Security Lessons to Learn From Tactics of Indicted Russian Hackers

NEWS ANALYSIS: The Russian hacking attack on the Democratic Party was state sponsored cyber-crime, according to Special Counsel Robert Mueller, but there are security lessons to be learned from mistakes made by Democratic Party officials as well as the hackers.

Russian Infrastructure Attack Campaign

The indictment filed by Special Counsel Robert Mueller on Friday the 13th reads in places like a crime novel. The story explains step-by-step how a group of Russian operatives who are part of the Internet Research Agency targeted the Democratic Party and the Hillary Clinton campaign, hacked into their computers and then stole vast quantities of data. 

The breach happened in March of 2016, although the process started three years before that and would soon become the centerpiece of election news as breached emails started appearing on Wikileaks and other websites forming the basis for a series of stories embarrassing to the campaign. 

But as you read through the indictment, there’s more there than just a theft of emails. There’s also the story of how the data was exfiltrated and transferred out of the U.S. as well as how the Russian operatives tried to cover their tracks. This investigation then led to a second indictment related to the same Russians and their attempts to manipulate social media and to create fake news to influence the 2016 U.S. presidential election.

As you read through the indictments, you’ll see the same sort of hacking and social engineering activities you’ve heard about many times before, including phishing emails, the cracking of weak passwords and misdirection tactics. It’s all there, and it all provides an opportunity for you to protect your organization if you’re willing to learn from the Russian example and use it to deal with the bad guys that attack your organization. 

If it seems like the tactics are very similar in each indictment, that’s due to the fact that the same people are involved. 

“Essentially state-sponsored actors are using the same tradecraft as the criminal bad guys,” explained Stu Sjouwerman, CEO of KnowBe4, a security training company. “In Russia they are the same bad guys. They have a choice to go to prison or work for the GRU,” he said. The GRU is Russia’s main military intelligence agency. 

Sjouwerman said that the Russian bad guys, like other cybercriminals, make it a point to go after the people in an organization. In the case of the hack of the Clinton campaign, the Russians sent a phishing email to campaign chairman John Podesta disguised to look like an official email from Google, asking him to change his Gmail password, and offering a place to click. Podesta clicked. 

That was all it took to download tens of thousands of email messages. The rest is history. 

By now you’re telling yourself that you don’t have to worry because you’re not a senior government official and you don’t have a high profile position that would make you an inviting target. But that doesn’t matter. 

Cyber-criminals will use the same tactics to steal your company’s money or its intellectual property as they used in their attempts to influence the U.S. election. Those bad guys may be after your contacts at some other company which is their real target and you may just be a stepping stone. But whether they’re after your property or your business partners, the result can be serious. 

So what can you do? Whether your attackers are state sponsored hackers or simply criminals, you can protect against those same tactics. The first one of those is to defend your company and your staff against phishing. “Instead of going after John Podesta, they go after senior managers in accounting,” Sjouwerman explained. 

The criminals find this information from your website, from LinkedIn and from media reports. They spend the time to research the senior people in your organization so they can successfully impersonate them. Then they either spoof an internal email, or the email of someone the targeted executive trusts. After that, it’s an assault on passwords, on contact information, on payroll information and on your computer infrastructure itself. 

The bad guys will try to steal your money and your other property through social engineering. But they’ll also install malware bearing surveillance applications, viruses, keyloggers and other cyber-weapons. They will try to get their hands on executive pay stubs and they’ll try to get customer and vendor lists. 

Here are some steps to take that have been presented before—more than once—but which bear repeating: 

  • Educate your employees about phishing emails, how to spot them, and what to do if they find one. You can help them by providing practice through a test provided for free by KnowBe4. 
  • Insist that your employees use strong, unique passwords for your email system. KnowBe4 also has a free test for breached passwords that uses over a billion compromised credentials harvested from the dark web. 
  • Try to avoid using public webmail services for critical communications, but if you must use them, insist that your employees use multi-factor authentication. But Sjouwerman said that you can’t just use authentication where the site sends a number to a cell phone because those are too easy to spoof. Instead, he said that you should use an app such as Microsoft Authenticator or Google Authenticator where the app generates the code on the phone. 
  • Train your staff to expect attempts to subvert your procedures through actions such as phony requests to transfer money and set up procedures so that they don’t fall for fraud in which someone spoofs a senior executive and asks for information such as an executive’s pay stub, which is an increasingly prevalent type of phishing attack. 

Another thing to remember is that you can’t assume that the bad guys will always try to exfiltrate data to a foreign location. The Russians, for example, used a server in Arizona as an intermediate step out of the U.S. 

The attacks are getting more sophisticated and there are limits to how much you can do technically to prevent these attacks, but training and awareness can go a long way in reducing the success of the social engineering that hackers of all sorts depend on.

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35 year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...