Although the hacking of Democrats during the 2016 presidential campaign had major repercussions, the methods used by the 12 Russians accused of the crime were not out of the ordinary, according to cybersecurity experts in Arkansas.
These methods — like spear-phishing — are used everyday against businesses. That makes the July 13 indictment issued by Special Counsel Robert Mueller not only fascinating reading — one expert compared the attack to the movie “Ocean’s Eleven” — but something that business owners can learn from.
► Every business, no matter how small, is at risk. Any Arkansas company could be a secondary target because cybercriminals want to control as many servers as possible to use later in attacks on larger entities. The experts compared these compromised systems to sleeper cells.
► Humans are and always will be the weakest link when it comes to keeping a network secure, so educating employees and balancing access with ease of use is a must. The “zero trust” approach is a trending option where companies don’t just put security measures in place for external threats but go a step further by not trusting anything inside their systems.
► Know what is normal for your network so that intruders can be detected and dealt with sooner, even if all they’ve done is monitor users’ actions and haven’t stolen data yet. The Russians weren’t discovered for several months.
► Ask specific questions of cybersecurity and information technology firms and professionals before hiring them.
► Keep all software updated, and maintain a properly configured firewall, the part of a computer system or network designed to block unauthorized access while permitting outgoing communication.
Even though the methods referred to in the indictment aren’t unusual, the fact that an indictment was issued is, said Jon Waldman, founding partner at SBS Cybersecurity LLC in Little Rock. Most of the time, cybercriminals are not indicted because they hide in countries that won’t extradite, or they carry out small-scale attacks and successfully conceal their identities, he said.
Aaron Gamewell, president and CEO of SBS Cybersecurity, said that an attack against a single business often doesn’t justify the federal government using its resources to investigate it.
By contrast, the attack described in the Mueller indictment is far from small in scale. It is also what cybersecurity professionals call an “advanced persistent threat,” or APT, attack.
Jeremy Ausburn, senior security engineer for Edafio Technology Partners of North Little Rock, said an APT attack occurs when “somebody got in and hung out for awhile. … The act of waiting puts you into the baseline.”
The baseline is what’s normal for a network, he said, and if the “malicious actors” wait long enough to become what’s normal, their presence is more difficult to detect.
Waldman compared the hacking, allegedly by 12 Russian intelligence officers, to the heist depicted in a classic caper film.
“It’s the ‘Ocean’s Eleven’ of hacking. Those guys don’t do small-time stuff; they do big-time stuff,” he said. “And it’s a collection of experts, 11 different guys that are great at what they do, not 11 guys that all know how to do the same thing or are kind of mediocre at what they do.
“Then they spend time planning and preparing. They get in, they plan things out, they case the joint, and they know they have nothing but time in order to execute these attacks. They wait for the perfect moment to strike. … And they get what they want.”
‘A Crime of Opportunity’
What the Russians wanted was to steal emails and other documents and then release them at strategic times to influence the outcome of the election.
The Russians, according to the indictment, began hacking the email accounts of volunteers and employees of the Hillary Clinton campaign in March 2016 and began hacking the Democratic National Committee and Democratic Congressional Campaign Committee systems in April 2016. More than 300 people were targeted.
In June 2016, the Russians started to release tens of thousands of stolen emails and other documents using fictitious online personas.
The hackers used a network of computers around the world and in the United States to conceal their identities or “anonymize” themselves, and they bought that infrastructure using cryptocurrency, the indictment says.
Even though the Russians bought the computers they used, companies should be aware that hackers can and do use computers they’ve infiltrated to carry out large-scale attacks, Waldman said.
So companies must change their mindsets from “we don’t have anything valuable” or “we’re just a small business in Arkansas; no one knows or cares who we are,” Waldman said.
Hackers have automated the process of gaining access to systems and “all you are to a hacker is a number on the Internet, an IP address,” he said. Every device connected to the internet has an IP address.
“Here’s the big secret of hacking: The vast majority of the time, hacking is a crime of opportunity,” Waldman said. “Bad guys typically don’t know who you are, where you are or what you have until after they’ve compromised your network. … If you understand that you do have information or resources of value, you can make up your mind to at least put basic cybersecurity protections in place to keep yourself from being a victim of opportunity, which we often refer to as being the ‘low-hanging fruit.’”
Spear-phishing is a common technique hackers use, and the Russians deployed it so that people would unknowingly reveal their passwords or grant some other kind of network access.
Spear-phishing is sending emails targeted at specific individuals or departments within an organization that appear to be from a trusted source. They contain links that look legitimate, tricking the user into entering a password on a site the hackers can monitor or into allowing malware — malicious software — to be downloaded into a system.
All of the cybersecurity experts interviewed said being attentive can thwart spear-phishing.
The first thing people should do is hover their cursors over links in emails to see if the URLs that appear match the links, several of the experts said.
In addition, companies could try the “zero trust” approach to securing their networks. “The history has been that IT in a company worked very hard on building higher walls around the company, and thicker walls, kind of a hard shell,” said John Burgess, co-founder and president of Mainstream Technologies. “What the trend is moving toward is what’s called zero trust, where you never assume that it’s safe. … Used to, we’d only encrypt things that left and entered the network, and stuff that went around inside the network we all trusted each other.
“Well, now you’re moving to where everything is encrypted all the time so that if someone does get into the network, they can’t find very much. The balance is how do you implement something like that so that you’re secure but so that you don’t prevent work from happening.”
Ausburn, with Edafio, agreed that a balance is needed. There’s “this horrible pendulum of security vs. usability,” he said. “Would you get rid of all this security so I can go get my job done? Well, that is a huge problem. Well, let’s swing the pendulum way to the other side. Now it’s so secure I can’t use anything,” he said.
“It all needs to be based off of a business decision, at least in the American culture, because we do not have a good, strong, consistent privacy law.”
‘Spoofing’ and Malware
Spear-phishing also involves “spoofing,” a cybersecurity term that refers to altering something to look like something else. For example, some emails the Russians sent looked like security notifications that Gmail account holders receive from Google, notifications that ask them to change their passwords because their accounts may have been hacked.
The Russians also used spoofed email addresses to send spear-phishing emails, according to the indictment. Spoofed email addresses and links often contain a misspelling, so that’s something computer users should look for, cybersecurity experts said.
Spear-phishing not only delivered passwords to the Russian hackers but also placed their malware into targeted systems. There are, however, ways to protect against that.
Waldman, with SBS Cybersecurity, said malware comes in two forms: the kind that’s hidden in website ads and that downloads automatically when a user visits the website, or the kind that comes in spear-phishing emails that downloads when a user clicks on a link or attachment.
Companies, Waldman said, can protect themselves from malware by:
► Educating their employees about what not to do;
► Making sure their email software or application uses the highest level of email security and training it to know what’s junk and what’s not;
► Purchasing “professional” anti-malware software for about $30 a year; and
► Backing up their data regularly.
Many modern email products, like Gmail or Outlook, have built-in phishing protections and keep users from proceeding with a link until the product determines it’s safe, he said.
It’s also important for business owners to understand their own networks and to know what to ask of IT firms or professionals before hiring them.
The DCCC and DNC, for example, hired cybersecurity firm Crowdstrike Inc. of Sunnyvale, California, when they discovered the Russian hackers in May 2016, according to the indictment.
But Crowdstrike missed a Linux-based version of the Russians’ malware that remained on the DNC system through October 2016.
Waldman said it’s likely that the DNC leadership didn’t know they had a Linux-based server or anything that ran on Linux software. Companies can avoid this kind of issue by knowing everything they have.
They can also ask the right questions of IT firms.
Gamewell, with SBS Cybersecurity, said a good IT firm should be able to show potential customers the results of a recent third-party audit of its own network security.
Other questions to ask an IT firm include what reports and alerts it will send to the company’s leadership, what actions will be taken and how the leadership will be involved. Gamewell cautioned that companies must be involved because they, not their IT firms, will be liable if a breach occurs.
The Russians also scanned the DCCC and DNC systems to identify vulnerabilities. Waldman said companies can protect themselves from that by configuring their firewalls to not respond to internet-based IP requests.
It’s important for companies to test every line of defense, he said, even their people.