After the last US election, the Internet landscape has changed into a hyper-political platform. Although news of Russia versus America is much more prevalent these days, there has long been a cyber war between these two countries. The latest cyber warfare stems from a Russian hacking group named APT28 that used a form of spear phishing in an attempt to steal login credentials from high-ranking politicians and possibly install malware on US government officials’ computers. The fraudulent sites were uncovered by Microsoft’s Digital Crimes Unit and transferred to a sandbox network where they can be researched further, but the attack shows the lengths to which government entities will go to manipulate a country’s politics.
Spear Phishing for Login Credentials
When government entities get involved with hacking, the US, Russia, and China are usually among the bad actors. Take a look at Norse, a dedicated threat intelligence network that tracks common cyber attacks across the globe. The largest share of attacks comes from the US, China and Russia. Norse’s live visual map shows threats aimed nonstop at many of the big cities in these countries. This map gives an eye-opening look at the constant state of attacks between countries, and it represents the constant flow of cyber warfare that exists on today’s Internet.
Although Norse shows the common state of cyber security today, it’s unable to detect one of the biggest threats to everyday consumers and government officials – phishing. With spear phishing, attacks are much more subtle and can’t be tracked in the same way as others. A website is set up, its code emulates the official site, and emails are sent to specific people targeted by the attacker. These attacks are especially potent due to their ability to steal executive credentials, install malware, and possibly give the attacker free rein over critical systems.
Many people think of phishing as a low-level attack to steal social media accounts, but this type of attack is a bigger threat than just a way to deface a Facebook wall. It’s normally used in conjunction with some other type of attack such as malware installation. One example of this was the Russian hackers’ attack on Ukrainian infrastructure in 2015. The attack started with a spear phishing campaign and resulted in the shutdown of Ukrainian power grids using malware called BlackEnergy3. Twenty-four regions of Ukraine were left without power in an unprecedented attack not just on a country but on a country’s critical infrastructure.
In the latest spear phishing attack, it appears that focus was on credentials for US government officials. The sites affected were the Hudson Institute (a conservative site focusing on Russian corruption), the International Republican Institute (a group dedicated to promoting worldwide democracy), and three other sites related to the US Senate.
After the sites are set up, attackers send targeted emails either to the people whose credentials they truly want or to people whose credentials could be used to gain escalated privileges. Social engineering is also common with these types of attacks. Executives can be more aware of the possibility of a phishing attack, so attackers use social media in a reconnaissance effort to get more details about their targets. They use these details to gain the trust of executives and others in control of data. Once trust is gained, they trick executives or other privileged users into installing software or even wiring money to the attacker’s account.
With the creation of government lookalike sites mirroring reliable websites, the attackers’ goals in this latest attack are still unclear. Microsoft has not released more information about the incident, but researchers were able to obtain a court order to seize the domains and have them transferred to the tech giant’s own servers. Although the announcement is recent, Microsoft indicated that it had conducted its investigation over the course of several months.
Although APT28’s main goal is unclear, it can be concluded that the effort was made to phish user credentials. APT28 is a well-known Russian military intelligence agency that specializes in hacking government entities and promoting information warfare. Security experts have blamed this group for the hacking of Podesta’s emails during the US presidential election.
One theory that would mimic the Podesta email theft is that the websites were not just created to steal credentials but to also install malware on government official computers. It’s not uncommon for attackers to send emails to specific targets and trick them into installing malware.
In the Podesta incident, a fake security warning was displayed, tricking the campaign chairman into installing malware. These popups are common even on legitimate sites that carry malicious ads. Users click these ads thinking they are downloading an official update, but instead it’s malware that can be used to take over a machine, steal data, or deploy ransomware for financial gain. Adobe Flash is widely used on top of fake video pages promising content to the user only after downloading a fraudulent.
How to Check If a Website is Safe
Cyber security researchers spend their days finding and investigating malicious sites, but the general public can also take precautions before submitting information to a website or downloading executable software. Anyone online should practice online safety, but Russian hackers can be especially good at masking the true purpose of a site. One way they mask a fraudulent site’s intention is to steal the HTML, CSS, images and content from the official site and use it to build the scam website.
There are several ways a consumer can manually perform a website trust check and verify website authenticity. These Internet safety tips can also be applied with kids to promote Internet safety for kids.
Check the SSL/TLS certificate: In the address bar of a web browser, a lock is shown when a site uses encrypted data transfer. Encrypting data transfer is one way to create a safer web and protect against a data breach caused by traffic interception. If a site does not have an SSL/TLS certificate installed, it could be a scam site. View the certificate information and ensure it matches the domain owner.
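As an added example (not code from the original article), here is the check behind "ensure it matches the domain owner" in Python. It matches a hostname against the DNS names in a certificate, using the same dictionary shape that Python's ssl.getpeercert() returns, and then separately asks whether that hostname is the official domain. The two sample certificates and the official-domain list are constructed for this example; the point they make is that a lookalike site can present a perfectly valid certificate for its own domain, so the lock alone does not prove a site is genuine.

```python
# Added example: does the certificate cover the host you are visiting, and is
# that host the official domain? The sample certificates below are constructed
# in the dict shape ssl.getpeercert() returns; they are not real certificates.
import socket
import ssl


def name_matches(pattern, hostname):
    """True if a certificate DNS name (possibly '*.example.gov') covers hostname.
    A wildcard stands in for exactly one non-empty leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")[1:]
    h_labels = hostname.split(".")
    return (len(h_labels) == len(p_labels) + 1
            and h_labels[0] != ""
            and h_labels[1:] == p_labels)


def cert_matches_host(cert, hostname):
    """Check hostname against the subjectAltName DNS entries; fall back to the
    subject commonName only when the certificate has no SAN list."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [value for rdn in cert.get("subject", ())
                 for kind, value in rdn if kind == "commonName"]
    return any(name_matches(name, hostname) for name in names)


def site_verdict(hostname, cert, official_domains):
    """The browser lock only says the certificate matches the host you connected
    to. The second test, whether that host is the official domain, is the one
    that catches a lookalike site carrying its own valid certificate."""
    if not cert_matches_host(cert, hostname):
        return "no valid certificate for this host"
    registered = ".".join(hostname.lower().rstrip(".").split(".")[-2:])
    if registered not in official_domains:
        return "valid certificate, but the domain is not the official one"
    return "valid certificate for the official domain"


def fetch_cert(hostname, port=443, timeout=5):
    """Fetch the certificate a live server presents (needs network; not used by
    the offline samples). The default context already verifies the chain and
    the hostname, so a mismatch raises ssl.SSLCertVerificationError here."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample data: a certificate for a made-up official site, and one a
# lookalike site could legitimately obtain for its own domain.
OFFICIAL_DOMAINS = {"example-senate.gov"}
OFFICIAL_CERT = {
    "subject": ((("commonName", "www.example-senate.gov"),),),
    "subjectAltName": (("DNS", "www.example-senate.gov"), ("DNS", "example-senate.gov")),
}
LOOKALIKE_CERT = {
    "subject": ((("commonName", "example-senate-gov.com"),),),
    "subjectAltName": (("DNS", "*.example-senate-gov.com"), ("DNS", "example-senate-gov.com")),
}

if __name__ == "__main__":
    for host, cert in [("www.example-senate.gov", OFFICIAL_CERT),
                       ("login.example-senate-gov.com", LOOKALIKE_CERT),
                       ("www.example-senate.gov", LOOKALIKE_CERT)]:
        print(f"{host}: {site_verdict(host, cert, OFFICIAL_DOMAINS)}")
```

The second sample run is the case the lock cannot help with: the lookalike host passes the certificate check because the certificate really was issued for example-senate-gov.com, and only the comparison against the official domain list flags it.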
Practice click safety with emails: Attackers use phishing emails in the majority of these cyber security incidents. An email is sent with a link to a site that hosts malware or is used to steal login credentials. Some attackers will hack the email accounts of friends or relatives and then use those accounts to send you the phishing message. A link is left for you to click, and it’s a natural habit for many users to click the link and think about the consequences later.
Some email providers have algorithms that work to detect these phishing emails and block them from your inbox. Sophisticated attacks will even use spoofed sender addresses or ones that are close in spelling to an official email domain. All of these are difficult to detect, but hovering your mouse pointer over a link included in a message can give clues to the true destination.
By hovering over the link, you can see the target URL. This URL is usually a subdomain or third-party domain that can be identified as a scam site unrelated to the official site. Be careful of slight typos. Some attackers create domains that are closely spelled to an official site including government websites.
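The link-hover checks in the three paragraphs above (a target domain unrelated to the official site, the official name buried as a subdomain, and slight misspellings) can be applied to an email automatically. The following Python is an added example, not part of the original article: it pulls every link out of a constructed sample HTML email, compares the visible link text with the real target, and flags registered domains that imitate an official one. The official-domain list, the homoglyph table and the sample message are constructed assumptions, and the registered-domain helper keeps only the last two labels, which is enough for these samples but is not a substitute for the Public Suffix List.

```python
# Added example: extract the links from an HTML email and flag the lookalike
# tricks described above. Domain lists and the sample message are constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed: the domains this check treats as legitimate.
OFFICIAL_DOMAINS = {"example-senate.gov", "example-institute.org"}
# Constructed subset of character swaps that imitate a name at a glance.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


class _LinkParser(HTMLParser):
    # Collect (href, visible text) for every <a> element in the message.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname: fine for the .gov/.org/.com samples here,
    but a real tool would consult the Public Suffix List instead."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def levenshtein(a, b):
    # Plain edit distance, used to spot one- or two-character misspellings.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reasons(host):
    """Why a hostname resembles one of OFFICIAL_DOMAINS without being one."""
    host = host.lower().rstrip(".")
    labels, registered = host.split("."), registered_domain(host)
    if registered in OFFICIAL_DOMAINS:
        return []
    brand = registered.split(".")[0]
    normalized = brand
    for fake, real in HOMOGLYPHS:
        normalized = normalized.replace(fake, real)
    reasons = []
    for official in sorted(OFFICIAL_DOMAINS):
        official_brand = official.split(".")[0]
        if official_brand in labels[:-2]:
            reasons.append(f"official name {official_brand} used as a subdomain of {registered}")
        elif normalized == official_brand and brand != official_brand:
            reasons.append(f"homoglyph of {official}")
        elif brand == official_brand:
            reasons.append(f"same name as {official} but different top-level domain")
        elif levenshtein(brand, official_brand) <= 2:
            reasons.append(f"typosquat of {official}")
    return reasons


def display_mismatch(href_host, text):
    """Flag a link whose visible text names a domain the href does not go to."""
    match = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if not match:
        return None
    shown = registered_domain(match.group(1))
    if shown != registered_domain(href_host):
        return f"text shows {shown} but link goes to {href_host}"
    return None


def analyze_email(html):
    """One finding per link: href, visible text, host and a list of flags."""
    parser = _LinkParser()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlsplit(href).hostname or ""
        flags = lookalike_reasons(host)
        mismatch = display_mismatch(host, text)
        if mismatch:
            flags.append(mismatch)
        findings.append({"href": href, "text": text, "host": host, "flags": flags})
    return findings


# Constructed sample message: one subdomain trick, one homoglyph, one real link.
SAMPLE_EMAIL = """<html><body>
<p><a href="https://example-senate.gov.account-verify.com/login">https://example-senate.gov/login</a></p>
<p>If that fails, <a href="https://exarnple-senate.com/login">reset it here</a>.</p>
<p>Thursday agenda: <a href="https://www.example-senate.gov/agenda">www.example-senate.gov/agenda</a></p>
</body></html>"""

if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_EMAIL):
        print(finding["host"], "->", finding["flags"] or ["no issues found"])
```

The first sample link is caught twice: the visible text claims example-senate.gov while the href resolves to account-verify.com, and the official name appears only as a subdomain. The second is the "rn" for "m" swap that is easy to miss when hovering; the third is a genuine link and produces no flags.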
Use a website that can check such information, such as WOT. Powered by a global community of over 140 million people, WOT checks every website before you visit it to let you know its safety and security rating.
You can find tools that perform a website security check to help find scam websites. Sucuri Site Check has a scam adviser that scans a URL for any malware present. Norton has a Safe Web crawler that provides a rating for a URL to help you detect malicious sites.
These website safety tools are beneficial, but you should still be cautious when browsing a domain that you don’t recognize. Even popular sites can be hacked and data breached using code injection malware running on web servers. Although it’s less common than a phishing attack, it’s always a concern for webmasters tasked with protecting web applications from outsider risks.
The American versus Russian cyber war is likely to continue, and citizens of both countries could get caught in the crossfire. Always be aware of the domain that you’re browsing, and be suspicious of any link that you see in an email message. With some Internet-savvy security precautions, you can avoid the common pitfalls of phishing and malware.