Less than six hours after Donald Trump won the presidential election, individuals working for think tanks and non-governmental organizations, received in their email inboxes malware-infested links to PDF downloads promising a postmortem analysis of the greatest political upset since Truman defeated Dewey.
Adding insult to injury, two of the five waves of spear-phishing attacks on a few hundred very targeted individuals appeared to be messages forwarded by the Clinton Foundation, according to Steven Adair, CEO of the Washington, D.C.-area security firm Volexity, which announced the attacks were engineered by hackers known as The Dukes.
“Other people have said [The Dukes] are definitely related to Russia, or maybe work for the [Russian] government,” Adair says, stopping short of attributing the attacks to the country. Nevertheless, he believes The Dukes fall into the nation-state category. “They have the resources and capabilities and the way they operate is not a volunteer effort by a group of hobbyist hackers,” Adair says. These attackers, he adds, typically have deliberate goals to find out specific policy plans or information.
The Nov. 9 attacks tracked by Volexity were preceded by similar breaches in August in which the Dukes pretended to be from the Council on Foreign Relations and targeted individuals at specific NGOs and think tanks. The spoof monitored and then mimicked typical email communications with executive and legislative branch staffers.
Regarding the more recent spear-phishing attack, Adair says he would not be surprised if the number of recipients exceeds a thousand.
In any case, the attacks appear to be the work of ad hoc freelancers sanctioned by an official government agency seeking to gain specific information, such as policy plans.
A continual flow of WikiLeaks disclosures leading up to Election Day left a trail of evidence, according to U.S. intelligence, that Russian tampering had indeed occurred on the networks of Hillary Clinton's campaign and at the Democratic National Committee (DNC).
Dmitri Alperovitch, CTO of Irvine, Calif.-based CrowdStrike, which the DNC brought in to investigate intrusions into its network, stands fully by its June 2016 assertion that two nation-state adversaries in Russia – Cozy Bear and Fancy Bear – pulled off the attack. The company considers the entities to be “some of the best adversaries out of all the numerous nation-state, criminal and hacktivist/terrorist groups we encounter on a daily basis.”
While the email hacks of Clinton campaign chairman John Podesta and the DNC might have suggested a complicated Russian conspiracy, “the fact of the matter is, the simple stuff still works,” says John Bambenek, threat systems manager of Bethesda, Md.-based Fidelis Cybersecurity, adding that Podesta's hack was a simple password-reset phish. “The security industry has been talking about those over a decade,” Bambenek adds.
Whether the hackers are sanctioned by the official governments or are working on their own, “depends on the specific adversary in question and is not generalizable across all state-sponsored actors,” points out Robert Simmons, director of research innovation at Arlington-Va.-based ThreatConnect.
Most nation-state intrusions observed by CrowdStrike are being conducted by government personnel working for intelligence or military agencies, Alperovitch says.
Simon Gibson, fellow security architect for Santa Clara, Calif.-based Gigamon, believes nation-state attacks are a combination of “very concerted efforts within governments to do this type of thing and hackers for hire.”
He cites the 2015 attack on the Office of Personnel and Management (OPM) as an example of the importance of figuring out who will benefit from a breach. “With OPM, clearly it was counter-intelligence for nation states being able to understand who had an SF86 [Standard Form 86 security clearance] file in the database,” Gibson notes.
These types of attacks are focused on “collecting information and assets in a very organized way to be potentially be used in the future as part of larger campaigns,” says Daniel Miessler (left), director of advisory services at Seattle-based IOActive.
Publicly pointing fingers at responsible parties may gain headlines, but it behooves the accuser to be right to retain credibility. In the high-profile attack two years ago on Sony Pictures Entertainment (SPE), President Obama and the Federal Bureau of Investigation squarely blamed North Korea for the assault that crippled the company's operations for months. While Mandiant convinced the U.S. government and Sony that North Korea was the culprit, numerous security firms – including Kaspersky Lab and AlienVault, as well as a Novetta-led consortium calling themselves Operation Blockbuster – concluded attribution in this case was inherently unreliable and based on circumstantial evidence.
“While the infrastructure used in the SPE attack overlaps with infrastructure attributed to malicious cyberactivity linked to North Korea, previously malicious IP addresses are not necessarily still used by the same attackers,” the February 2016 Novetta report stated.
“Attribution is never definitive because with enough knowledge and preparation, a sophisticated adversary can masquerade as a different threat actor,” cautions James Scott, senior fellow at the Institute for Critical Infrastructure Technology (ICIT), a Washington, D.C.-based think tank.
Gibson (left) also is hesitant to definitively attribute attacks because those responsible are usually clever at masking their actions or pretending to be someone else. And Scott notes that every incident has indicators of compromise (IoCs) that can be forensically analyzed to inform a threat actor profile, which can be compared to those of likely known cyberadversaries.
“Russia and China host the most sophisticated, most numerous, and best resourced collections of APTs [advanced persistent threats],” Scott adds. “However, sophisticated APTs, which may be state-sponsored have also been attributed to Brazil, Iran, India, France and other nations.” Pakistan and other parts of Eastern Europe, Asia, and South America have also been added to the list by other sources.
And, let's not forget the U.S. itself. President Obama and Vice President Biden in mid-October publicly promised retaliatory attacks against Russian targets that U.S. intelligence believed to be responsible for the attacks on the Clinton campaign and the DNC.
However, Gibson warns, “If you don't know attribution with one hundred percent certainty, retaliation is difficult.”
Of course, espionage between countries is nothing new. “In the U.S., we tend to focus on Russia, China, North Korea, and so on,” notes Bambenek. “Other nations might look at the United States, the United Kingdom and other NATO powers.”
Israel Barak, CISO of Boston-based Cybereason, expects terror organizations to draw talent from the Russian, Eastern European and Iranian talent pool, “aimed at disrupting and endangering human lives by cyberattacking national critical infrastructure.”
Cyberjihadists that use technological means to bring terror and chaos to the U.S. and its allies are rapidly advancing their cyberoffensive capabilities and resources, Scott notes.
Two years ago, Volexity tracked Chinese government hackers who attacked pro-democracy targets in Hong Kong and Taiwan, notes Adair, adding that the effort continued on political websites this year. Tactics often used include hijacking domain-name providers and modify settings within servers, adding an “exploit to a place they cared about.”
Gibson notes The New York Times was attacked for four months in 2013 by the Chinese government because it wanted to know who the newspaper's sources were who were reporting that the relatives of Wen Jiabao, China's former prime minister, had through business dealings accumulated a fortune worth several billion dollars.
“If you match a state cyberoffense team against nearly any target, including other states, the chances of defending over long periods of time are quite low,” Meissler says. “And when states are attacking less mature targets, such as most corporate and government entities, there is really very little that can be done to defend.”
Electric grids remain a target for cyberattacks, notes David Zahn, (right) general manager of the cybersecurity business unit for PAS, a Houston-based provider of process safety, cybersecurity and asset services for the energy, power, and process industries.
“The vast majority of critical infrastructure organizations lack the manpower, technologies and in some cases even the awareness, to have a defensive posture that can match a nation-state adversary,” Barak notes.
Basic cyberhygiene is still lacking. “Most organizations still have problems keeping core software patched,” John Bambenek, (below left)threat systems manager, Fidelis Cybersecurity
points out. “Of course, the human factor is still the biggest concern because people can fall prey to deception or social engineering.”
Similarly, Barak is concerned about how poorly protected American interests are in both the public and private sectors. “Critical infrastructure organizations, many of which are commercial enterprises and industrial facilities, are every country's soft belly, especially in the United States,” he says.
Zahn agrees. “In the world of industrial control systems (ICS) – which are the systems that run refineries, power plants, trains and even our favorite rides at Disneyland – we are not well protected. Here is a sobering fact: Many industrial plants today lack an automated inventory of all their cyberassets relying primarily on tracking incomplete spreadsheets. How can you secure what you cannot see?”
Gibson attributes the acceleration of nation-state attacks to “our reliance and dependence on connected information technology. The more valuable it is, the more it's attacked.”
The vast majority of such organizations, sums up Barak, “lack the manpower, technologies and, in some cases, even the awareness to have a defensive posture that can match a nation-state adversary.”