That’s right; this is only the first stage of a multi-stage cyber attack. This is only the information gathering stage. The Chinese government hackers have done this all before. No, they probably don’t want to use this information to make credit cards to buy Hello Kitty products on Amazon. This is a cyber espionage attack pure and simple. As I stated in a previous post on the onslaught of attacks on the Department of Veterans Affairs, it was always just a matter of time.
So what happens next? Well, it appears that these hackers are building up a huge database of information that they can use to get the real work done; stealing secret information that they can use for their own purposes. The BBC reported that spam started to appear in employees’ email, indicating that the attack had compromised spam filters on government servers. This may, in fact, be true since the Office of Personnel Management (OPM) warned its employees to beware of phishing or spear phishing attacks. (“If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly…Take advantage of any anti-phishing features offered by your email client and web browser.”) Normal phishing attacks are a variation on spam which would target basic human interests such as promises of wealth or romance. If the servers were compromised, such attacks, which are normally blocked, would suddenly get through. The rest is up to human nature, which has been proven to be somewhat easily compromised in the past.
The real serious attacks one must be prepared for are the soon-to-be launched spear phishing attacks. My guess is the attackers have worked hard preparing them to look like legitimate emails that will appear to come from someone in authority. The emails will have the agency logo and format and may be nearly indistinguishable from the real thing. In fact, the attackers may have been waiting to be caught. Why? It’s good publicity for stage two of the attack. Expect to see emails that refer to the attack and that appear to address the receiver of the email personally. The email may refer to certain personal information such as the receiver’s social security number or other personally identifying information. This plus the emails perfect format, and the topic of the cyber attack may lower the receiver’s level of suspicion and persuade them to open a document or visit a website. Once they do, that’s the end of the game. Malware is installed and the entire network the user is connected to is shared with the attackers.
The main goal for the attackers is to get into an agency’s network to get to the truly valuable information. To do this they need to compromise an endpoint (smartphone, tablet, latptop), any endpoint will do. It only takes one trusting employee connected to a network to make the scheme work. The bad news is that the US government has numerous endpoints. It’s simply a matter of time. Since government networks are often connected, the attackers can eventually move from agency to agency, accumulating information until their no-doubt-well-hidden malware is detected. In fact, they may have already gotten what they came for.
All government employees in any government agency plus any contractors connected to government networks should be prepared for spear phishing attacks. This site will give anyone concerned a list of precautions to take. In addition, be extremely suspicious of any email with linguistic shortcomings. Oddly enough, this has more often than not been the Achilles heel of their spear phishing attacks. If you feel you may have already been compromised, be sure to inform someone. Don’t worry, you won’t be the first and you certainly won’t be the last.
The recent cyber attack on the US government proves conclusively that the only reliable protection for sensitive data is to make it physically inaccessible to attackers. This can be achieved through hardware separation at the endpoint. Check out how Inzero Systems developed a security architecture that did just this.