Russians apparently ‘targeted US election via phishing attacks’

If you’re a US citizen concerned about the integrity of presidential elections, the next paragraph might raise issues that are stressful to contemplate.

In 2016, hackers had some success spear-phishing a US voting software company to target 122 election officials. The NSA detected and analysed the attacks in a report. Unfortunately, the report has now been leaked to a media organisation in farcical circumstances, which is how we know about the hacking at all.

That the US e-voting system is under attack, allegedly by Russians, is arguably the least troubling part of this story given how much coverage the issue’s already had.

In September, stories started appearing about alleged covert Russian attacks on online voter registration, and possibly electronic voting systems. After the election, Democrat politicians demanded these claims be investigated.

The report gives credence to these allegations, although the only media organisation to read it in full, The Intercept, admits it has not seen the intelligence data on which this conclusion was based.

What might worry people more is how trivially easy it still is for attackers to target official organisations using cheap-and-cheerful phishing attacks many years after these became an everyday occurrence for every large organisation in the world.

In August 2016, seven people working for a voting software vendor used by a number of US states were sent phishing emails purporting to be from Google, and at least one of them was believed to have been compromised.

With a credential bridgehead and stolen documents, the attackers set up a bogus Gmail account from which to attempt the same trick on state voter registration officials who might be fooled by an email from the company.

The emails carried Word attachments purporting to be product material, boobytrapped to hijack Windows PowerShell scripting to download malware.

It’s straight out of the cybercrime playbook, exploiting predictable elements: spoofed emails manipulating consumer webmail, boobytrapped attachments, the ubiquity of Windows.

The Russians get the blame but in truth, any nation with the resources to put a few experienced techies in a room could have done as well. This wasn’t exactly hard work.

What did the campaign achieve? Nobody can be sure, although there is, so far, no evidence that election equipment or voter rolls were manipulated.

News sites have since named Reality Winner, a US government contractor with security clearance, as the report leaker. Her method? Reportedly, printing it out and leaving the building.

As you’ll recall, this comes barely four years after Edward Snowden, another contractor, did the same thing on a larger scale, which in turn came three years after Chelsea Manning copied secret diplomatic cables using a humble CD burner and passed them to Wikileaks.

A system this open to leaking – and phishing – is not simply failing to defend its secrecy, it is incapable of defending its secrecy. If these events prompt a more fundamental security reassessment, perhaps the clumsy, almost reckless attempted probing of the US 2016 election will one day be seen as having done its citizens a big favour.