The Link You Just Clicked May Not Be Real
Thanks to a new report from cybersecurity firm FireEye, we now know exactly how hackers sponsored by the Russian government have been able to gain access to sensitive information on computer networks owned by NATO, its member countries and former Soviet nations such as Georgia. The methods are both sophisticated and easily fended off with just a little vigilance.
A number of security companies have recently issued reports on alleged Russian hacking into Western networks. Some of these have included valid technical insights, others have been ominous but poor on detail. One could get a pretty good idea of what the hackers did once they had access to their target systems: What malware they used and what it could do. It was also clear that the various hackers groups used so-called phishing to gain access: Someone in the target organizations had to open an email attachment or click on a link so that the malware could worm its way into a network.
What I missed about all the previous reports, however, was a good description of the bait the hackers used to induce those fatal clicks. It's easy to say that anyone who clicks on links in unsolicited emails or opens attachments sent by strangers is a fool, but it would be wrong to assume that there are many fools in bureaucracies such as NATO's. People there, and at major companies, get basic cybersecurity training and should not make childish mistakes. So why are the hackers so often able to trick them?
Milpitas, California-based FireEye is a major player in the computer security industry. Research by Mandiant, a company it acquired this year for $1 billion, was behind the U.S. indictment of Chinese military hackers last May. FireEye has the resources and the attention to detail required to study hacker attacks from initial penetration through to the data theft. So to anyone sitting on sensitive information that could be of interest to sophisticated government-sponsored hacker groups -- be they Russian, Chinese or U.S. -- FireEye's report on what it calls Advanced Persistent Threat 28 is required reading.
Most usefully, it provides examples of the "spear phishing" bait used by the sophisticated group that uses a Russian-language development environment and operates during Moscow and St. Petersburg working hours, 8 am to 6 pm.
To get into Georgia's interior ministry, the hackers sent around an Excel file containing a list of Georgian drivers' licenses, making it appear as though it was being sent from the ministry's mail server. People inside the ministry would be likely to open it because it appeared to come from a colleague. To get into the network of a U.S. defense contractor that had a joint working group with the Georgian defense ministry, a list of the working group members' birthdays was sent out.
Another piece of bait contained a non-public listing of defense attaches working in Turkey.
Targeting a journalist who wrote extensively about the Caucasus region, the hackers sent him a letter from a non-existent staffer of U.S.-based Reason magazine offering an opportunity to contribute articles. It was written in the comically bad English of a Russian villain in a spy movie: "We wish our cooperation will be both profitable and trusted. Our aim in the Caucasian region is to help people who struggle for their independence, liberty and human rights. We all know, that world is often unfair and cruel, but all together we can make it better." No matter: By the time the journalist had a chance to laugh at the fake, the malware was already running.
The hackers also set up entire fake websites that appeared to contain information of interest to the recipients. A malware-infested clone of the Bulgarian news site Novinite.com could be found at Novinitie.com; qov.hu.com looked similar enough to the Hungarian government domain, gov.hu, and nato.nshq.in to NATO Special Operations Headquarters site nshq.nato.int, for an unwary user to slip up and click on a link. Participants in the Baltic Host military exercise unsuspectingly clicked on the group's Baltichost.org site.
One wouldn't need to be stupid to be tripped up like this, just unwary for a second. In the two decades since we started using email for work, the traffic in our mailboxes has grown so heavy that we no longer pay close attention to where the dot is in an address. Links to the fake sites could easily come through the social networks, where we trust people we call "friends" to direct us to the information we need. Studying each link and each address critically is an alien concept to most people because of all the digital white noise to which we have been subjected; mass emails from colleagues and bosses are so common we never doubt their authenticity.
We live in a world where developing spear phishing bait is somebody's nine-to-five job. People doing it are skilled social engineers, and because they are sometimes financed by governments, they have access to data that can make the bait look appealing and convincing. We are suckers compared to these professionals, but we do not have to be. We just need to tailor our routines to a higher threat level than we believed was possible.
This column does not necessarily reflect the opinion of Bloomberg View's editorial board or Bloomberg LP, its owners and investors.
To contact the author on this story:
Leonid Bershidsky at firstname.lastname@example.org