Experts describe the battle between spies and DNC researchers as ordinary citizens doing hand-to-hand combat with trained military officers.
That sinking feeling—when you realize everything secret you’ve said for the past year has been seen and stolen.
That feeling may be even more intense when you work for a national political party, ferreting out information on your opponents.
A cybersecurity company says two different sets of spies hacked into the Democratic National Committee’s computers—in one case reading e-mails and chats for a year, in another, swiping the dirt the Democrats dug up on Donald Trump.
National groups and companies need to do a better job of protecting their valuables from thieves, some security professionals say.
“What truly concerns me is that there are a number of organizations like the DNC who have an information asset that lacks a sufficiently sized and capable maintenance team,” said James Arlen with Leviathan Security.
“As if you owned a Ferrari and took it to the 20-minute Lube-in-a-Hurry shop for all of its maintenance,” he added. “Sure, it would work—for a while—but it would not be a solution that could be described as taking good care of the car.”
Some may not recognize that their data is a valuable asset, according to Arlen.
“This is a clear example of that type of problem—not spending on the maintenance of the information asset because it doesn’t have a value ascribed to it by the accountants,” he told Archer News. “It’s not an asset on the balance sheet and therefore it isn’t an asset.”
Bear vs. Donkey
The company that reported finding and eradicating the spies from the DNC networks said the hackers appear to be Russian.
“In fact, our team considers them some of the best adversaries out of all the numerous nation-state, criminal and hacktivist/terrorist groups we encounter on a daily basis,” wrote Dmitri Alperovitch, co-founder of CrowdStrike, in a post about the attack.
“Both adversaries engage in extensive political and economic espionage for the benefit of the government of the Russian Federation and are believed to be closely linked to the Russian government’s powerful and highly capable intelligence services,” he said.
One of the groups, called Fancy Bear and also known as Sofacy, Pawn Storm or APT 28, got into DNC computers in April and reportedly went straight for the Trump research. The group has targeted aerospace, defense, energy, government and media in the past, according to Alperovitch. Other security companies warned about the group in December.
The other group, called Cozy Bear and also known as CozyDuke or APT 29, infiltrated DNC networks last summer and reportedly monitored e-mail and chats for a year. The same group hacked the White House and State Department last year, CrowdStrike said.
The Russian government says it’s not them.
“I completely rule out a possibility that the [Russian] government or the government bodies have been involved in this,” Kremlin spokesperson Dmitry Peskov told Reuters.
U.S. elections hold critical interest for both hostile and friendly countries, Alperovitch said.
“The 2016 presidential election has the world’s attention, and leaders of other states are anxiously watching and planning for possible outcomes,” he said. “Attacks against electoral candidates and the parties they represent are likely to continue up until the election in November.”
Not just candidates & parties
The major political parties are not the only ones who need to watch for e-mail hackers and info thieves.
“Yes, assume there are threat actors who have an interest in your organization,” said Barry Greene with Senki. “They may be criminals, nation-state, corporate intelligence, or some sort of civic advocate. They can be based anywhere in the world.”
It is a mistake to think that all of your electronic messages are private. E-mail is like a postcard, said Arlen, and you should expect that someone can and will read the content.
“I’ve been an active email user since 1990 and I’ve always assumed that my e-mail will be read,” he said. “I think that in a post-Snowden world, it is a reasonable assumption that if the possibility for interception exists, someone is intercepting.”
You will need to use some kind of encryption to make your e-mails private, Arlen explained. “If you want secure communications, you’re responsible for provisioning it yourself—you’d best be using PGP/GPG or an equivalent variant—Signal.” PGP, GPG and Signal are all ways you can encrypt your communications.
Getting in
The spies may have gotten in by sending phishing e-mails that lured people into opening attachments or clicking on links.
The DNC found out about the April intrusion and called a DNC attorney, the Washington Post reported. The attorney knew people at CrowdStrike and contacted them for help. Soon, CrowdStrike was on the system analyzing the problem, and the bad guys were removed over the past weekend.
“When we discovered the intrusion, we treated this like the serious incident it is,” said Rep. Debbie Wasserman Schultz, chairwoman of the DNC, according to Reuters. “Our team moved as quickly as possible to kick out the intruders and secure our network.”
Experts say organizations can and should prepare for these kinds of attacks ahead of time.
“The key is to prepare before ‘S#$% hits the fan,’” Greene told Archer News. “The preparation does not have to be perfect, but it provides a guide in the crisis. Our industry problem is that many organizations do not have a crisis security plan. They get blindsided.”
“In a situation where you have an incident—like DNC—then you pull in all resources,” he added. “If you are prepared, then you would know who to call.”
Almost unbelievable
Some on Capitol Hill had trouble believing this hack actually happened.
Reporters asked Trump critic Sen. Lindsey Graham (R-S.C.) for his take on the hack.
“Are you making that s–t up?” Graham asked, according to Talking Points Memo.
But officials confirm that it is true. The goal may not be to influence the election, but to learn more about the person who may become president, some say.
“The purpose of such intelligence gathering is to understand the target’s proclivities,” Robert Deitz, a former general counsel at the National Security Agency, said in the Washington Post.
“Trump’s foreign investments, for example, would be relevant to understanding how he would deal with countries where he has those investments” should he be elected, Deitz explained in the Post. “They may provide tips for understanding his style of negotiating. In short, this sort of intelligence could be used by Russia, for example, to indicate where it can get away with foreign adventurism.”
The Trump and Hillary Clinton campaigns were also targeted, the Post reported.
“This is a sophisticated foreign intelligence service with a lot of time, a lot of resources, and is interested in targeting the U.S. political system,” said Shawn Henry, president of CrowdStrike, in the article.
“You’ve got ordinary citizens who are doing hand-to-hand combat with trained military officers,” he said. “And that’s an untenable situation.”
Hand-to-hand combat
The situation may look bleak.
“Many—or even most—organizations simply do not have a sufficient level of sophistication that would enable a reasonable response to this sort of intrusion,” said Arlen.
But you can take steps to protect your company, said Greene.
“Step one—don’t panic,” he said.
“Step two—don’t go hire lots of security consultants and buy security products,” he added. “Give your own team time to focus on security.”
Give the team time to come up with a plan, he said.
“What they see as the security priorities, what can be done right now, what gaps exist in the company, and what needs to be explored,” he explained.
Step three, Greene said, is for management to bring in outside help to address the issues the team brings up, as well as add their own view.
“The work from the internal team will provide an initial guide,” he said. “Outside help will point out areas that are missed, gaps and solutions. But it is far cheaper and more effective to have the outside help use the work generated by the existing team.”