By Belton Zeigler, partner, Womble Carlyle Sandrich & Rice
In summer 2015, the spies of a foreign country gained access to a private company’s domain name – pick any company you like, or several, since we don’t know which ones or how many. And within those domains, they created false email accounts, booby-trapped web pages, and developed hidden conduits for stolen information. After carefully building their “infrastructure” within those legitimate websites to mask the origins of their communication, they entered the computer systems of one of our country’s largest political parties. Or so the story goes.
But how did they do it?
Using unauthorized email accounts developed within the private company’s domain, fraudulent web pages, and stolen information, these individuals lured Democratic National Committee officials into loading software onto their system that gave the hackers control of those computers.
Through that computer access, they stole – and eventually published to the world through various surrogates – hundreds of emails. The publication of those emails (along with emails from other sources) caused a sensation in the political world.
Today, business owners, CEOs, partners, and shareholders know more than we care to know about cybercriminals. These are the people who steal our identities and credit card numbers. Slow down our systems. Lock up our computers and demand ransom for the keys. But what if corporations weren’t simply inconvenienced by cybercriminals? What if we inadvertently became a part of a multi-country – or multi-organization – cyberwar, while remaining completely unaware of our accidental participation?
Sounds like a plot from a Tom Clancy novel, perhaps. But the reality is we might be. That has been a key message of the FBI and Department of Homeland Security in their report on the 2015-16 hack of the DNC.
According to these agencies, this particular theft was not the act of private criminals or of misguided activists but the calculated act of a hostile nation. Since then, that report has been questioned, and understandably so, since attributing a massive leak from a major organization is a complex analysis. There were most likely other thefts by other parties, including organizations, hostile individuals, and perhaps even inside leakers.
But the most important part of the report is not precisely who did what. It is that the hackers’ access to private third-party domains gave them the information and resources they used to disguise themselves as legitimate actors, breach a major organization, and steal their way through it.
We can surmise, then, that one day in summer 2016, the CEOs of one or more unsuspecting private organizations received a surprise visit from the FBI. Agents told them that they had been unwitting accomplices in another country’s hacking of a major political party’s computer systems.
One can only imagine their incredulity. It would have been the cyber equivalent of coming home one day to be told that Russian spies had been working out of your house for months, maybe years, reading through your personal papers and pretending to be members of your family, tricking others into trusting them based on your good reputation, receiving packages of stolen secrets at your front door – and you never knew a thing.
For that reason, the bulk of the FBI and Homeland Security report details the actions that private businesses, educational institutions, and others can take – at once – to ensure that they are not serving as “stooges,” to use a phrase from the last Cold War.
The report contains several lists of software signatures, domain names, and other identifying information that IT administrators can run immediately against system logs to see if there are any tracks leading back to foreign governments on your system. That is one step that any responsible corporation can take immediately. If your IT administrator is on the ball, he did this as soon as the report was issued. But it doesn’t hurt to check.
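The kind of check described above, as an added example that is not code from the article or from the FBI and Homeland Security report: a small Python script that takes an indicator list (domains, IP addresses, file hashes) and runs it against log lines. The indicator values and the log lines are constructed placeholders for illustration, not real indicators from the report; a real run would load the report's published lists and the organization's own proxy, DNS, and endpoint logs. It goes slightly beyond the text by matching subdomains of a listed domain (a listed domain is usually meant to cover hosts beneath it) while refusing a near-miss such as `notbad.test` for `bad.test`.

```python
"""Match an indicator list (domains, IP addresses, file hashes) against log lines.

Added example, not code from the article or the FBI/DHS report. The indicator
values and log lines below are constructed placeholders, not real indicators.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed indicator list. A real run would load the domains, IPs and hashes
# published in the report instead of these placeholders.
INDICATORS = {
    "domains": {"example-bad-domain.test", "evil-update.invalid"},
    "ips": {"203.0.113.45"},  # documentation-range address, stands in for a real one
    "hashes": {"d41d8cd98f00b204e9800998ecf8427e"},  # MD5 of an empty file, stands in for a real hash
}

# Constructed sample log lines (proxy, DNS, endpoint AV) in a loose key=value form.
SAMPLE_LOGS = [
    "2016-07-01T10:02:11Z proxy src=10.0.0.5 dst=198.51.100.7 host=www.example.org",
    "2016-07-01T10:02:13Z dns query=mail.example-bad-domain.test client=10.0.0.8",
    "2016-07-01T10:03:40Z proxy src=10.0.0.9 dst=203.0.113.45 host=cdn.evil-update.invalid",
    "2016-07-01T10:05:02Z av file=C:\\Users\\a\\update.exe md5=D41D8CD98F00B204E9800998ECF8427E",
    "2016-07-01T10:06:00Z dns query=notexample-bad-domain.test client=10.0.0.8",
]


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str       # "domain", "ip" or "hash"
    indicator: str  # the indicator that matched
    observed: str   # the value in the log line that triggered it


# Fields in the constructed logs that carry a host name, an IPv4 address, or a hex digest.
DOMAIN_RE = re.compile(r"(?:host|query|domain)=([A-Za-z0-9.-]+)")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b[0-9a-fA-F]{32}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{64}\b")


def domain_matches(observed: str, indicator: str) -> bool:
    """True when observed equals the indicator or is a subdomain of it.

    'mail.bad.test' matches 'bad.test'; 'notbad.test' does not, because the
    comparison requires a dot boundary, not just a common suffix.
    """
    o, i = observed.lower().rstrip("."), indicator.lower().rstrip(".")
    return o == i or o.endswith("." + i)


def scan_line(line_no: int, line: str, indicators: dict) -> list:
    """Return every indicator hit found in one log line."""
    hits = []
    for observed in DOMAIN_RE.findall(line):
        for ind in indicators["domains"]:
            if domain_matches(observed, ind):
                hits.append(Hit(line_no, "domain", ind, observed))
    for observed in IP_RE.findall(line):
        try:
            addr = str(ipaddress.ip_address(observed))  # rejects malformed octets
        except ValueError:
            continue
        if addr in indicators["ips"]:
            hits.append(Hit(line_no, "ip", addr, observed))
    for observed in HASH_RE.findall(line):
        if observed.lower() in indicators["hashes"]:  # hashes compared case-insensitively
            hits.append(Hit(line_no, "hash", observed.lower(), observed))
    return hits


def scan_logs(lines, indicators=INDICATORS) -> list:
    """Run the indicator list over every line; line numbers start at 1."""
    hits = []
    for n, line in enumerate(lines, start=1):
        hits.extend(scan_line(n, line, indicators))
    return hits


if __name__ == "__main__":
    for h in scan_logs(SAMPLE_LOGS):
        print(f"line {h.line_no}: {h.kind} indicator {h.indicator} observed as {h.observed}")
```

On the constructed logs this reports four hits: the DNS query for a subdomain of a listed domain, the proxy connection that matches both a listed domain and a listed address, and the endpoint record carrying a listed hash; the near-miss domain on the last line is correctly left alone. A hit is a lead for investigation, not proof of compromise: the next step is to pull the surrounding activity for that host and confirm what actually happened.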
The report also contains a guide to simple steps that every company should take to ensure that it has minimally adequate protections against cyberspies and cybercriminals.
- Monitor system traffic across firewalls.
- Patch software regularly.
- Enforce robust password standards.
- Train employees not to click on links from unknown parties.
- Segment networks and limit privileges and access – especially administrator privileges. Make sure that a single breach doesn’t create unlimited exposure.
- Audit your IT assets and eliminate unnecessary modems and interfaces.
- Have a third party conduct a cybersecurity audit of your organization, help you identify the gaps you should patch first, and create a plan for doing so.
When the report was issued, experts sniffed at these suggestions as pedestrian. But there was nothing special about the techniques used in the DNC breach; they were well-known and well-understood. Unfortunately, the mundane defenses to their techniques are not universally applied by corporations and other private organizations.
In the cyber realm, weakness breeds weakness. The resources and pathways that hostile governments and other malicious actors need to breach sensitive governmental targets are often found in less sensitive targets – the systems of ordinary businesses, private organizations, and educational institutions. The DNC hack shows that the failure of any of us to effectively secure our computer domain resources weakens us all.