Microsoft Uncovers Large Scale Spoofing Scheme

Aug 27, 2018 | Security

In this space, we often talk about the tactics that bad actors use to infiltrate organizations, but sometimes it can be difficult to truly grasp the scope of these hacking operations.

Microsoft recently uncovered a robust effort to steal the confidential login information of users visiting various political organization websites. This instance was very representative of the common tactics used to convince users to give up their passwords. These efforts involve spoofing domain names. Domain spoofing is when attackers register a domain name that appears to belong to a legitimate organization and use it to convince the recipient of a fraudulent communication to open an attachment or click on a link.

The group behind these attacks was a hacking organization originating from Russia. Connected to the Kremlin’s intelligence agency, the GRU, this group has been known as APT28, Fancy Bear, Strontium, among other names. The organization, according to Microsoft, established 6 domains spoofing conservative groups, the U.S. Senate, and even Microsoft itself:

Members of these organizations, including board members and think tank employees, were then sent spear-phishing emails. These communications appeared to alert the members to a problem with their email account and suggested that they needed to use the fake domains to address the problem. The bogus websites appeared very similar to their legitimate counterparts and were built to capture the login information of visitors. Many users recount not being able to see a distinction between the real and fake sites.
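The two paragraphs above describe the mechanics of the lure: a mail warning of an account problem, linking to a domain that looks like the real one. The following is an added example, not code from the original post or from Microsoft, showing how a mail gateway or SOC script could flag such lookalike links. It assumes a constructed allowlist of domains the organization actually owns (`example.org`, `contoso.com`) and a constructed sample message; the detection rules (brand name embedded as a subdomain, digit-for-letter homoglyphs, one-character edits, brand name padded with extra words) are the ones this kind of lure relies on.

```python
"""Flag lookalike domains in the links of a suspicious e-mail body."""
import re
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed allowlist: the registrable domains the organization really owns (assumption).
LEGIT_DOMAINS = {"example.org", "contoso.com"}

# Digits attackers commonly substitute for visually similar letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (naive: no public-suffix list, so co.uk-style TLDs are not handled)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for one hostname."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return "legit"
    reg_name = reg.split(".")[0]                       # brand label of the registrable domain
    normalized = reg_name.translate(HOMOGLYPHS).replace("-", "")
    for legit in LEGIT_DOMAINS:
        legit_name = legit.split(".")[0]
        # Real domain or brand used as a subdomain of an attacker-controlled domain.
        if legit in host or legit_name in host.split(".")[:-2]:
            return "lookalike"
        # Homoglyph substitution (examp1e) or a one-character typo of the brand label.
        if normalized == legit_name or levenshtein(reg_name, legit_name) <= 1:
            return "lookalike"
        # Brand label padded with extra words: contoso-support.com, example-org-login.net
        if legit_name in reg_name:
            return "lookalike"
    return "unrelated"


def flag_links(body: str) -> List[Tuple[str, str]]:
    """Extract every URL in an e-mail body and label its host."""
    results = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        results.append((url, classify_host(host)))
    return results


# Constructed sample lure in the style the post describes (not a real message).
SAMPLE_EMAIL = """\
Your mailbox has exceeded its quota and will be suspended.
Sign in at https://mail.example.org.account-verify.com/login to keep access,
or use the backup portal https://examp1e.org/reset .
Read the policy at https://www.example.org/policy
"""

if __name__ == "__main__":
    for url, verdict in flag_links(SAMPLE_EMAIL):
        print(f"{verdict:10s} {url}")
```

Running it on the constructed message labels the first two links as lookalikes and the third as legitimate. The edit-distance threshold is deliberately tight (one character), because a looser one produces false positives on short brand names; a production check would also consult a public-suffix list and Unicode confusables rather than the small ASCII digit table used here.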

On August 20th, Microsoft executed a court order to disrupt these malicious websites. “In this particular instance we believe we were able to act quickly enough that these specific sites were not used successfully,” Brad Smith, Microsoft’s President and Chief Legal Officer, stated.

Presumably, if Microsoft hadn’t shut down these sites, they would have successfully stolen the credentials of many within the IRI, Hudson Institute, Microsoft, and the Senate. Once those credentials are compromised, the hacking organization would gain unprecedented access to systems and sensitive information. These could be leveraged in the upcoming elections or used to redirect money. Smith says that Russian cyberattacks in 2018 have been “even broader than we first thought. That’s across the tech sector, that’s across this country.”

Social engineering tactics like spoofing and spear-phishing are used not only by large, government-sponsored hacking operations, but also by your everyday bad actor. Lessons can be learned from this thwarted infiltration effort, such as the importance of proper security training. Deploying an organization-wide security education program can seem like a huge upfront investment. But, compared to the potential costs of a data breach or mailbox compromise, it is one of the most cost-effective cybersecurity practices. Employees are your last line of defense, and although security hardening solutions like Multi-Factor Authentication and continuous monitoring are important, they will only be successful with a strong culture of security.

You may not be a member of a large think tank or the US Senate, but there are lessons to be learned from Microsoft’s takedown of these fake sites. It is important to always consider the sender of any communication asking for login information. Knowing that an attachment or link might be malicious is important for everyone in your organization. To improve your business’s security practices, don’t hesitate to reach out to our cybersecurity experts at or 630 832 0075.