Newly published documents from the NSA state that Russian military intelligence targeted U.S. election officials with spear-phishing emails just days before the November 2016 election.
This attack and others like it were reported in late 2016, but the report published last week by The Intercept sheds light on how the attack happened.
Like 91 percent of all cyberattacks, it began with phishing. The attackers ran a two-phase spear-phishing operation aimed at specific individuals.
In at least one of the cases, it appears likely that the attackers took advantage of email’s original sin: Without authentication in place, it’s incredibly easy for hackers to put fake return addresses on their emails, making it look like they come from a legitimate sender.
According to the Intercept article, in phase one, on August 24, 2016, attackers sent messages that appeared to come from Google, targeting specific employees of a supplier of voting software, most likely VR Systems. These messages directed recipients to a bogus site that looked like Google’s, but which actually was controlled by the hackers. At least one of those messages succeeded in tricking the recipient into entering their username and password on the malicious site, which then gave the Russian attackers access to VR Systems’ internal systems.
The Russians appear to have used this access to collect lists of VR Systems customers and to craft emails for phase two of the operation.
In phase two, starting on October 27, attackers sent messages that appeared to come from VR Systems, targeting 122 specific customers of the company (local elections officials). In this phase, attackers used a Gmail account “designed to appear as if it belonged to an employee at VR Systems.” The email contained a Word document infected with code that gave the attackers apparently limitless access to the targeted systems.
What can we learn from this attack?
First of all, phishing and spear-phishing are extremely common. The chief operating officer of VR Systems acknowledged this in a statement to The Intercept:
Phishing and spear-phishing are not uncommon in our industry. We regularly participate in cyber alliances with state officials and members of the law enforcement community in an effort to address these types of threats. We have policies and procedures in effect to protect our customers and our company.
Understanding that the threat exists, forming partnerships, and creating effective policies are the beginnings of an effective phishing defense, and VR Systems is on the right track here.
But there’s one more step that would have helped protect VR Systems’ customers in phase two of this attack and beyond, and that’s enabling DMARC.
As it stands, VR Systems has not published a DMARC record, as Valimail's domain checker reveals. Without it, the company remains vulnerable to phishing attacks — and its customers are vulnerable to phishing attacks that spoof VR Systems’ identity by putting its domain name in the From field.
DMARC is a proven way to eliminate same-domain phishing attacks: it limits the use of your domain name to authorized senders only. That also protects your own employees from spear phishing that tries to trick them by posing as, say, the CFO or CIO.
An important note: We don’t know whether the phishers used VR Systems’ own domain in phase two, though the report makes it seem likely. In phase one, we do know they couldn’t have used a google.com email address, because google.com has a DMARC record set to enforcement mode, so non-authenticating messages won't be delivered. (Gmail.com, by contrast, has a DMARC record, but it is not set to an enforcement policy, so messages that fail authentication can still be delivered. So in phase one, the attackers could have used a Gmail address.)
But there is one thing we do know: A correctly configured DMARC record would have made it impossible for the phishers to use fake VRsystems.com email addresses. And in the wake of this attack, lacking email authentication means the company remains vulnerable.
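The distinction drawn above, between a domain that merely publishes a DMARC record and one whose record is in enforcement mode, can be checked mechanically. As an added example (not code from the original post or from Valimail's domain checker), the Python below parses a DMARC TXT record and reports the policy a receiver would apply; the sample records are constructed for illustration, not real DNS data.

```python
# Added example: parse a DMARC TXT record (RFC 7489 tag=value syntax) and
# decide whether it is in enforcement mode (p=quarantine or p=reject, applied
# to 100% of mail) or only monitoring (p=none), the difference the post draws
# between google.com and gmail.com.
ENFORCING = {"quarantine", "reject"}
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into a dict of lower-cased tags; reject non-DMARC input."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record: missing v=DMARC1")
    if "p" not in tags:
        raise ValueError("DMARC record lacks the required p= tag")
    return tags

def effective_policy(record: str, subdomain: bool = False) -> str:
    """Policy a receiver applies to failing mail; sp= overrides p= for subdomains."""
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    if subdomain and "sp" in tags:
        policy = tags["sp"].lower()
    if policy not in VALID_POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    return policy

def is_enforcing(record: str, subdomain: bool = False) -> bool:
    """True only when failing messages are quarantined or rejected for all mail."""
    pct = int(parse_dmarc(record).get("pct", "100"))  # pct defaults to 100
    return effective_policy(record, subdomain) in ENFORCING and pct == 100

# Constructed sample records (hypothetical domains, not real DNS data):
SAMPLES = {
    "enforcing.example":  "v=DMARC1; p=reject; rua=mailto:dmarc@enforcing.example",
    "monitoring.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitoring.example",
    "partial.example":    "v=DMARC1; p=quarantine; pct=25; sp=none",
}

if __name__ == "__main__":
    for domain, rec in SAMPLES.items():
        print(f"{domain}: policy={effective_policy(rec)} enforcing={is_enforcing(rec)}")
```

A domain with no TXT record at `_dmarc.<domain>` at all, the situation described for VR Systems above, never reaches this parser: the absence of a record is itself the finding.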
DMARC is critical to protect your company’s brand from being damaged by impersonators. It’s important to defend your customers from attackers who might misuse your identity to gain access to their systems.
And it’s quite possibly important to protect elections from outside interference.
Has your company been targeted by phishing campaigns? Contact us to find out how to eliminate the risk.
Top photo credit: anoldent/Flickr