Russia Hacking - Cyber Attacks Pt 2 - How They're Doing It, Why Should We Care
In my previous episode I covered a threat model of the general types of hacking we're looking at right now and the “who” that’s involved in the kinds of cyberattacks we're seeing in active use, but that's not the most interesting part of it for me. I like to dig in and under, to find out what's going on behind the scenes and in the circuits. In this video I'm going to give you a more extended breakdown of the “how” and “why” of what we're seeing - as well as go over the importance of using best practices! Last week I touched on phishing, which is a cyberattack where the intended targets are contacted by someone posing as a legitimate service or institution. It could be an email from a service provider with a hyperlink asking for your username and password, ostensibly to fix an error. Instead, that hyperlink takes you to a dummy site that looks like the real one, and as soon as you log in the attacker has your information. Not great if it's something like Steam, but what if it's your bank? The attacker can use that information to access your account, helping themselves to whatever it may hold of value. Fortunately, most people are aware of common phishing practices, but it remains a ubiquitous part of cybercrime. Phishing is like that kid who's always around that most people know to avoid - so now let’s talk spearphishing, its more intense older brother who's on the varsity wrestling team. It’s an even more targeted attack, aimed at specific people or organizations rather than whoever opens the email, like what’s happening to the US Department of Defense right now - but it might not be going down the way you think. More on that a little later. Either way, you’re not paranoid about it – it’s proper.
{{ If you're interested in topics like cybersecurity and hacking and want to see more content like this, don't forget to hit [like] and [subscribe]! I cover everything from Linux and open source culture to tech and gaming in a way that's uniquely geeky, accessible, and fun! Taking a look at the world around us and expanding our collective hoard of knowledge so we can all move forward. But - where was I? Oh right, spearphishing!}}
People in skilled and specialized industries often get invitations to conferences and talks. You pay a fee, you hear the latest and greatest on x, y, or z, enjoy a dry sandwich with seltzer water and call it a "Great networking experience!" on your LinkedIn. You get to the office and it's another week, and you've got another invite for an online conference waiting in your email. It looks just like any other HR-approved missive, containing hyperlinks and scripts (ones your network filter may well have blocked) with a convenient sign-up button right there! You figure hey, you could do an event centered around your industry interests, help you keep up that competitive edge! You click to register for the "webinar", and there will probably even be that advertised person giving some sort of talk (who may not even be aware of the scam!). As you go through the process of signing up and attending this conference, you fill in all the required fields: your name, what company you work for, what you do and for how many years. Once you're back at home, you'll probably get invited to complete a feedback survey - which may also have a tracker in it! After all that, if you're deemed important enough, or to have access to more important people, you'll get invited to sit on a panel or attend a face-to-face event somewhere... and blammo, you are now an intelligence asset to someone else, however unwittingly. As if email scams with sketchy links weren't enough to deal with, there have also been attempts to mail people USB drives loaded with malware. Masquerading as corporate gifts, loyalty rewards, or incentives, they can compromise accounts and whole networks!
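The "dummy site behind a convincing link" pattern above is something a mail gateway or a cautious reader can check for mechanically. The script below is an added example, not from the original video; it walks the anchors in a constructed HTML email body and flags the classic tells: visible URL text whose host differs from the real `href`, a hostname that contains the trusted brand but is registered elsewhere, a raw IP address as the host, credentials stuffed before an `@` to hide the true host, and plain `http`. The trusted domain `bank.example` and all the hostnames and IP addresses are placeholders from the documentation ranges, and the two-label "registrable domain" shortcut is a stated simplification (a real filter would consult the public suffix list).

```python
"""Triage hyperlinks in an email body for common phishing tells.

Added example (not from the original video script). The email body, the
trusted domain `bank.example` and all hosts/IPs below are constructed
placeholders; 198.51.100.x and 203.0.113.x are documentation ranges.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude reduction to the last two labels (assumption: no public-suffix list available)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def displayed_host(text):
    """If the anchor's visible text itself looks like a URL or hostname, return that host."""
    if " " in text or "." not in text:
        return None
    candidate = text if "://" in text else "//" + text
    return urlsplit(candidate).hostname


def triage_link(href, text, trusted_domains):
    """Return the list of phishing tells for one link (empty list means none found)."""
    reasons = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    # 1. user:pass@host makes the real host easy to misread in a mail client.
    if parts.username is not None:
        reasons.append("userinfo-in-url")
    # 2. Legitimate service mail very rarely links to a bare IP address.
    try:
        ipaddress.ip_address(host)
        reasons.append("ip-literal-host")
    except ValueError:
        pass
    # 3. The text shows one host, the href goes to another.
    shown = displayed_host(text)
    if shown and registrable_domain(shown) != registrable_domain(host):
        reasons.append("display-host-mismatch")
    # 4. Brand name present in the host, but the host is not under the trusted domain.
    for trusted in trusted_domains:
        brand = trusted.split(".")[0]
        if brand in host and registrable_domain(host) != trusted:
            reasons.append(f"lookalike-of-{trusted}")
    # 5. A credential page served over cleartext HTTP.
    if parts.scheme == "http":
        reasons.append("cleartext-http")
    return reasons


def triage_email(html_body, trusted_domains=("bank.example",)):
    """Return [(href, reasons), ...] for every link in the body, in document order."""
    parser = _LinkCollector()
    parser.feed(html_body)
    return [(href, triage_link(href, text, trusted_domains)) for href, text in parser.links]


# Constructed sample: one honest link and three typical lures.
SAMPLE_EMAIL_HTML = """
<p>Your account needs attention.</p>
<a href="https://bank.example/security">https://bank.example/security</a>
<a href="https://bank.example.login-verify.test/fix">https://bank.example/fix-error</a>
<a href="http://198.51.100.7/login">Sign in now</a>
<a href="https://bank.example@203.0.113.9/">bank.example</a>
"""

if __name__ == "__main__":
    for href, reasons in triage_email(SAMPLE_EMAIL_HTML):
        print(f"{href:55s} {'OK' if not reasons else ', '.join(reasons)}")
```

The brand-in-hostname check is deliberately loose and will occasionally flag an honest third-party host; that is the right trade-off for a triage tool whose output a human reviews, and the reason each link returns a list of reasons rather than a single verdict.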
Credential Stuffing
What we've learned is that a series of cleared defense contractors, or CDCs, have been extensively infiltrated with lurker accounts. A CDC is a private entity that has been given clearance by the Department of Defense to access, receive, or store classified information. So the contractors that work with our nation's military, who have access to some of the most current and most sensitive information available, have been subject to credential stuffing as well as spear-phishing campaigns. Credential stuffing is something I've explored before, but it was long enough ago that I'm gonna go over it again real quick. You know those widely publicized data breaches from megacorps like Facebook or LinkedIn? Once a service is compromised, all your tender data nuggets, such as username and password combos, end up in huge lists that are traded or sold. An attacker takes those lists and tries the same combos against other services in massive batches, in the hope that some users reused the same credentials. So if you're reusing username and password combinations, or even just passwords, you're a viable target for this kind of tactic. Credential stuffing has a surprisingly low rate of success per attempt, but because attackers automate the process with bots, they can launch far more attempts far more quickly, and the overall volume makes it worth it. Even if the data the attackers acquire isn't immediately profitable, like credit card or banking information, other sensitive information can be used later in more effective phishing attacks. As an end user, one of the best and most effective things you can do to protect yourself from credential stuffing attacks is to always avoid password reuse! It seems obvious, but you'd be surprised how many people slip into the habit. In addition to using a unique, strong password with each service, enabling two-factor authentication when available provides an extra layer of security.
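From the defender's side, the "massive batches against many accounts" behaviour is exactly what makes credential stuffing visible in authentication logs: one source tries a long list of different usernames roughly once each, whereas an ordinary brute force hammers one account. The script below is an added example, not from the original video, and runs that distinction over a constructed log format (one line per login attempt with a timestamp, result, user and source address). The regex, the thresholds and the sample lines are all assumptions to adapt to your own identity provider's log format; any success that lands inside a stuffing window is reported separately, because it marks an account whose owner almost certainly reused a password and needs a forced reset.

```python
"""Spot credential stuffing (and tell it apart from brute force) in auth logs.

Added example, not from the original video script. The log format, the
thresholds and all sample data below are constructed; 203.0.113.x,
198.51.100.x and 192.0.2.x are documentation address ranges.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line shape: "<ISO-8601 UTC> auth <success|failure> user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) auth (?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return (timestamp, result, user, src) for a matching line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return (ts, m["result"], m["user"], m["src"])


def summarize_worst_window(events, window):
    """Slide `window` over one source's time-ordered events.

    Returns the summary of the window containing the most distinct usernames,
    which is the signal credential stuffing cannot avoid producing.
    """
    best = None
    j = 0
    for i, (t0, _, _, _) in enumerate(events):
        while j < len(events) and events[j][0] - t0 <= window:
            j += 1
        chunk = events[i:j]
        summary = {
            "attempts": len(chunk),
            "failures": sum(1 for e in chunk if e[1] == "failure"),
            "distinct_users": len({e[2] for e in chunk}),
            "succeeded_users": sorted({e[2] for e in chunk if e[1] == "success"}),
        }
        if best is None or summary["distinct_users"] > best["distinct_users"]:
            best = summary
    return best


def classify(summary, min_distinct_users, max_mean_attempts, brute_force_failures):
    """Many users with ~1 try each is stuffing; one user with many failures is brute force."""
    mean_attempts = summary["attempts"] / summary["distinct_users"]
    if summary["distinct_users"] >= min_distinct_users and mean_attempts <= max_mean_attempts:
        return "credential-stuffing"
    if summary["distinct_users"] == 1 and summary["failures"] >= brute_force_failures:
        return "brute-force"
    return "normal"


def analyze(lines, window=timedelta(minutes=10), min_distinct_users=5,
            max_mean_attempts=2.0, brute_force_failures=10):
    """Group parsed events by source address and return {src: summary-with-verdict}."""
    events = sorted(e for e in (parse_line(line) for line in lines) if e)
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)
    report = {}
    for src, evs in by_src.items():
        summary = summarize_worst_window(evs, window)
        summary["verdict"] = classify(summary, min_distinct_users,
                                      max_mean_attempts, brute_force_failures)
        report[src] = summary
    return report


# Constructed sample log: a stuffing run, a brute force, and a normal user.
SAMPLE_LOG = [
    # One source walks a leaked username list, one guess per account; one reused password works.
    *[f"2024-03-01T10:00:{i:02d}Z auth failure user={u} src=203.0.113.5"
      for i, u in enumerate(["alice", "carol", "dave", "erin", "frank", "grace", "heidi"])],
    "2024-03-01T10:00:07Z auth success user=bob src=203.0.113.5",
    # Classic brute force: a single account hammered a dozen times.
    *[f"2024-03-01T10:05:{i:02d}Z auth failure user=carol src=198.51.100.20" for i in range(12)],
    # A real user mistypes once, then logs in.
    "2024-03-01T10:07:00Z auth failure user=alice src=192.0.2.10",
    "2024-03-01T10:07:05Z auth success user=alice src=192.0.2.10",
    "garbage line that does not match the format",
]

if __name__ == "__main__":
    for src, summary in analyze(SAMPLE_LOG).items():
        print(f"{src:16s} {summary['verdict']:20s} users={summary['distinct_users']:3d} "
              f"failures={summary['failures']:3d} succeeded={summary['succeeded_users']}")
```

Per-account lockouts, the usual brute-force control, do nothing against the stuffing pattern because no single account sees enough failures to trip them; the per-source, many-users view is what catches it, and the `succeeded_users` list is the follow-up queue for password resets and for checking whether the account had two-factor authentication enabled.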
I even have an awesome video on password reuse and why you shouldn’t do it. But anyway…
Over the course of two years, hackers have been successfully targeting CDCs that handle contracts for the US Department of Defense and intelligence community. These lurkers have maintained access to networks, often for months, gathering and exfiltrating huge quantities of data. I'm talking about emails between employees and between the companies and other companies, and documents relating to the companies' products and research. These are CDCs that hold information on the most current technological and scientific workings of the United States Department of Defense, and so, so much of it has been harvested. Everything from proprietary details to specific technologies, infrastructure plans, even development and deployment timelines for US weapons platforms. The Cybersecurity and Infrastructure Security Agency (CISA) released a joint cybersecurity advisory with the FBI and NSA, imploring private sector partners and the public to "implement good cyber hygiene".
The importance of security training has always been self-evident, but now it's more critical than ever. With advances in hacking tooling, such as the increased availability of automated bots, and with technology itself giving us countless routes to our most sensitive data, any end user can benefit from taking a look at their privacy practices. More of our lives exist online than ever before, with everything from medical to banking information stored, and many of us have at least one social media account that's our own self-made dossier. For a company, the security implications reach far beyond a single end user or employee. Even workers well-versed in basic best practices and privacy tools can benefit from not just being offered training but actually participating in it. Overlooking an invite and letting it gather dust in your inbox is understandable, but every new training brings with it the chance to learn about the newest threats and tactics being seen in use. Once an employee's account has been breached, it becomes that much easier for a hacker to pivot within the company's systems to see what else can be compromised. Every person in your organization who is apprised of the threats and the forms they take lessens the attacker's chance of success that much more.
Smaller organizations and businesses are now being advised to use best practices and tighten up their security culture, and that advice is now being extended to the general public. On an individual level, all we can really do is watch, be aware, and keep ourselves secure. Even if there's no real chance you're going to be a "person of interest" to any government, foreign or otherwise, you (or your hardware) can be used as an access point to whatever they are actually interested in. It might even be that the access point itself is what they want, since at least some of Russia's interest looks like keeping its own propaganda machine going. Reports of hacking directly related to the Russia-Ukraine conflict have been rolling in since last week, with megacorp Meta reporting hackers who took over Facebook accounts, targeting prominent military officials and public figures from Ukraine and launching a misinformation campaign. Twitter and YouTube reported signs of hackers trying to break into and compromise accounts. Even regular social media users in other countries have been hacked, most wholly unaware they've been compromised until an interaction with the content draws their attention to the Russian-state propaganda posted on their own account!
While having your social media account activate itself with sleeper malware just to post without you is disturbing and annoying, for most people it's as simple to fix as opening an account recovery ticket. There are higher stakes involved when one considers the amount of governance and infrastructure run through computer networks now. Last year, there was a sleeper malware incident at the UK's Gloucester City Council. The malware got into the network by way of an email sent to a council officer and spent some time dormant in the system before being activated. The attack affected the council's customer services (such as online forms for housing benefits) and even the pay of the council staff themselves! It doesn't take a significant cognitive leap to apply that level of risk to critical infrastructure and medical care, which is when things might look a little bleak.
The good news (I love good news time!) is that you can protect yourself, your organization, and even your community by using best practices. Protecting your data privacy matters in its own right, but there's a bigger reason to care: when hackers can't get to you, they also can't use you to get to everything else you're connected to. Use a VPN and check your privacy toolkit to see if there's anything you're missing. I'm going to keep watching for developments in hacking tactics and advancements in cybersecurity, all to bring it to you, so give a like and subscribe if you want to see more. We're strongest together, and I'm gonna keep doing my part. Are there other hacking or cybersecurity topics you want me to look at? Drop them in the comments!
Stay safe out there, and I’ll talk nerdy to you later!