Recently, the Department of Justice announced that it had indicted five Chinese military officers for allegedly hacking into the computer systems of a number of local companies to steal trade secrets and other information (1). The indictment states that these officers used illicit methods to gain unauthorized access to sensitive systems and email accounts, and that the trade secrets and other information obtained through these intrusions were allegedly used to benefit certain Chinese state-owned enterprises.
The significance of this breach is highlighted in this quote from U.S. Attorney General Eric Holder, “The range of trade secrets and other sensitive business information stolen in this case is significant and demands an aggressive response. Success in the global market place should be based solely on a company’s ability to innovate and compete, not on a sponsor government’s ability to spy and steal business secrets. This Administration will not tolerate actions by any nation that seeks to illegally sabotage American companies and undermine the integrity of fair competition in the operation of the free market.”
The summary of the defendants and their criminal conduct highlights a number of alleged criminal actions. One common denominator of the alleged conduct is a method of attack called “spear phishing.” Spear phishing is not a new threat, nor a highly technical one, but as the news reports show, it can be extremely effective for an attacker. It remains one of the favored methods of attackers, having been used broadly for many years to penetrate organizations and systems.
Spear phishing is a derivative of common phishing schemes. In spear phishing, the target is much more defined and narrow than regular phishing schemes. Regular phishing schemes often target consumers, while spear phishing schemes target high-value management or other organizational leadership that are likely to have access to highly sensitive information.
In spear phishing, the target recipients are chosen by attackers who perform reconnaissance via social media sites such as LinkedIn and Facebook to determine what sorts of systems or data the target may be privy to. The targets are then sent “spoofed” emails, which appear to come from a trusted source (a colleague, a vendor, an executive) and are designed to trick the target into treating the message as legitimate. These emails are often very cleverly and professionally crafted, and at a quick glance to an untrained eye can look just like a genuine email. The message usually carries an attachment containing malware or a link to a malicious site; opening the attachment or following the link typically installs a trojan or other malware on the target’s machine, giving the attacker a foothold from which the target and the target’s network can be further attacked and exploited.
There are many steps that an organization can take to help prevent or detect, and ultimately minimize, the effects of these sorts of attacks. A defense-in-depth strategy is recommended; no single control should be relied upon to mitigate the risk of this sort of attack.
- Have an inherent distrust of unsolicited email. Users should be trained to recognize these situations and to give every unsolicited email a second thought before clicking a link or opening an attachment.
- Don’t click on links or open attachments in unsolicited email. Until the sender has been verified as legitimate, users should be instructed not to click on links or open attachments.
- Fine-tune the spam and antivirus filters. Work with security and IT administrators to ensure that spam and antivirus filters check source addresses, scan attachments, examine link destinations, and so on.
- Configure email clients for security. Email clients can often be configured to be more secure; for instance, the default email reader can be set to disable links and to display messages in “text only” mode rather than the default HTML format, so that a link’s real destination is visible and active content is not rendered.
- Install personal firewalls. Personal firewalls won’t stop a spear phishing email from arriving, but they can help detect some of the ill effects of a virus or trojan once it has been installed on a PC, such as unexpected outbound connections.
- Install antivirus and keep it up to date. Antivirus solutions should be installed on all PCs and kept current. Remember, antivirus solutions are only as good as their threat definitions and the administrators who maintain them.
- Install data loss prevention tools. Data loss prevention (DLP) tools analyze network traffic before it leaves the premises, so if an attacker is quietly collecting information and sending it out over the network, DLP tools can help spot that activity.
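The three filter checks named above (source addresses, link destinations, attachments) can be prototyped in a few dozen lines, and doing so also shows why the “text only” setting matters: in a rendered HTML message the visible link text and the real href can disagree. The following is an added example, not code from the original post or from Schneider Downs, written for this page. It parses a constructed sample message with Python’s standard library and reports the indicators described above; the domains, filenames, and the risky-extension list are assumptions for illustration, not data from the indictment.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed, illustrative list of attachment extensions that commonly carry a dropper.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".jar", ".bat", ".cmd", ".hta", ".docm", ".xlsm"}

# Constructed sample, not a real message; every domain is hypothetical. The display name
# claims one domain while the real sender is another, Reply-To goes to a third, the HTML
# link text disagrees with its href, and the attachment hides .exe behind .pdf.
SAMPLE_EMAIL = b"""\
From: "ceo@acme-corp.example" <ceo@acme-corp-mail.example>
Reply-To: hr-desk@free-mail.example
Subject: Q3 numbers before the board call
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review the attached figures and confirm on
<a href="http://acme-corp-login.example/q3">https://portal.acme-corp.example/q3</a>.</p></body></html>

--b1
Content-Type: application/octet-stream; name="Q3_figures.pdf.exe"
Content-Disposition: attachment; filename="Q3_figures.pdf.exe"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXIgcGF5bG9hZA==
--b1--
"""


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def hostname_shown(text):
    """Hostname if the text looks like a URL or bare host (one token containing a dot), else None."""
    if len(text.split()) != 1:
        return None
    try:
        host = urlparse(text if "://" in text else "http://" + text).hostname
    except ValueError:
        return None
    return host.lower() if host and "." in host else None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_message(raw):
    """Return a list of findings (strings) for one raw RFC 822 message given as bytes."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    # 1. Source address: a display name embedding a different address, or Reply-To on another domain.
    name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(from_addr)
    for claimed in re.findall(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", name):
        if domain_of(claimed) != from_dom:
            findings.append(f"display name claims {claimed} but sender is {from_addr}")
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain {from_dom}")
    # 2. Link destinations in the HTML part (what a rendering client shows): text host vs. href host.
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        collector = LinkCollector()
        collector.feed(html.get_content())
        for href, text in collector.links:
            shown, actual = hostname_shown(text), hostname_shown(href)
            if shown and actual and shown != actual:
                findings.append(f"link text shows {shown} but points to {actual}")
    # 3. Attachments: risky extension, possibly disguised by a double extension such as .pdf.exe.
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        pieces = fname.split(".")
        ext = "." + pieces[-1] if len(pieces) > 1 else ""
        if ext in RISKY_EXTENSIONS:
            note = " hidden behind a double extension" if len(pieces) > 2 else ""
            findings.append(f"attachment {fname} has risky extension {ext}{note}")
    return findings


if __name__ == "__main__":
    for finding in analyze_message(SAMPLE_EMAIL):
        print(finding)
```

Run against the sample this prints four findings, one per indicator. These heuristics are deliberately simple and will produce false positives on legitimate mail (a vendor whose Reply-To is a ticketing domain, for instance), which is why the list above says to tune the filters with the administrators rather than to block on any single signal; they are meant as a starting point for a gateway rule or a triage script, not a replacement for a commercial filter.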
When an attack like this hits so close to home, it is a stark reminder that these sorts of attacks and attempts to gain unauthorized access to systems are a major risk for any organization that has:
- a competitive advantage that they may want to keep secret;
- trade secrets that need to be protected;
- upcoming merger and acquisition activity that needs to be kept confidential;
- sensitive data that needs to be protected;
- And the list can go on and on…
Management and internal audit should continually collaborate with the information security department to ensure that the organization has sufficient controls in place to prevent or detect these sorts of situations. Regular audits of the information security function are a good way to confirm that the information security program and its activities remain effective over time.
For more information on how Schneider Downs can assist you or your company with protecting your network, contact Eric Wright at 412-697-5328 | firstname.lastname@example.org or Dan Desko at 412-697-5285 | email@example.com.
© 2014 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.