Even trained intelligence officers can be conned by basic hacking campaigns designed to win their trust.
That’s the lesson from a sweeping indictment unsealed Wednesday against four Iranian hackers -- and a former U.S. Air Force intelligence specialist who allegedly defected to Iran for ideological reasons and helped the hackers seek information about a highly classified intelligence program.
The Air Force specialist, Monica Elfriede Witt, told senior Iranian officials about the classified program and described some former colleagues still working on it, according to the indictment. Once they had that information, what the four hackers did was simple. They created fake online personas — including one that mimicked one of Witt’s former intelligence community colleagues — to gain other intel officials' trust. They sent links that were highly personal and convincing -- waiting for a chance to deliver malware that could seize their information, capture their keystrokes and spy from their webcams.
Those are the sort of phishing schemes used by common criminals, but the indictment proves they work for sophisticated nation-state hackers, too.
The hackers became "friends" on Facebook with at least four U.S. intelligence agents based in the United States and Afghanistan, some of whom were accessing Facebook on Defense Department computers. The hackers also joined a Facebook group heavily populated with agents, though it’s not clear whether they compromised the agents’ computers or mobile devices.
“Social media affords our adversaries the ability to harvest our trust with beguiling specificity,” John McClurg, a former FBI supervisory agent working on computer crimes, told me.
“It allows them to beguile us into a false position of trust. You think because the person who approaches you has such specific information it’s someone to whom you should offer your trust,” said McClurg, who’s now vice president at the cybersecurity company Cylance, which tracks Iranian hacking groups.
While it may seem simple, the scheme reads like a textbook Iranian hacking operation -- and Tehran is quite good at these targeted phishing tactics, said Jeff Bardin, a former Air Force cryptologic linguist who studies Iranian hacking operations.
“Spearphishing and social engineering are their core competencies,” said Bardin, who’s now chief intelligence officer at the cybersecurity firm Treadstone 71. “They just continue to improve at it. If people would learn to stop clicking on [suspicious] links, it would make it a lot more difficult for them.”
Witt and all four of the hackers remain at large and probably are in Iran, as my colleague Matt Zapotosky reported. In addition to the indictments, the Treasury Department imposed sanctions Wednesday against groups and individuals that supported the hacking operation, including the company Net Peygard Samavat, which provided computer servers and other infrastructure.
The indictment offers detailed clues about the Iranians' approach, which could be instructive cautions for people accepting friend requests. The hackers’ first move, according to the indictment, was to create an email and Facebook account under the name Bella Wood and use it to connect with a former Kabul-based colleague of Witt’s who accepted the hackers’ friendship request.
The flirtatious but malware-laden emails the hackers sent to that colleague don’t exactly read like the sophisticated lures of an ace spy.
“I’ll send you a file including my photos but u should deactivate your anti virus to open it because I designed my photos with a photo album software, I hope you enjoy the photos I designed for the new year, they should be opened in your computer honey,” one of them reads.
That may seem like an embarrassingly obvious phishing attempt, but that sort of email can be surprisingly effective, even against savvy targets, Bardin said. “Phishing is something they use over and over again and we just can’t get people to quit clicking on links,” Bardin said.
Here's another take from Rendition InfoSec President Jake Williams:
Next time you hear about "big bad APT" remember that hackers tasked by the Iranian government directed their victim to disable antivirus. APT doesn't work harder than they have to and many have terrible tradecraft and OPSEC.#IranIndictment pic.twitter.com/SeprIbDYCc— Jake Williams (@MalwareJake) February 13, 2019
From there, the hackers connected with three other former intelligence colleagues of Witt’s, according to the indictment. In some cases, the malware-carrying emails and Facebook messages they sent included similar flirtatious messages about photo albums. They also posed as one of the agents on Facebook and sent other agents a link that appeared to be to a legitimate news story.
As a final ploy they sent the agents an email that appeared to be from Facebook directing them all to reset their passwords — if they clicked that link it would have captured the agents’ Facebook credentials and allowed the hackers to seize or spy on their accounts. The indictment doesn’t say whether any of the agents fell for that ploy.
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: Some Homeland Security Department officials are warning that a reorganization of two task forces responsible for protecting elections against digital threats could hobble government preparations for the 2020 contests, the Daily Beast’s Erin Banco and Betsy Woodruff reported. One team is tasked with protecting election infrastructure while the other works to combat foreign influence operations, such as the spread of disinformation online.
The size of one task force has been reduced in half and the other team was downsized after the 2018 midterms, the Daily Beast reported. The teams, which used to report directly to Cybersecurity and Infrastructure Security Agency Director Chris Krebs before the midterm elections, now also report to an official who is lower in the agency’s ranks. "It’s very curious why the task forces were demoted in the bureaucracy and the leadership has not committed resources to prepare for the 2020 election," one official said, speaking anonymously.
DHS spokeswoman Sara Sendek disputed parts of the report, saying some employees who worked for the task force on temporary assignments had returned to their regular roles but the agency is also recruiting new permanent workers to protect the 2020 election. DHS brought on many temporary workers in the run up to the 2018 contest, including about a dozen military cyber pros. “The work of these taskforces continues to this day and is being institutionalized as a permanent effort,” Sendek told the Daily Beast.
The report came the same day Krebs testified before the House Homeland Security Commmittee that DHS plans to increase its collaboration with state and local officials to secure elections ahead of the 2020 campaign season. The agency intends to continue to share threat information, make election audits more effective and encourage officials to patch vulnerabilities in election systems, Krebs said in prepared remarks.
Here's cybersecurity reporter Kim Zetter from the hearing:
What strikes me most about today's election security hearing so far is how two years after the 2016 election, most of the questions from lawmakers are still so basic and could be answered by doing a Google research. Only one lawmaker asked the right questions.— Kim Zetter (@KimZetter) February 13, 2019
PATCHED: Several Democrats on Capitol Hill want the Trump administration to release more information to the public about efforts to protect the 2018 midterm election from foreign interference, CyberScoop's Sean Lyngaas reported. “It’s important for the public to have confidence in our election systems,” Rep. Jim Langevin (D-R.I.) told CyberScoop. “In order to have confidence, I think there has to be transparency.”
An aide to Sen. Ron Wyden (D-Ore.) said a public report on the work to secure the 2018 midterms should be released, Lyngaas reported. There is no evidence that any foreign interference efforts “had a material impact on the integrity or security” of election infrastructure last year, DHS and the Justice Department said in a news release this month. But the specific conclusions of the joint report are classified.
Sen. Mark R. Warner (D-Va.), the Senate Intelligence Committee's vice chairman, called this month for an unclassified version of the report to be released. “A classified report and a short press release with no details isn’t nearly good enough,” Warner said on Twitter. “We need more transparency on how our democracy is being targeted by our adversaries.”
PWNED: On this Valentine’s Day, people looking for romance in the OkCupid Android app could find a hacker instead. Security researchers for the company Checkmarx found that hackers could access information about the dating app’s users if they launched a phishing attack exploiting a glitch in the app. As a result, they could potentially seize users' personal data such as name, gender, email address, date of birth, country and Zip code. “In the attack we crafted, the webpage simulates a user login page with the OkCupid look and feel, inside the OkCupid application,” the company said in a report. “The user is tricked into providing his credentials; he has no reason to suspect that it is not a legitimate request.”
Checkmarx said it started to disclose the glitches to OkCupid in November, adding that the company was “very communicative and very responsive in addressing these vulnerabilities.” The company also urged software providers such as OkCupid to require multifactor authentication for users who log in from a new device.
— The Senate Homeland Security and Governmental Affairs Committee advanced several cybersecurity bills, including the Federal Rotational Cyber Workforce Program Act. The bill would allow civilian cyber workers at a federal agency to temporarily work at another agency to gain new experience. That bill was reintroduced in this Congress by Sen. Gary Peters (Mich.), the committee's top Democrat, and Sen. John Hoeven (R-N.D.). The committee advanced the bills in a voice vote.
— Senate Banking Committee Chairman Mike Crapo (R-Idaho) and Sen. Sherrod Brown (Ohio), the panel's top Democrat, are soliciting feedback on data collection practices by financial regulators and businesses, according to a news release from the committee. The committee plans to scrutinize the collection of personal data and said the comments it receives could help shape potential legislation.
“In the year and a half since the Equifax breach, the country has learned that financial and technology companies are collecting huge stockpiles of sensitive personal data, but fail over and over to protect Americans’ privacy,” Brown said in a statement. “Outdated privacy laws don’t address the complex surveillance schemes these businesses profit from today.” The committee will collect feedback from stakeholders until March 15.
— More cybersecurity news from the public sector:
— Symantec said in a report that hackers in 2018 increasingly used “formjacking” attacks and probably made tens of millions of dollars that way, the Hill's Olivia Beavers reported. “When a customer goes to pay for something online, the malicious code gathers all their entered data — like payment card details or their username and address — and then sends that information to the hackers' servers, which they can then use to commit fraud or even sell them on the dark web,” according to the Hill.
— Michael S. Rogers, former director of the National Security Agency, is joining the operational technology security company Claroty as chairman of the firm's board of advisers, according to a new release from Claroty.
— More cybersecurity news from the private sector:
— Experts familiar with the Equifax data breach believe that those who stole the data did so on behalf of a foreign government and are using it “to try to identify and recruit spies,” CNBC's Kate Fazzini reported. Experts have not seen the data be used to impersonate people and it has not turned up on underground forums to be sold.
That's a complicated question, according to ZDNet's Catalin Cimpanu:
However, I don't agree with the article's proposed theory/conclusion that: if it's not on the Dark Web, it was an APT!— Catalin Cimpanu (@campuscodi) February 13, 2019
It's a little bit more nuanced than that
— More news about security incidents:
- The Bipartisan Policy Center and the Democracy Fund hold an event titled “The voting experience: 2018 and the future.”
- Senate Commerce Committee hearing on “policy principles for a federal data privacy framework” on Feb. 27.
How Trump blames Obama:
A play-by-play of Kamala Harris admitting she smoked weed: