Anatomy of a Spear Phishing Attack on the White House

A news report earlier this week describes how the Dutch intelligence agency AIVD managed to infiltrate the Russian cyber outfit nicknamed Cozy Bear, and was able to watch in real time as the organization successfully compromised the Democratic National Committee’s email servers in 2016.

It’s a remarkable account on a number of levels, but one detail in particular stands out because it’s a crystal-clear illustration of how spear phishing works.

After discovering Cozy Bear’s activities in the U.S., the Dutch agency notified its U.S. counterparts, and together they were able to watch the Russians launch a sustained attack on the State Department’s network. The attack, which appears to have happened sometime in 2014, was rebuffed, but sources later described it to CNN as “the worst hack attack ever” on the American government.

However, the Dutch news report continues, the Russian attackers managed to “use their access to send an email to a person in the White House.” A White House staffer opened the message, and that’s when things get really interesting:

He thinks he's received an e-mail from the State Department - the e-mail address is similar - and clicks a link in the message. The link opens a website where the White House employee then enters his login credentials, now obtained by the Russians. And that is how the Russians infiltrate the White House.

(emphasis added)

According to this report, the hackers then gain access to the email servers containing President Obama’s “sent and received emails,” as well as “e-mail traffic with embassies and diplomats, agendas, notes on policy and legislation,” but fail to get control of the servers that send messages to and from his BlackBerry.

A Classic Attack

This is a classic spear phishing attack: The attackers do extensive research on the target organization, identify a likely target, and then send a carefully crafted email to the target.

The target thinks the email comes from someone they can trust, but the message actually leads them to a bogus login site controlled by the attackers. When the target enters his or her credentials on that site, the credentials go straight to the attackers, who then use them to extend their attack.

The Dutch report says that the Russians were able to send the message from the State Department’s systems before the Americans kicked them out. In other words, they compromised the network and gained direct access to the State Department’s mail servers, at least for a short while.

No Network Access Required

However, it’s important to note that access to the State Department’s mail servers is not required to send a fake state.gov email. In fact, it takes very little effort to craft a message with a state.gov address in the From field: that field is just text supplied by the sender, and nothing in basic SMTP verifies it.

Done right, such a message is nearly indistinguishable from a legitimate one to the person reading it. And unless the owner of state.gov has published a DMARC policy that tells receivers what to do with messages that fail authentication, almost no mail filtering service or malware scanner in the world has a signal that would let it stop the message.

To fix this vulnerability, state.gov needs to implement DMARC at enforcement (a policy of p=quarantine or p=reject), just as the Department of Homeland Security’s BOD 18-01 directs. This wouldn’t prevent hackers who had already gained access to State’s network from sending messages through its legitimate mail system, because those messages would pass SPF or DKIM like any other State mail. However, it would instruct every DMARC-checking receiver in the world to reject or quarantine messages that put state.gov in the From field without passing aligned SPF or DKIM. As Valimail CEO Alexander García-Tobar recently wrote in Federal Computer Week, BOD 18-01 will greatly increase the cybersecurity of the U.S. government, and this is exactly why it’s needed.

Note: state.gov does have a DMARC record, so it receives aggregate reports showing which IP addresses around the world are sending on its behalf. It’s just that this DMARC record is set to a policy of “none” (p=none), which means receiving mail servers evaluate SPF and DKIM alignment and report the results, but deliver the unauthorized messages anyway.
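To make the difference between p=none and enforcement concrete, here is a simplified model of the decision a receiving mail server makes, written as an added example for this post (it is not Valimail’s product code and not how any particular receiver is implemented). It parses a DMARC record, checks SPF and DKIM identifier alignment against the From domain, and returns the disposition the policy calls for. The domains, IP-less authentication results and DMARC records are constructed for illustration; the organizational-domain logic is a deliberate simplification of what a real validator does with the Public Suffix List. It also covers the caveat above: a message sent through the domain’s own mail system passes DMARC even under p=reject.

```python
"""Simplified DMARC evaluation (added illustration, not production code).

Models what a receiver does with a message whose From: header claims a
domain, given the SPF/DKIM results it computed and the domain's published
DMARC policy. All records and domains below are constructed examples.
"""
from dataclasses import dataclass


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record ('v=DMARC1; p=none; ...') into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if part and "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: %r" % txt)
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    A real implementation consults the Public Suffix List instead."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' = exact match, 'r' (relaxed) = same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    spf_result: str    # "pass", "fail" or "none"
    spf_domain: str    # envelope MAIL FROM domain that SPF was checked against
    dkim_result: str   # "pass", "fail" or "none"
    dkim_domain: str   # d= tag of the DKIM signature, empty if unsigned


def evaluate_dmarc(from_domain: str, auth: AuthResults, record: str) -> dict:
    """Return the DMARC result and the disposition the policy requests."""
    tags = parse_dmarc_record(record)
    spf_ok = auth.spf_result == "pass" and aligned(
        auth.spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = auth.dkim_result == "pass" and aligned(
        auth.dkim_domain, from_domain, tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok          # either aligned mechanism is enough
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError("unknown policy %r" % policy)
    if passed or policy == "none":
        disposition = "deliver"         # p=none only monitors; failures still land
    else:
        disposition = policy
    return {"dmarc": "pass" if passed else "fail",
            "policy": policy, "disposition": disposition}


# Constructed records: what a monitoring-only domain and an enforced domain publish.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.gov"
ENFORCED = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.gov"

# Constructed authentication results for three kinds of message claiming From: state.gov
SPOOFED = AuthResults("pass", "attacker-relay.example", "none", "")   # attacker's own SPF passes
INSIDER = AuthResults("pass", "state.gov", "pass", "state.gov")       # sent via State's own servers
CLOUD_SENDER = AuthResults("pass", "bounces.mailvendor.example", "pass", "state.gov")  # DKIM-aligned


if __name__ == "__main__":
    for label, auth in (("spoofed", SPOOFED), ("insider", INSIDER), ("cloud", CLOUD_SENDER)):
        for name, rec in (("p=none", MONITOR_ONLY), ("p=reject", ENFORCED)):
            print(label, name, evaluate_dmarc("state.gov", auth, rec))
```

The spoofed message fails DMARC in both cases, but only the enforced record turns that failure into a reject; the insider and cloud-vendor messages pass because their SPF or DKIM identifier aligns with state.gov, which is why enforcement does nothing against an attacker already inside the mail system and why every legitimate cloud sender must be aligned before moving off p=none.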

Many organizations find it difficult to take the next step and move their DMARC policy to enforcement, which is what provides real protection. It is a particular challenge for organizations that send through many different cloud services or servers around the world, because every legitimate sender has to be authorized in SPF or sign with an aligned DKIM key before enforcement can be turned on without losing real mail.

Valimail can help with that, with our ValiGov service for federal agencies, and we guarantee that we will get our customers’ domains to DMARC enforcement. Find out more here.

Top photo: The White House, via Flickr.

Valimail is the trusted leader in fully-automated email authentication, with the only comprehensive platform for anti-impersonation, brand protection, and compliance used by corporations and federal agencies such as Uber, Fannie Mae, WeWork, and the U.S. Agency for International Development. Valimail Enforce is the only FedRAMP-authorized email authentication service and, because it uses no personally identifiable information (PII), it is also GDPR compliant. Valimail authenticates billions of messages a month for some of the world's biggest companies, in finance, government, transportation, health care, manufacturing, media, technology, and more. Valimail is based in San Francisco. For more information visit www.Valimail.com.