks. Simply hovering over the link will immediately highlight its hidden destination.
  • Website security certificates must be confirmed in the browser's status bar. Not only will a website with a valid certificate begin with "https," but the name on the certificate will match the website. It is a common practice among criminals to obfuscate fraudulent resources with stolen or fake certificates.
  • Malicious macros embedded in Microsoft Office documents remain the most abused method of infecting the victim. Recipients must be wary of any document requiring activation of macros and it should be turned off by default.
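The first and third of these checks can also be run mechanically on the receiving side. The following Python script is an added example, not code from the article or from Recorded Future: it flags anchors whose displayed URL names a different host than the real href (the mismatch that hovering exposes) and detects a VBA project inside an OOXML attachment. The HTML body, the example hosts and the minimal zip are constructed samples.

```python
import io, re, zipfile
from urllib.parse import urlparse

# Anchor tags as (href, visible text); a regex is enough for this demo, but a
# production mail filter should use a real HTML parser.
_ANCHOR = re.compile(r'<a\s[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
# Visible anchor text that itself looks like a URL or bare domain name.
_LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

def mismatched_links(html):
    """Return (shown_text, real_href) pairs where the host the text displays
    differs from the host the link really points at (what hovering reveals)."""
    bad = []
    for href, text in _ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()  # drop inline tags like <b>
        if not _LOOKS_LIKE_URL.fullmatch(text):
            continue  # "Click here" style text: nothing to compare against
        shown = urlparse(text if "://" in text else "https://" + text).hostname
        real = urlparse(href).hostname
        if shown and real and shown.lower() != real.lower():
            bad.append((text, href))
    return bad

def has_vba_macros(data):
    """True if an OOXML file (docm/xlsm/pptm...) embeds a VBA project. Legacy
    OLE .doc/.xls is not covered, and a non-zip payload reports False."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False

def make_sample_ooxml(with_macro):
    """Minimal constructed OOXML zip for demonstration, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()

# Constructed phishing-style body: the displayed URL and the real target differ.
SAMPLE_HTML = ('<p>Your mailbox is full. Review it at '
               '<a href="http://login.example-mail.net/reset">'
               'https://mail.example.org/account</a> or read '
               '<a href="https://docs.example.org/help">docs.example.org</a>.</p>')

if __name__ == "__main__":
    print(mismatched_links(SAMPLE_HTML))
    print(has_vba_macros(make_sample_ooxml(True)), has_vba_macros(b"not a zip"))
```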

"Ideally, a company should regularly perform controlled phishing experiments, with the goal of raising threat awareness and identifying likely traps that its employees are receptive to," Barysevich told SC Media.

He further advised that the computer operating system and anti-virus protection must be up to date and updated on a timely basis.

"The best advice I would give is to follow your intuition," Barysevich said. "If you feel something isn't right, it probably isn't. Criminals can easily spoof email addresses to look legit. Call or email the sender to verify the file is safe to open. It is better to be over cautious than to put the organization in danger."
