Bear vs. Donkey - The Russian Bears Breach the DNC Servers

July 6, 2016 Kent Blackwell

Activities related to Russian espionage could be found nearly everywhere in the past month. First, it was the season finale of “The Americans”, then an NPR story on the evolution of Russian espionage, and finally it was revealed that the servers of the Democratic National Committee (DNC) had been breached by multiple Russian actors. Technical details about the attack remain scarce, but opinions are plentiful. Some attempts at attribution have placed the blame on traditional espionage by Russian intelligence assets, while individual actors have also claimed responsibility. In particular, an individual named “Guccifer 2.0” claimed responsibility for the hack and offered files stolen from the DNC as proof. In the coming weeks a more complete timeline will emerge, and more details about the vulnerability used to gain a foothold in the network will be revealed. It may be that more than one entity had access to the DNC data. In all likelihood, the vulnerability that provided the initial access will be one of a few common methods malicious actors use to gain access to a target network. Let’s look at some of the vulnerabilities that could be to blame and talk about what your company can do to prevent these kinds of attacks from happening to your networks.

The most likely possibility for the initial breach is a phishing attack. It remains a perennial favorite of hackers: it’s cheap, easy, and has a great return on time invested. When most people think of phishing attacks they think of a poorly worded email from a “Nigerian prince” or a suspicious request from your “bank”. These kinds of phishing emails are commonplace, but they’re not the real threat. Spear phishing involves sending uniquely targeted emails to specific people who have access to the desired network. These kinds of attacks are much harder to distinguish and can fool even the most seasoned office workers. Companies tend to emphasize a “hard outside, chewy inside” security strategy. While effective at mitigating a great many potential vulnerabilities, it also means an attacker usually only needs a single attack to work. All it takes is one phishing email being opened to bring down an entire network.

Another possibility is that a vulnerable system was exploited to give the attacker access. This could be a web server that was compromised or an infected Word file sent as part of a phishing campaign. Zero-day vulnerabilities in Microsoft Word and Excel have been used before by nation-state actors. If this is indeed the vector used, it lends validity to the idea that Russian actors carried out the attack. A lone wolf would be less likely to use such a zero-day, as the cost to purchase one is prohibitive and the return on it is minimal.

A less likely, but still possible, vector is that someone with access to the DNC networks had their credentials stolen in some way. It could have been through an unrelated phishing attack, a keylogger installed on a machine they used, or a Man-in-the-Middle (MitM) attack at their favorite coffee shop that captured the credentials in transit. In any case, once the attacker had valid credentials they would have established a persistent foothold that didn’t rely on a username and password that could change at any minute.

So what can you do to make sure your company isn’t making waves on Twitter for all the wrong reasons? While a thousand-word blog post isn’t going to be able to detail every single security best practice, we can hit some higher-level points. In the case of phishing, here are some mitigation strategies.

  • Training, training, training. Ultimately the last line of defense against any social engineering attack, phishing or otherwise, is going to be your users. If your company’s “security training” is a PowerPoint slide deck that gets dusted off annually to update the stock photos of men in masks hunched over a laptop, then it’s probably time to step things up.
  • Review all publicly available information to determine what an attacker could use to generate authentic-looking emails. Open source intelligence is a gold mine for an adversary looking to put together a few phishing campaigns.
  • The most important? Assume your adversary will succeed. Eventually one of your users will absentmindedly open that Word doc, run the macro, and get his or her box compromised. When you plan your internal security strategy around this idea, you’ll start to see how many different threats your network truly faces.

How can you protect your critical systems if you don’t even know they’re vulnerable? If an attacker is willing to burn a zero-day vulnerability on your network, do you even have a chance at stopping them? Well, of course!

  • Patch and update. Those three words can prevent most security breaches if done correctly. Having your network compromised because a skilled attacker chained together multiple exploits is unpleasant. Having your network compromised because of the JBoss server that hasn’t been patched in three years is embarrassing.
  • A robust logging and monitoring solution makes responding to compromised systems a great deal easier. When you know exactly what got hit, when, and what happened after the attacker got control, cleanup can be significantly easier. It’s certainly easier than having to dig through the Windows event logs on every server trying to trace the attacker back to whatever system was initially compromised.

Working from home or on the road is now commonplace in many organizations. While the flexibility makes it easier for employees to get work done, it also adds a number of new risks. Using public WiFi networks is a lot like using a sketchy-looking gas station bathroom: you do it as little as possible and don’t touch anything.

  • What’s the best way to mitigate potential damage from credential theft? Mandatory two-factor authentication. Sure, you might hear some grumbles, and it adds a few calls to the helpdesk, but this one action can mitigate a host of threats. Suddenly those credentials go from a front door key to just one piece of the puzzle.
  • Whenever you connect to an untrusted network (be it wireless or wired) you should always use a VPN. This passes all of your traffic over an encrypted tunnel and protects against prying eyes looking for anything of interest.
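As an added example of the two-factor point above (not code from the original post), here is a server-side login check that requires both a password and a time-based one-time password (TOTP, RFC 6238). The user record, salt and password are constructed for the example; the TOTP secret is the well-known RFC 6238 test-vector secret so the generated codes can be checked against published values. A stolen password hash, or a password captured on the wire, passes the first check but still fails the second.

```python
"""Password plus TOTP login check (added example, not the post's code).

Shows why a captured password alone stops being a 'front door key' once a
second factor is required. TOTP/HOTP follow RFC 6238 / RFC 4226 exactly.
"""
import hashlib
import hmac
import struct
import time

TIME_STEP = 30   # seconds per TOTP period
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a 31-bit integer, reduced to N digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TIME_STEP) -> str:
    """TOTP (RFC 6238): HOTP with the counter = Unix time // step."""
    return hotp(secret, at // step)


class TotpVerifier:
    """Server-side check with a small clock-skew window and replay protection."""

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew = skew_steps
        self.last_accepted_step = -1   # never accept a step already used

    def verify(self, submitted: str, at=None) -> bool:
        now = int(time.time()) if at is None else at
        current = now // TIME_STEP
        for step in range(current - self.skew, current + self.skew + 1):
            if step <= self.last_accepted_step:
                continue   # replayed or older code: reject
            if hmac.compare_digest(hotp(self.secret, step), submitted):
                self.last_accepted_step = step
                return True
        return False


# Constructed demo user record. The TOTP secret must be stored with at
# least as much care as the password hash; here it is the RFC 6238 test
# secret so the codes are checkable against the RFC's published values.
SALT = b"constructed-salt-value"


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


USER = {
    "pw_hash": hash_password("Spring2016!"),          # constructed password
    "totp_secret": b"12345678901234567890",           # RFC 6238 test secret
}


def login(user: dict, password: str, verifier: TotpVerifier, code: str, at=None) -> bool:
    """Both factors are evaluated; the result is True only if both pass."""
    pw_ok = hmac.compare_digest(hash_password(password), user["pw_hash"])
    code_ok = verifier.verify(code, at)
    return pw_ok and code_ok


if __name__ == "__main__":
    v = TotpVerifier(USER["totp_secret"])
    print("current code:", totp(USER["totp_secret"], int(time.time())))
    print("password only:", login(USER, "Spring2016!", v, "000000"))
```

The verifier evaluates the TOTP even when the password is wrong, so a failed attempt reveals nothing about which factor was bad, and it records the last accepted time step so a code intercepted by a MitM cannot be replayed within its validity window.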

While it may be far too early in the timeline of the DNC hack to have any concrete details, it’s not too early to start reviewing where information security falls on your priority list. Is security at the forefront of your business decision-making process, or is it an afterthought, tacked on after the fact and only given any thought when the auditors come knocking? Instilling the importance of security in all users and making it part of the corporate culture is the best way to ensure your company isn’t the latest victim of data theft.



About the Author

Kent Blackwell

Kent Blackwell is a Manager with Schellman. Kent has over 9 years of experience serving clients in a multitude of industries, including the Department of Defense and top cloud service providers. In this position, Kent leads test efforts against clients’ web applications, networks, and employees through social engineering campaigns. Additionally, Kent works with Schellman’s FedRAMP and PCI teams to ensure customers’ compliance needs are met in a secure and logical manner.
