The 12 Russian operatives indicted by the Justice Department waged a campaign of well-executed espionage and novel technical engineering, coupled with rudimentary computer attacks.
That last part is key. Their tools may have been top-notch and their manipulation may have been slick, but the mode of entry was old-school and beatable, according to experts.
According to the Justice Department, the Russians used spear-phishing as one of their primary attack techniques. Spear-phishing refers to an email targeted at an important person — or a “big fish” — who can provide entry to a cache of the most important data. It starts with basic reconnaissance (like looking at Facebook and LinkedIn profiles) to create a portrait of a prominent individual, then using that portrait to create an email that he or she is sure to click on. In the Democratic National Committee hack in 2016, those emails were just spoofed to look like security updates from Google, according to the indictment.
To prevent this type of attack, the DNC could have done much more in terms of “basic cyber hygiene,” according to Amit Yoran, a founding member of the U.S. Computer Emergency Response Team, the arm of Homeland Security that reacts to major cyberattacks in the U.S. Patching systems and using two-factor authentication, which involves verifying a person’s identity using more than simply a password, would have greatly mitigated the damage the Russian agents could do, he said.
Not only does it show how preventable the incidents surrounding the attacks on the DNC could have been but the increasingly integral role private-sector companies have on the front lines of national defense, he said.
Spotlight shifts to companies
The Russians allegedly took a multi-pronged approach to the Democrats’ congressional and presidential campaigns, as well as the elections systems in several U.S. states. According to the indictment, a software vendor was the conduit to one attack against the voting registration system in Florida.
When the DNC realized they’d been hacked, they called in an American consulting firm to help. That company, which was not named in the indictment, removed many instances of malware left on DNC machines by the Russians.
However, that firm didn’t rid the committee’s servers of all instances of the malware, according to the Justice Department. Some malware remained, according to the indictment, and the Russians continued operating. Also, in the process of working on DNC computers, the consulting firm made their presence known to the attackers. Typically, that is not something a cybersecurity response firm wants to do.
The Russians were then able to find “countermeasures” to get around those defenses, prosecutors said.
For corporations watching and wondering what this might mean for the private sector: “At the most basic level, you’ve got to be able to defend yourself,” said Yoran, who now serves as chief executive of cyber-risk management company Tenable. “The rule of law isn’t well established in cyberspace. You’ve got to put in place reasonable protections and reasonable measures.”