“Attach[ed] is a quote for the Social Media training we discussed,” said one message sent on July 3 to the vice president of EnergySec, a federally funded group in Oregon that focuses on the cybersecurity of the nation’s power grid.
But like much of the digital universe, the e-mails were not what they seemed. They were cyberweapons, part of a devastating kind of attack known as “social engineering.”
Emerging details about the e-mails show how social engineering — long favored by con artists, identity thieves and spammers — has become one of the leading threats to government and corporate networks in cyberspace.
The technique involves tricking people to subvert a network’s security. It often relies on well-known scams involving e-mail, known as “spear phishing,” or phony Web pages. But such ploys now serve as the pointed tips of far more sophisticated efforts by cyberwarriors to penetrate networks and steal military and trade secrets.
The e-mails this spring and summer appear to be part of a long-running espionage campaign by a hacker group in China, according to interviews with security researchers and documents obtained by The Washington Post. Some of the e-mails, including those sent to the Chertoff Group and EnergySec, were caught by suspicious employees. Others hit home.
“Multiple natural gas pipeline sector organizations have reported either attempted or successful network intrusions related to this campaign,” officials at the Department of Homeland Security said in a confidential alert obtained by The Post.
The May 15 alert, by the department’s specialists in industrial control systems, said “the number of persons targeted appears to be tightly focused. In addition, the email messages have been convincingly crafted to appear as though they were sent from a trusted member internal to the organization.”
Social-engineering attacks revolve around an instant when a computer user decides whether to click on a link, open a document or visit a Web page. But the preparation can take weeks or longer.
Serious hackers investigate their targets online and draw on troves of personal information people share about themselves, their friends and their social networks. Facebook, Twitter and other social media have become prime sources for the hackers, specialists said.
“Everybody has their trigger,” said Bruce M. Snell, director of technical marketing at McAfee Security Systems. “A good social engineer will find that trigger.”
Once malicious software code is delivered, it burrows in and hides in a targeted network. That code, known as malware, can lurk for years in intelligence or attack schemes that are sometimes known as “advanced persistent threats.” Eventually, the code reaches back out to the hackers for instructions, often cloaking the communication through encryption or masking it to seem like innocuous Web browsing by an employee.
Over the past three years, most major cyberattacks on U.S. corporations have included social engineering, specialists said. That includes hacks of Google and security giant RSA. Researchers think that scores of attacks were designed by the same Chinese hackers who appear to be involved in the current e-mail campaign. Some U.S. officials think the hackers may have links to the Chinese military.
The Chinese are not the only ones using the technique. Cyberwarriors at the Pentagon receive social-engineering training for offensive and defensive missions, knowledgeable specialists said.
David Kennedy, a security consultant and former National Security Agency analyst, said he is amazed at the effectiveness of the techniques.
“I have done hundreds of these, and I have never been stopped,” said Kennedy, who teaches social engineering to other security specialists. “It sounds horrible, but it works every single time.”
The human factor
Social engineering works because it targets a vulnerable part of cyberspace that cannot be patched with technical fixes: human beings. People want to believe that their communication is safe.
“Because it goes at the human level, not at the technological level, we’re all vulnerable,” said Joseph Nye Jr., a distinguished service professor at Harvard University who is on the board of advisers to the Chertoff Group. Nye said he has received at least six spear-phishing e-mails purporting to be from the Chertoff Group. He said he deleted them all, but he added, “Every once in awhile, one of these will get by you.”
The explosive growth of cyberspace has created a fertile environment for hackers. Facing the flood of e-mail, instant messages and other digital communication, many people have a hard time judging whether notes or messages from friends, family or colleagues are real. Many don’t even try. Hackers are so confident about such permissiveness that they sometimes begin their attacks in social media three or four steps removed from their actual targets. The hackers count on the malicious code spreading to the proper company or government agency — passed along in photos, documents or Web pages.
“This is the next evolution of social engineering, where victims are researched in advance and specifically targeted,” said a recent Internet threat report by Symantec, a computer security firm. “The very nature of social networks makes users feel that they are amongst friends and perhaps not at risk. Unfortunately, it’s exactly the opposite and attackers are turning to these sites to target new victims.”
At the same time, technology is transforming social engineering. One online data-mining service favored by hackers — as well as by security researchers and law enforcement — works much like a laser-focused Google. The automated system, called Maltego, enables users to quickly bring together and analyze disparate details about people from all corners of cyberspace, showing an individual’s links to friends, family, work associates and personal interests.
“None of these steps are particularly difficult to code or do by hand. But doing it by hand is painful,” said Roelof Temmingh, founder and managing director of Paterva, the small South African company that sells the service. “Maltego can do all of this in a flash.”
Temmingh demonstrated Maltego’s utility not long ago by looking for a person to target at Fort Meade, home to the super-secret NSA. He typed in Fort Meade’s latitude and longitude and searched for Twitter users. In a couple of steps, Maltego quickly delivered the name of a person who tweeted at the Fort Meade location.
With that, Maltego searched MySpace, a dating Web site and other resources to build a rich profile: a young Army private who served in South Korea, likes to smoke and drink, divorced and looking for a “serious relationship.” She likes Harry Potter movies and “The Cosby Show.” Maltego also turned up her name, address and birthdate.
Building a tool kit
In 2009, David Kennedy began digging deep into corporate security for a Fortune 1000 company as a penetration tester, identifying flaws that hackers could exploit. He wanted to know whether employees could be duped into clicking on unknown documents or handing over confidential information over the phone. Most of them could.
Kennedy concluded that social engineering was “the next biggest attack vector.” He teamed up with a nonprofit organization called Social-Engineer.org to develop products that would make security testing more effective.
The result is known as the Social Engineering Toolkit. Its many applications can identify targets and deliver attack payloads, secretly, like digital stealth missiles. The tool kit also provides ready-made code for attacks.
In an irony of the digital age, the same tools are available for free to attackers.
“Can a bad guy take all this and get better? Sure. . . . But that is not the intended goal,” said Chris Hadnagy a founder of Social-Engineer.org and author of the book “Social Engineering: The Art of Human Hacking.” “What we are doing is trying to weaponize people to be protected against this threat.”
Kennedy described one effective approach involving a tool that creates instant copies of real Web pages and embeds them with malicious code. In an e-mail, the attacker could pose as an executive of a company, seeking help from an IT department employee. The attacker has studied the employee and knows he is new to the company and probably eager to please his superiors.
In a phone call that appears to be coming from within the company, the attacker asks the IT staffer why a certain Web page won’t open. The attacker directs the staffer to the bogus Web page. The intrusion occurs the moment the IT staffer visits the page.
“I find that leveraging human compassion is generally the best way to gain what I want,” Kennedy, now president of TrustedSec, said in a recent seminar.
A tailor-made attack
The current intrusion campaign began in December, possibly earlier. That’s when analysts think the attacks first started against gas pipeline company executives. With some study, it became clear that the e-mails were part of a sophisticated campaign. Only certain executives were singled out for attention. The e-mails were tailored to them.
The attackers were relentless, launching e-mails on at least 13 days. They also were creative. Attached to the e-mails were documents covering a variety of subjects that might be of interest to the executives: the U.S. debt crisis, Adobe updates, iTunes help and an analysis of the presidential election.
The true scope of the campaign started to become apparent in June, after cybersecurity researchers at a security firm called Digital Bond received one of the phony e-mails. The Digital Bond researchers specialize in industrial-control computers that operate power plants and other critical infrastructure.
The note, which appeared to be coming from their boss, Dale Peterson, was filled with technical jargon. “Details are available at: Leveraging_Ethernet_Card_ Vulnerabilities_ in_Field_Devices.pdf Download it and have a look,” the e-mail said.
The intrusion failed in part because the attackers slipped up and because a Digital Bond researcher was alert. The e-mail was signed “Peterson.” But the security researchers knew that their boss uses his first name on e-mail, not his last.
Other security researchers asked to review the situation found the attachments were not actually .pdf documents but “executable files” that deposited “Trojan horse” code when a computer user clicked on them, said Jaime Blasco, security lab manager at AlienVault, who reviewed the attack.
Blasco and his partner, Ruben Santamarta of the security firm IOActive, found the hackers had used multiple Web server computers to give instructions to the malicious code. The electronic trail on those servers led to other victims, including the Chertoff Group; NJVC of Vienna, Va., a contractor for the National Geospatial-Intelligence Agency; and the National Electrical Manufacturers Association (NEMA) in Arlington County, which represents companies that make components for power grids.
Officials at NJVC and NEMA acknowledged the attacks but said employees prevented network intrusions. Department of Homeland Security officials declined to discuss the episodes.
The scope of the attacks expanded in July, when the cybersecurity group EnergySec was hit. EnergySec President Patrick Miller also reached out to Blasco for help. Based on evidence, it appeared to be the same attackers: a group of Chinese hackers that had been using social engineering for nearly a decade to break into systems across the globe with impunity.
Cyber-researchers have dubbed them the Comment Crew or Comment Group. The name stems from the fact that hackers include attack commands in the comments that programmers typically include in HTML code to document their goals or make notes of changes.
The Comment Crew has become notorious for using simple social-engineering techniques, including well-crafted e-mails, in elaborate hacks that breach security, load “remote access tools,” or RATs, and siphon off oceans of data from victims.
Though it is sometimes impossible to definitively identify hackers, because of the hall-of-
mirrors nature of cyberspace, they often leave behind compelling digital evidence. Researchers said the IP address of a Web server and a particular method of writing HTML comments links the attacks on the gas pipeline executives to those against the Chertoff Group and others. It also links the current campaign to a series of earlier devastating attacks by the Comment Crew, dubbed Operation Shady RAT.
Those intrusions compromised hundreds of systems over at least five years, including federal agencies, defense contractors and the United Nations, according to studies by McAfee and the Dell SecureWorks Counter Threat Unit.
“The above patterns of attack are very similar to attacks carried out by the actors responsible for the Shady RAT campaign,” said Ned Moran, a researcher at the nonprofit Shadowserver Foundation who also analyzed the attack on Digital Bond.
Joe Stewart, director of malware research at the Dell SecureWorks Counter Threat Unit, estimates the group has at least 100 members who work at specific tasks such as social-engineering research, malware development and the processing of stolen information. In essence, the Comment Crew has made a business of cyber-espionage. Their activity online shows they typically work 9 to 5 — Shanghai time — and take off Chinese holidays.
Stewart and others say Chinese hackers have been using a troubling variation of social engineering called a “watering hole” attack. Instead of sending e-mails with links — something that some security-conscious computer users now avoid — they try to entice wary victims to visit familiar, authentic Web sites that have been secretly loaded with attack code. Think of a lion near a watering hole.
One ploy involves an e-mail announcement of online coupons for half-price drinks or food at a favorite bar. The attack comes when the victims visit the Web site seeking the coupons and unwittingly download the malware.
In a new report, Symantec researchers said some hackers are simply co-opting Web pages popular in certain industries, such as the energy sector, and waiting for victims to arrive.
With enough money, focus, malware and social-engineering skills, “anybody can get into anyplace,” Stewart said. “The most careful person is not going to have a defense against it.”