Regardless of which side of the political divide they might be on, cybersecurity professionals will find that the Mueller report published by the Department of Justice makes for fascinating reading. It is rare indeed that such a level of detail concerning how a phishing campaign was launched against a specific high-ranking individual, along with the subsequent mayhem that ensued, gets shared so publicly.
The Mueller Report specifically provides a chronological list of the attacks employed by Russian operatives to influence the outcome of the 2016 presidential campaign, including:
- On March 19, 2016, Russian hackers sent John Podesta, campaign chairman for Democratic nominee Hillary Clinton, a spear-phishing email designed to trick him into thinking that Google was urging him to reset his Gmail password. Podesta clicked the link and entered his current password, giving the hackers the keys to his account. The report says that two days later Russian hackers collected more than 50,000 email messages from Podesta’s Gmail account.
- The Russian hackers also sent similar spear-phishing messages to other Clinton campaign officials, including campaign manager Robby Mook and an unnamed “senior foreign policy advisor.”
- Russian hackers then also created an email account with a name one letter off from that of a Clinton campaign official and used it to spear-phish more than 30 other staffers. Those efforts included looking up the internet addresses that supported the campaign’s computer systems and researching public information that could be used to trick staffers working for the Clinton campaign, the Democratic National Committee (DNC) and the Democratic Congressional Campaign Committee (DCCC) into sharing their credentials.
- On April 12, 2016, Russian hackers compromised the DCCC network using credentials stolen from an employee. Between April and June 2016, the hackers installed malware called X-Agent on “at least ten DCCC computers.” That malware captured DCCC employee passwords and watched their keystrokes and their screens as they typed sensitive information. That malware also transferred DCCC files to a server in Arizona that the Russian hackers had leased.
- On April 18, 2016, Russian hackers used their malware to steal the credentials of a DCCC employee who had access to the DNC network. By the end of June 2016, they had accessed around 33 DNC computers. Russian hackers then moved several gigabytes of committee data to a server they leased in Illinois. Between late May and early June 2016, Russian hackers also breached the DNC’s Microsoft-hosted email service and stole “thousands of emails” from committee workers.
- On July 17, 2016, Russian hackers expanded their campaign by launching their first attempt to go after email accounts belonging to Clinton aides that were hosted at an unnamed third-party provider. In the same month, Russian hackers also breached an unnamed state election office’s website to steal information on 500,000 voters.
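The third item above describes an account whose name was one letter off from a real campaign official's. As an added example that is not part of the original article, the following Python flags inbound senders whose address is within one edit of a staff address; the roster and the sample senders are constructed for illustration.

```python
"""Flag inbound senders whose address is one edit away from a staffer's.

Added example, not from the original article. The roster and the sample
senders below are constructed for illustration.
"""


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) distance: one edit is
    a substitution, insertion, deletion or adjacent transposition, so
    'jonh' is one edit from 'john'."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]


ROSTER = {  # constructed list of legitimate staff addresses (lowercase)
    "john.doe@example-campaign.org",
    "jane.roe@example-campaign.org",
}


def lookalike_of(sender: str, roster=ROSTER, max_edits: int = 1):
    """Return the roster address that `sender` imitates, or None.

    An exact roster match is legitimate. Any other sender whose local part
    is within `max_edits` of a staffer's is flagged for review: a typo in
    the name (jonh.doe@...), a typo in the domain (local part exact, so
    distance 0), or the real name registered at a free webmail domain.
    Very short local parts will raise the false-positive rate."""
    sender = sender.strip().lower()
    if sender in roster:
        return None
    s_local = sender.rpartition("@")[0]
    for known in roster:
        if edit_distance(s_local, known.rpartition("@")[0]) <= max_edits:
            return known
    return None


def triage(senders, roster=ROSTER):
    """Map each flagged sender to the staff address it resembles."""
    hits = ((s, lookalike_of(s, roster)) for s in senders)
    return {s: known for s, known in hits if known}
```

Run against a mail gateway's sender log, the non-empty map is the review queue; legitimate roster mail never appears in it.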
The report goes on to describe how Russian hackers set up a website called DC Leaks to publish many of their stolen files and how they transferred a large collection of stolen material to an unidentified organization that published more than 20,000 DNC emails and documents on July 22, 2016.
The investigative team also notes that even after the intrusions were discovered and CrowdStrike, a cybersecurity services firm, was hired by the DNC to wipe systems clean, the malware employed by Russian hackers was still present on systems as late as October 2016.
From a cybersecurity perspective, the Mueller report makes it clear just how much damage can be inflicted using what might first appear to be a simple spear-phishing attack. Cybersecurity professionals should not only study how these attacks were conducted, but also use them to educate employees on just how catastrophic spear-phishing attacks can be to any organization. A recent research report published by Barracuda Networks notes that 83 percent of spear-phishing attacks involve some form of brand impersonation designed to compromise passwords. The report also notes that while business email compromise makes up only six percent of spear-phishing attacks, the Federal Bureau of Investigation (FBI) estimated this type of attack has caused more than $12.5 billion in losses since 2013.
So, the next time someone within the organization decides not to pay attention to cybersecurity policies, cybersecurity professionals would be well advised to share John Podesta’s tale of woe concerning how what initially appeared to be a relatively innocuous email played a large role in changing the course of history.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.