In August 2015, Russian hackers reportedly breached an email system used by the Joint Chiefs of Staff, stealing senior officials' credentials. But was it a targeted hack or a crime of opportunity?

An unclassified e-mail system used by the U.S. Joint Chiefs of Staff, their chairman and his support staff was infiltrated by Russian hackers in August 2015, according to a CBS News report, citing former Joint Chiefs Chairman Martin Dempsey.

Dempsey, who was chairman at the time of the system breach, told the news organization that the perpetrators stole passwords and electronic signatures belonging to him and hundreds of other senior officers. Although the hackers did not gain any intelligence from the attack, the incursion did force Pentagon officials to fully take the network down and spend two weeks replacing hardware and software.

The email system is used by the Pentagon's Joint Staff, composed of roughly 3,500 military officers and civilians working for the chairman. According to the news report, the attack started with 30,000 malicious emails sent to a university on the West Coast. Of those emails, four were forwarded on to members of the Joint Staff, one of which was opened.

Just one in 30,000 was all it took to incite chaos.

One might jump to the conclusion that this attack was the work of a Russian advanced persistent threat group. However, John Bambenek, manager of threat systems at Fidelis Cybersecurity – one of the companies whose analysts concluded that Russian APTs Fancy Bear and Cozy Bear hacked the Democratic National Committee – expressed skepticism that a nation-state threat group was involved.

“It would appear odd to me that [a foreign] intelligence agency would send 30,000 emails to a single university as a foothold to pivot to the Joint Chiefs of Staff,” said Bambenek, in an email interview with SC Media. “Without having investigated this directly, this strikes me as routine phishing in ‘napalm-the-earth style’ that got forwarded to military contacts and then spread organically from there.”

Still, news of this 2015 incident adds to the growing narrative that Russian hackers have been relentlessly penetrating U.S. assets and institutions such as the DNC, the Democratic Congressional Campaign Committee and the Election Assistance Commission, and also interfered in the 2016 presidential election. But at least from first impressions, Bambenek does not think this particular incident was quite so Machiavellian.

“The government may have more information that leads them to believe otherwise, but based on a spam run to a university pivoting to the military, combined with the somewhat sensationalized media reporting… my educated suspicion is that this was a criminal, not intelligence, actor” who just happens to be Russian or sympathetic to Russian interests, said Bambenek. But, “Once the attackers realized what they had, [they] decided to engage in some sabotage.”