On July 13, Special Counsel Robert Mueller filed an indictment explaining how a group of Russian operatives who are part of the Internet Research Agency targeted the Democratic Party and the Hillary Clinton campaign, hacked into their computers and then stole vast quantities of data. The breach happened in March of 2016, and became the centerpiece of election news as breached emails started appearing on Wikileaks and other websites.
But beyond the emails themselves are the stories of how the data was exfiltrated and transferred out of the U.S., and how the Russian operatives tried to cover their tracks. This investigation then led to a second indictment related to the same Russians and their attempts to manipulate social media and create fake news to influence the 2016 U.S. presidential election.
Reading through the indictments reveals the same sort of hacking and social engineering activities that have been seen many times before, including phishing emails, the deciphering of insecure passwords and misdirection tactics. This is because state-sponsored actors and criminals are one and the same. Russian bad guys, like other cyber-criminals, make it a point to go after the people in an organization.
In the case of the Clinton campaign hack, the Russians sent a phishing email to campaign chairman John Podesta disguised to look like an official email from Google, asking him to change his Gmail password and offering a place to click. Podesta clicked, and that was all it took for the attackers to download tens of thousands of email messages.
Although you’re probably not a senior government official with a high-profile position, cyber-criminals will use the same tactics to steal your company’s money or intellectual property, and the results can be serious.
So what can you do? Start by defending your company and staff against phishing. Here are some key steps:
● Educate your employees about phishing emails, how to spot them, and what to do if they find one;
● Insist that your employees use strong, unique passwords for your email system;
● Avoid using public webmail services for critical communications, but if you must use them, insist that your employees use multifactor authentication; and
● Train your staff to expect attempts to subvert your procedures through actions such as phony requests to transfer money.
Attacks are getting more sophisticated and harder to prevent, but training and awareness can go a long way in reducing the success of the social engineering that hackers of all sorts depend on.