By Leonid Bershidsky
Thanks to a new report from cybersecurity firm FireEye, we now have a detailed picture of how a hacker group that FireEye assesses to be sponsored by the Russian government has gotten access to sensitive information on computer networks owned by NATO, its member countries and former Soviet nations such as Georgia. The methods are sophisticated but, with just a little vigilance, easily fended off.
The report stands out for its insight into how the hackers operate. Some security-company reports on alleged Russian hacking have provided valid technical insights; others have been ominous but weak on detail. Together, they have provided a pretty good idea of what malware the hackers have used. And they’ve reported that the various hacker groups used phishing to gain that access: Someone in the target organization had to open an email attachment or click on a link to let the malware in.
But until now it hasn’t been clear what bait hackers have used to induce those fatal clicks. It’s easy to say that anyone who clicks on links or opens attachments in unsolicited emails is a fool, but it would be wrong to assume that there are many fools in bureaucracies such as NATO’s. People there, and at major companies, get cybersecurity training. So why are the hackers so often able to trick them?
FireEye, based in Milpitas, California, is a major player in the computer security industry. Research by Mandiant, a company it acquired this year for $1 billion, was behind the U.S. indictment of Chinese military hackers last May. FireEye has the resources and the attention to detail required to study hacker attacks from initial penetration through to data theft. So to anyone sitting on sensitive information that could be of interest to government-sponsored hacker groups — be they Russian, Chinese or American — FireEye’s report on what it calls Advanced Persistent Threat 28 is required reading.
Most usefully, it provides examples of the “spear phishing” bait used by a sophisticated group that, judging by the timestamps on its malware, works during Moscow and St. Petersburg business hours, roughly 8 a.m. to 6 p.m.
To get into Georgia’s interior ministry, the hackers sent around an Excel file containing a list of Georgian drivers’ licenses, made to look as though it had been sent from the ministry’s own server. To people inside the ministry, it seemed to come from a colleague. To get into the network of a U.S. defense contractor that had a joint working group with the Georgian defense ministry, the hackers sent out a list of the working-group members’ birthdays.
Another piece of bait contained a non-public listing of defense attachés working in Turkey.
To a journalist who wrote extensively about the Caucasus region, the hackers sent an email purporting to come from a non-existent staffer of U.S.-based Reason magazine, inviting the reporter to contribute articles. It was written in the comically bad English of a Russian villain in a spy movie: “We wish our cooperation will be both profitable and trusted. Our aim in the Caucasian region is to help people who struggle for their independence, liberty and human rights. We all know, that world is often unfair and cruel, but all together we can make it better.” No matter: Open the attachment, and by the time the journalist had a chance to laugh, the malware would already be running.
The hackers set up entire fake websites. A malware-infested clone of the Bulgarian news site Novinite.com could be found at Novinitie.com; qov.hu.com looked similar enough to the Hungarian government domain, gov.hu, and nato.nshq.in to the NATO Special Operations Headquarters site, nshq.nato.int, for an unwary user to slip up and click on the link. Each trick is different: Novinitie.com adds a single letter; qov.hu.com swaps a look-alike letter and tacks the real name onto a domain (hu.com) the attackers control; nato.nshq.in keeps the familiar words but reorders them so that the domain actually registered is nshq.in, not nato.int. In every case the part of the name that counts is the part just before the top-level domain, which is exactly the part a hurried eye skips.
One wouldn’t need to be stupid to be tripped up like this, just unwary for a second. In the two decades since we started using email for work, the traffic in our mailboxes has grown so heavy that we don’t pay attention to where the dot is placed in a domain name. Links to fake sites can also easily come through social networks, where we trust “friends” to direct us to information we need. Mass emails from colleagues and bosses are so common that we don’t stop to doubt their authenticity.
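The three look-alike domains above fail the same mechanical check: extract the registrable domain (the label in front of the public suffix) and compare it with a list of names you actually trust. The script below, an added example that is not part of the article or the FireEye report, does that check and then looks for a trusted name’s labels hiding, exactly or one edit away, inside a host whose registrable domain is foreign. The three trusted names are the real ones from the page; the public-suffix table is a constructed fragment rather than the real Public Suffix List, and the one-edit threshold (with exact matching required for two-letter labels, to avoid flagging every gov.xx) is an assumption.

```python
"""Look-alike domain check for the phishing hosts named in the article.

Added example; not code from the article or the FireEye report.  The
suffix table is a constructed fragment (assumption), and the edit-distance
thresholds are assumptions.
"""
from urllib.parse import urlsplit

# Constructed fragment of a public-suffix table (assumption: the real
# Public Suffix List is far longer).  Multi-label suffixes such as
# "co.uk" are tried before their shorter tails.
PUBLIC_SUFFIXES = {"com", "hu", "in", "int", "org", "ru", "uk", "co.uk"}

# The legitimate sites the article names.
TRUSTED = ["novinite.com", "gov.hu", "nshq.nato.int"]


def hostname(url_or_host: str) -> str:
    """Lower-case hostname from a URL or a bare host string."""
    if "://" not in url_or_host:
        url_or_host = "http://" + url_or_host
    host = urlsplit(url_or_host).hostname or ""
    return host.lower().rstrip(".")


def registered_domain(host: str) -> str:
    """Registrable domain: the public suffix plus the one label before it.

    Walks from the longest candidate suffix to the shortest, so 'co.uk'
    wins over 'uk'.  Falls back to the whole host if no suffix matches.
    """
    labels = host.split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) distance: insertion,
    deletion, substitution and adjacent transposition each cost 1, so
    'novinitie' and 'novintie' are both one edit from 'novinite'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # delete a[i-1]
                          d[i][j - 1] + 1,          # insert b[j-1]
                          d[i - 1][j - 1] + cost)   # substitute
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transpose
    return d[len(a)][len(b)]


def classify(url_or_host: str, trusted=TRUSTED) -> tuple:
    """Return (verdict, trusted_name).

    'trusted'   registrable domain equals that of a trusted name
    'lookalike' every label of a trusted name occurs among the host's
                labels (any order) exactly or, for labels longer than two
                characters, within one edit, yet the registrable domain
                differs
    'unknown'   neither
    """
    host = hostname(url_or_host)
    reg = registered_domain(host)
    host_labels = host.split(".")
    for name in trusted:
        if reg == registered_domain(name):
            return "trusted", name
    for name in trusted:
        ok = True
        for wanted in name.split("."):
            allowed = 0 if len(wanted) <= 2 else 1      # assumption
            if not any(edit_distance(wanted, h) <= allowed for h in host_labels):
                ok = False
                break
        if ok:
            return "lookalike", name
    return "unknown", ""


if __name__ == "__main__":
    for sample in ["http://novinitie.com/news", "qov.hu.com",
                   "https://nato.nshq.in/", "https://www.novinite.com/"]:
        verdict, name = classify(sample)
        print(f"{sample:32} -> {verdict:9} ({name or '-'})")
```

The first loop is the check that matters: whatever the host looks like, only its registrable domain says who controls it, and that is what should be compared against an allowlist. The second loop is a heuristic for triage and will produce false positives on short or generic labels; in practice it is paired with a list of known-good registrable domains so that, for example, a legitimate gov.xx site is not flagged as an imitation of gov.hu.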
Today, developing spear phishing bait is somebody’s nine-to-five job. And because these skilled social engineers are sometimes financed by governments, they have access to data, such as the insider lists described above, that makes the bait appealing and convincing. Compared with them, we are suckers, but we don’t have to be. We just need to tailor our routines to a higher threat level than we believed was possible.
This article first appeared on bloomberg.com