Russian Military Intelligence executed a cyber attack on at least one US voting software supplier and sent spear-phishing emails to more than 100 local election officials just days before last November’s presidential election, according to a highly classified intelligence report obtained by The Intercept.
According to the NSA documents obtained by The Intercept, the hack centered on a classic tactic, spear-phishing, to obtain login credentials from an employee at an election system software vendor, which brings a second classic element into play: the insider. As described by the classified NSA report, the Russian plan was simple: pose as an e-voting vendor and trick local government employees into opening Microsoft Word documents invisibly tainted with potent malware that could give hackers full control over the infected computers.
But in order to dupe the local officials, the hackers needed access to an election software vendor’s internal systems to put together a convincing disguise. So on August 24, 2016, the Russian hackers sent spoofed emails purporting to be from Google to employees of an unnamed U.S. election software company, according to the NSA report. Although the document does not directly identify the company in question, it contains references to a product made by VR Systems, a Florida-based vendor of electronic voting services and equipment whose products are used in eight states.
The spear-phishing email contained a link directing the employees to a malicious, faux-Google website that would request their login credentials and then hand them over to the hackers. The NSA identified seven “potential victims” at the company. While malicious emails targeting three of the potential victims were rejected by an email server, at least one of the employee accounts was likely compromised, the agency concluded. The NSA notes in its report that it is “unknown whether the aforementioned spear-phishing deployment successfully compromised all the intended victims, and what potential data from the victim could have been exfiltrated.”
Morgan Gerhart, vice president at Imperva, explains:
“The insider threat landscape usually breaks down into three pieces: malicious insiders, negligent insiders and compromised insiders. Malicious insiders are those disgruntled workers who misuse their access to sensitive data for profit or simply for “revenge.” The most notorious example is Edward Snowden. In this case, the individual that leaked the NSA report to the media would be considered a malicious insider.
Negligent insiders jeopardise sensitive data by innocent mistakes or bad practices. These usually boil down to misconfigured servers (e.g., use of default or weak passwords), backups or test servers that contain sensitive information but are not protected like production servers, or simply taking your work home – for example saving corporate data on personal devices or cloud services.
Last, but not least, is the “classic” compromised insider, where hackers compromise insiders that have internal access to the network and assets (file servers, databases, applications, etc.). Once an attacker has access to internal resources, it’s only a matter of time before he gains access to sensitive data. It is unfortunate, but most organisations focus on securing their borders. The main problem with this is that there are no real borders to secure.
Another previous example of an insider attack would be the Wikileaks affair which involved Bradley Manning, an army private and U.S. intelligence analyst with Top Secret security clearance. Private Manning had “access to an unprecedented amount of material” and was convicted of leaking 251,287 classified cables. The files were stolen over time. One time Private Manning bragged to a friend saying he would “come in with music on a CD-RW labelled with something like ‘Lady Gaga’ … erase the music … then write a compressed split file. No one suspected a thing.” He said that he had “unprecedented access to classified networks 14 hours a day 7 days a week for 8+ months.”
Careless insiders are the most common of all but are, by far, not the most concerning ones. Misconfigured access control systems and misplaced data dumps are by far more dangerous, less common and much more difficult to recover from.
To mitigate the risk, corporations should ask themselves where their sensitive data lies, and invest in solutions that directly monitor who accesses it and how. According to reports, the leaker was identified because of strong audit trails of who accessed what. They can invest in solutions that help them pinpoint critical anomalies that indicate misuse of enterprise data stored in databases, file servers and cloud apps and that also help them to quickly quarantine risky users in order to proactively prevent and contain data breaches. This approach works across careless, compromised and malicious insiders.”
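As an added illustration (not part of the article, the NSA report or any Imperva product), the following Python snippet shows the kind of audit-trail check the quote describes: it parses a constructed access log and flags users whose distinct reads of classified records in one day far exceed their peers, the bulk-access pattern behind the Manning example. The log format, user names, classification labels and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample audit trail (not real data): timestamp,user,action,resource,classification
AUDIT_LOG = """\
2016-08-24T09:12:00,analyst_a,READ,cable-1001,SECRET
2016-08-24T09:15:00,analyst_a,READ,cable-1002,SECRET
2016-08-24T10:01:00,analyst_b,READ,cable-2001,SECRET
2016-08-24T10:05:00,analyst_b,READ,memo-17,UNCLASSIFIED
2016-08-24T11:00:00,analyst_c,READ,cable-3001,SECRET
2016-08-24T11:02:00,analyst_c,READ,cable-3002,SECRET
2016-08-24T11:03:00,analyst_c,READ,cable-3003,SECRET
2016-08-24T23:40:00,analyst_c,READ,cable-3004,SECRET
2016-08-24T23:41:00,analyst_c,READ,cable-3005,SECRET
2016-08-24T23:42:00,analyst_c,READ,cable-3006,SECRET
2016-08-24T23:43:00,analyst_c,READ,cable-3007,SECRET
"""

def parse_audit(text):
    """Parse CSV-style audit records into dicts, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        ts, user, action, resource, level = parts
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "action": action, "resource": resource, "level": level})
    return records

def daily_sensitive_reads(records):
    """Number of distinct classified resources each user read per day."""
    seen = defaultdict(set)
    for r in records:
        if r["action"] == "READ" and r["level"] != "UNCLASSIFIED":
            seen[(r["user"], r["ts"].date().isoformat())].add(r["resource"])
    return {key: len(res) for key, res in seen.items()}

def find_bulk_readers(records, ratio=3.0, minimum=5):
    """Flag (user, day, count) where distinct classified reads exceed both an
    absolute floor and `ratio` times the median user-day (a peer baseline)."""
    counts = daily_sensitive_reads(records)
    if not counts:
        return []
    baseline = median(counts.values())
    return sorted((u, d, n) for (u, d), n in counts.items()
                  if n >= minimum and n > ratio * baseline)
```

In a real deployment the baseline would be built per role over a longer window, and the flagged user-days would feed the quarantine step the quote mentions rather than an alert alone.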