Why None of us are Above Cyber Attacks: How Hackers Broke into John Podesta and Colin Powell’s Gmail Accounts
It’s fair to say that when it comes to high profile cyber security failures, the past twelve months have seen more than their fair share.
As if the loss of customer data in TalkTalk-gate wasn’t enough, 2016 brought fresh attacks on the SWIFT (Society for Worldwide Interbank Financial Telecommunication) network, costing a number of banks both their reputations and tens of millions in losses. But why do security breaches keep befalling global giants who pump millions into their cyber security initiatives?
Organisations or individuals?
When reports of cyber-attacks hit the headlines, the press are quick to condemn the overarching failings of the organisations in question. Given that global consumer businesses are in possession of vast amounts of private customer data, it’s little wonder that the kneejerk reaction to security failures on this scale is anger. But with user error often relegated to a single line in damning press pieces, it’s easy to miss a common trend across many of these cases: that initial access to an otherwise secure system was granted by the accidental opening of an email, or a click on a seemingly innocuous link, by somebody within the organisation.
If we’re looking for evidence in support of this statement, all we need do is delve a little deeper into the mountain of reports into these instances that are available on the web. In fact, one report published earlier this year in the Federal Times noted that as much as fifty percent of all cyber breaches and data leaks can be attributed to human error.
In short, in this era of increasingly sophisticated cyber threats, a critical truth remains: your firewall can be as sophisticated as you like, but it means nothing if your people aren’t armed with the right knowledge.
Falling foul of cybercriminals can happen to anyone
In spite of the usual dialogue of blame that implies a certain ‘stupidity’ on the part of the staff in question, the reality of human-error data breaches is that they happen often enough to highlight a genuine problem with education around information security. There was perhaps a time when malicious phishing emails were laughably obvious, but with the ever-increasing sophistication of available technology, and smarter social engineering, falling foul of a cyber-attack can quite literally happen to anyone.
Never has this been illustrated more than by the recent email leaks from senior officials in Hillary Clinton’s US presidential election campaign.
Case in point: How hackers infiltrated the Clinton Clan
Back in March, John Podesta – former White House chief of staff and Chairman of the 2016 Clinton campaign – received an email that appeared to come from Google. It wasn’t until some months later, in October of this year, when hundreds of Podesta’s private personal emails began to appear on WikiLeaks, that officials were alerted to any data breach. Rather than a legitimate Google security alert, what Podesta had received was a well-disguised phishing message designed to dupe him into giving up the password to his Gmail account.
Of course when news of the hack broke, people were quick to point the finger at Russia. With mounting international tensions, and the profile of notorious hacking group Fancy Bears continuing to rise, such accusations were hardly unexpected.
The subsequent investigation into exactly where this particular email came from claimed to have traced the malicious URL contained within it to a single account on the popular URL shortening service, Bitly. Using a Bitly short-link, hackers concealed a longer link which, to the untrained eye, looked very much like a legitimate Google URL. Within this was a 30-character string that contained the encoded Gmail address of John Podesta.
The Bitly account used in this attack was found to be the very same one responsible for generating malicious short links used in a significant number of other hacks on members of the National Democratic Committee (including one on former Secretary of State Colin Powell, whose private emails later appeared on the website DC Leaks). Investigators at cyber firm SecureWorks also claimed to have been able to trace ownership of the Bitly account to a domain under the control of Fancy Bears when they discovered that privacy settings had not been activated on the account.
Using Bitly allowed third parties to see their entire campaign including all their targets – something you’d want to keep secret
– Tom Finney, Researcher at SecureWorks
“It’s unclear why the hackers used the encoded strings, which effectively reveal their targets to anyone,” said Kyle Ehmke, a threat intelligence researcher at security firm ThreatConnect. “[Perhaps] the strings might help them keep track of or better organize their operations, tailor credential harvesting pages to specific victims, monitor the effectiveness of their operations, or diffuse their operations against various targets across several URLs to facilitate continuity should one of the URLs be discovered.”
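The two traits described above (a host name dressed up to look like Google’s, and a per-target encoded address carried inside the link) are exactly what a defender can check once a short link has been expanded to its real destination. The following is an added example, not code from the original article or from any of the investigators quoted; it assumes the address is Base64-encoded (one common choice, and an assumption here) and uses a constructed sample address and look-alike host, not the real link from the incident.

```python
import base64
import re
from urllib.parse import parse_qsl, urlparse

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
B64_RE = re.compile(r"^[A-Za-z0-9+/_=-]{8,}$")

# Constructed sample: an invented address and an invented look-alike host.
# Neither is the real target nor the real link from the Podesta incident.
SAMPLE_EMAIL = "sample.user@gmail.com"
SAMPLE_TOKEN = base64.urlsafe_b64encode(SAMPLE_EMAIL.encode()).decode().rstrip("=")
SAMPLE_URL = (
    "https://myaccount.google.com-settings.example/ServiceLogin"
    f"?continue=https%3A%2F%2Fmail.google.com&id={SAMPLE_TOKEN}"
)


def decode_token(token):
    """Decode a (possibly unpadded, URL-safe or standard) Base64 token to text, else None."""
    if not B64_RE.match(token):
        return None
    padded = token + "=" * (-len(token) % 4)   # restore stripped '=' padding
    try:
        return base64.urlsafe_b64decode(padded).decode("utf-8")
    except ValueError:   # binascii.Error and UnicodeDecodeError both derive from ValueError
        return None


def find_encoded_emails(url):
    """Return (location, address) for each path segment or query value that decodes to an email."""
    parsed = urlparse(url)
    candidates = [("path", seg) for seg in parsed.path.split("/") if seg]
    candidates += [(f"query:{k}", v) for k, v in parse_qsl(parsed.query, keep_blank_values=True)]
    hits = []
    for where, token in candidates:
        decoded = decode_token(token)
        if decoded and EMAIL_RE.match(decoded):
            hits.append((where, decoded))
    return hits


def host_is_lookalike(url, brand="google", legit_domains=("google.com",)):
    """True when the host name mentions the brand but is not under one of its genuine domains."""
    host = (urlparse(url).hostname or "").lower()
    if any(host == d or host.endswith("." + d) for d in legit_domains):
        return False
    return brand in host


def assess(url):
    """Summarise both indicators for one expanded link (short-link expansion is assumed done)."""
    emails = find_encoded_emails(url)
    lookalike = host_is_lookalike(url)
    return {
        "lookalike_host": lookalike,
        "encoded_emails": emails,
        "suspicious": lookalike or bool(emails),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_URL))
```

A hit on either indicator is a reason to route the message to the security team rather than to the user’s own judgement, which is the gap the IT staff’s reply in this story illustrates.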
As it stands, investigators have drawn connections between nearly 9000 malicious phishing emails used to target 4000 individuals across the US and Europe – all seemingly originating from Fancy Bears. The Podesta hack was not the first time the Bears have made the headlines; their connections to the Kremlin have remained the subject of speculation for some time following their meteoric rise to media fame when they leaked documents from WADA (The World Anti-Doping Agency) incriminating American athletes. Whether there is any truth in claims of suspected Russian ties remains to be seen – but if the authorities are in possession of any hard evidence, such information is unsurprisingly not in the public domain.
The use of popular link shortening services such as Bitly or Tinyurl [that left an uncharacteristic trail] might have a simple explanation – the hackers probably wanted to make sure their phishing attempts went past their targets’ spam filters
– Thomas Rid, King’s College London
What we do know is that in Podesta’s case, something as simple as an apparently legitimate account security email led even one of the most tech-savvy figures down the rabbit hole.
Phishing emails that even evaded Clinton’s IT team
Perhaps the most surprising thing of all in this account is the fact that John Podesta did actually report the email to his IT officers as suspicious – and was reassured that the request to reset his password was indeed ‘legitimate’.
Clearly, Podesta had some awareness of phishing emails as a means to obtaining sensitive private data, but was ultimately still duped into giving hackers access to his account and surrendering sensitive private information to criminals.
Comment from Bitly
When tech reporters at Motherboard published their original series of articles covering the Clinton campaign hacks, they approached Bitly directly for comment. Their official reply, besides stating that they ‘can only do so much’ when it comes to preventing use of their services for unlawful or malicious purposes, read as follows:
“The links and accounts related to this situation were blocked as soon as we were informed. This is not an exploit of Bitly, but an unfortunate exploit of Internet users through social engineering. It serves as a reminder that even the savviest, most sceptical users can be vulnerable to opening unsolicited emails.”
– Bitly, speaking to Motherboard
Lessons learnt – how do businesses protect themselves against cybercrime?
Irrespective of their size or stature, no firm wants to fall foul of cybercriminals. The reality is that the ‘wolf-in-sheep’s-clothing’ analogy runs deep – within an organisation as high-profile as the Clinton camp, even seasoned IT security professionals were tricked into believing that a phishing email sent to one of their most prominent officials was legitimate.
As the tech world continues to advance, there will always be instances where data breaches and malicious attacks mounted on organisations by cybercriminals will be effective. That said, with an estimated fifty percent of cyber security breaches attributed to human error, businesses need to view the education of their entire workforce as a critical line in the defence against hackers and cybercrime.
“We are all vulnerable, regardless of role or seniority”, says Mark Logsdon, former Head of Cyber Security at AXELOS Global Best Practice. “The most effective way of managing this risk is via a good cyber awareness programme that promotes good cyber behaviours and teaches all staff about their role in maintaining the cyber resilience of the company.”
Still want more? Check out these other interesting resources
The fantastic original Motherboard article on the Podesta hack
Another piece on how Clinton’s IT team were duped by hackers
Interactive visualisation of the world’s biggest data breaches by sector/fault
Cyber Security Training from Unicorn in partnership with AXELOS GBP
Just last week we brought you news of a second high-profile cyber-attack on a major UK bank. With the Financial Services sector still reeling from the $81 million cyber heist involving Bangladesh Bank earlier this year, the second attack highlighted the growing need for increased cyber security across the industry.
With news that the Bank of England recently issued a request to all UK banks to redouble their security efforts when it came to all computers connected to the SWIFT messaging network, it’s obvious that cyber-crime is a very real threat to institutions across the board. “What we’re seeing is the very clear need for businesses to realise the potential cost of not only software security, but also cyber awareness among staff”, says Unicorn Training’s own Alex Prodromou. “With the increased sophistication of cyber-crime, more often than not hackers are able to access and wreak havoc across an organisation, simply because of the unwitting action of a member of staff who may have clicked on a phishing link, or opened an unsecured attachment.”
“Contrary to what we often read in the news, this isn’t anything to do with stupidity or negligence”, he continues; “but rather that organisations don’t always see the value in adopting a bottom-up approach, and educating staff about the potential threat posed by cyber-criminals.”
Indeed, the Bank of England’s alleged warning to the UK banks it regulates is the first of its kind: the first time a bank in a major economy has issued an alert of this nature.
It should be noted that the Bank of England – one of the central G10 banks responsible for co-overseeing Brussels-based SWIFT – had no comment. However, it is undeniable that the Bangladesh theft has sent shockwaves through the established money transfer service for both commercial and central banks across the globe.
One thing is for sure – cyber resilience remains one hot topic for the industry, and institutions of all sizes ought to be taking concrete steps to safeguard their interests. Talk to us today about RESILIA, powered by AXELOS, and learn how Unicorn can help safeguard your business against cyber-crime.
It’s been another eventful few months for high profile cybercrime. In the wake of last year’s very public TalkTalk hack, SWIFT (Society for Worldwide Interbank Financial Telecommunication) has this year reported not one, but two instances of devastating cyber-attacks that have targeted high profile organisations in the commercial banking sector.
Back in February, a cyber-attack aimed at stealing cash from Bangladesh’s central bank account at New York’s Federal Reserve was reported to have cost the organisation in the region of $81m (or £56m). In the investigation that followed, the extent of this attack was largely attributed to the central bank network’s lack of adequate security controls – including the fact that it had no functioning firewall, and that it was connecting to global financial networks using second-hand $10 internet routers.
Given the circumstances, it is incredibly fortunate that the bank’s total loss was in the region of millions, rather than the 1 billion dollars that the cyber-thieves were allegedly out to steal. It was later revealed that a simple spelling mistake in one of the transfer orders was what had alerted staff to the attack, and stopped much of the money going astray.
However, to think that cyber criminals are only out to target financial institutions whose systems are clearly substandard would be a grave misconception. Last week, SWIFT reported a second attack that targeted a commercial bank in a similar manner. Although SWIFT and the wider media have not as yet revealed the organisation in question – or indeed whether any money has actually been taken – SWIFT did report that the techniques employed in this attack bore a remarkable resemblance to those used in the February attack on the Bangladesh central bank. What this shows us is that these attacks are not isolated in nature, but rather what SWIFT called “part of a wider and highly adaptive campaign targeting banks” that exhibits a “deep and sophisticated knowledge of specific operational controls.”
“We are all vulnerable, regardless of role or seniority. An effective way of managing this risk is via a good cyber awareness programme that promotes good cyber behaviours and teaches all staff about their role in maintaining the cyber resilience of the company.”
– Mark Logsdon, AXELOS Cyber Security
As the growing prevalence of cyber-attacks such as these proves, cyber resilience rightly remains a hot topic for financial institutions. Mark Logsdon from our Cyber Security training partner, AXELOS, says: “The details of these high profile attacks remain subject to speculation, however they appear to be very similar to that carried out on Sumitomo Mitsui Banking Corporation (SMBC) in London back in 2005. In that attack criminals sought to create a series of SWIFT money transfer orders with an estimated value of £220M. Similar to these recent attacks they were only foiled by a combination of a vigilant member of staff and a simple error in the transfer order.
“An effective and consistent controls environment is key to preventing cyber-attacks”, he continues, “including those that are far less sophisticated than this one. This includes technology, process and critically people based controls. We know that over 90% of all cyber-attacks start with the unwitting action of a member of staff, i.e. they click on a link, open up an attachment contained in an email or innocently provide a critical piece of information to an attacker. The impact on the company or to us individually can be devastating.”
AXELOS is a joint venture between the UK Government (Cabinet Office) and Capita plc. They own and develop global best practice, including ITIL, PRINCE2 and RESILIA, used by millions of users in thousands of organisations around the world. Find out how Unicorn can help safeguard your entire organisation with our RESILIA cyber awareness learning here – brought to you through our partnership with AXELOS.
Alternatively, read more about Cyber Crime at the BBC website here.
Unicorn and AXELOS RESILIA working together to improve workforce behaviours through innovative cyber awareness learning
AXELOS has launched a comprehensive new suite of cyber awareness learning, in partnership with Unicorn, to meet the challenging demands all organisations face in managing their vulnerabilities to growing cyber risks.
Nick Wilding, Head of Cyber Resilience at AXELOS Global Best Practice, has laid down the gauntlet to firms in their fight against cyber crime, insisting, “Whatever you’re doing to improve cyber resilience and raising awareness, skills and insight amongst all your staff, you can never do enough.”
Upwards of 90% of successful security breaches are regularly being attributed to human error, regardless of a person’s role or responsibility. Just as organisations evolve and adapt their technical security controls throughout the year, so they need to provide engaging, regular and easy-to-understand learning that will help to embed and sustain more resilient behaviours among all their staff.
AXELOS is a joint venture between the UK Government and Capita plc.
Its RESILIA cyber resilience best practice portfolio puts staff at the heart of an organisation’s cyber resilience strategy and gives companies the confidence to recognise, respond to and recover from cyber attacks effectively. The portfolio includes certified training, all staff awareness learning, leadership development and a maturity assessment tool. The RESILIA cyber awareness learning modules are hosted on Unicorn’s award-winning learning and development platform, SkillsServe.
Typically if companies have carried out any information security awareness training, staff have been put through an uninspiring annual eLearning course, which has little or no impact on embedding good cyber resilient behaviours within the workforce. But Nick believes organisations cannot continue to rely on this ‘compliance-based’ approach to cyber awareness if they are going to successfully manage their ever-changing cyber risks.
He said: “Every individual within an organisation can be a target. No one is immune, so everyone has a critical role to play in protecting their organisation’s most valuable and sensitive information.
“Providing your staff with engaging and innovative learning programmes to promote genuine cultural change and understanding is critical. The learning should be ongoing and regular, short and practical, adaptive and personalised with the option to learn inside and out of work hours.
“RESILIA’s new cyber awareness learning modules include games, simulations, animations, videos, eLearning, posters, plus refresher learning and ‘up-front’ tests to meet the demand for both operational efficiency and learning effectiveness.”
Mark Jones, Commercial Director at Unicorn Training, added: “The cyber resilience module is designed to suit all individuals regardless of their preferred learning style or when and how they like to undertake their learning, with SkillsServe supporting 24/7 mobile just-in-time learning at the point of need.
“This approach gets to the heart of cyber resilience – enabling all staff to take personal responsibility for better protecting their employer’s most valuable and precious information.”
SkillsServe is the World’s top ranked LMS for financial services and fourth overall in the learning industry-renowned 2016 Top 50 Global LMSs Report. For more information visit www.unicorntraining.com/off-the-shelf-content/cyber-resilience/
As Dido Harding, TalkTalk CEO, described cybercrime as “the crime of our generation,” Unicorn’s Mark Jones talks cyber resilience ahead of Learning Technologies 2016.
Tucked away in the Chancellor’s 2015 Spending Review and Autumn Statement before Christmas was a small but not insignificant nugget that would have been missed by most commentators.
The government is committing £1.9bn by 2020 to support a comprehensive programme of cyber security prevention measures.
Recent high profile cases, including TalkTalk and VTech, have again highlighted how the cost of cyber security breaches is rising dramatically. Yet too often technology is still seen as the solution, when in reality it’s regularly reported upwards of 90% of successful breaches are down to human error.
In the wake of their breach, Dido Harding, TalkTalk CEO, described cybercrime as “the crime of our generation,” and moves like the Government’s budget pledge merely serve to reinforce her view.
Last summer, we partnered with AXELOS – a joint venture between the UK Government and Capita plc – to help raise awareness of the critical importance of staff engagement in countering the threat of cyber crime following the launch of AXELOS’s RESILIA Cyber Resilience Best Practice portfolio.
The aim was to provide a platform – SkillsServe – for RESILIA’s suite of cyber resilience learning modules to help address an issue that is infinitely more about people and training than computers and technology. Critically, SkillsServe’s ISO 27001 security rating confirms its status as a secure portal, free of the vulnerabilities experienced by other open source, higher risk solutions, while SkillsServe’s position as the World’s top LMS for financial services adds further credibility to the learning.
In this month’s T-C News, Unicorn’s Commercial Director Mark Jones analyses how effective and engaging training can help firms better manage their ever-changing cyber risks.
Backed by the expert insight of Nick Wilding, Head of Cyber Resilience, AXELOS Global Best Practice, Mark observes how “no matter what you’re doing to improve cyber resilience and raising the awareness, skills and insight amongst all your staff you can never do enough,” before concluding, “The impact of not engaging all your people is too great a risk to take for most – are you ready to make a change?”
Meanwhile if you want to learn more about getting your staff up to speed with cyber resilience come and see us at Learning Technologies 2016 conference and exhibition, at Olympia, London on Wednesday 3 and Thursday 4 February, where Unicorn will be on Stand P14. Register for free entry to the Learning Technologies and Learning and Skills 2016 exhibitions and seminars at www.learningtechnologies.co.uk
Unicorn, the global top five LMS provider, is taking a central role in helping tackle the global risk from cyber-crime by working alongside AXELOS – a joint venture between the UK Government and Capita plc – to raise frontline cyber awareness to up to one million users worldwide.
With over 110,000 cyber-attacks happening every hour, cyber-crime is one of the biggest threats to the global economy. Breaches in IT security and its expensive, often crippling consequences, make the news almost daily, from high-level global violations to localised infringements.
AXELOS Global Best Practice has recently launched its new Cyber Resilience Best Practice portfolio – RESILIA – aimed at putting employees at the heart of an organisation’s cyber resilience strategy and providing companies with the confidence they need to recognise, respond to and recover from cyber-attacks effectively. As part of this, Unicorn has partnered with AXELOS to host a comprehensive suite of learning modules on Unicorn’s award-winning LMS SkillsServe.
For those with an existing LMS, Unicorn supports with an LCMS option. This will allow users to adopt a learning method that suits them, encourage positive cultural change and gain the necessary information to fight cyber-attacks. The modules include gamification, animations, video, eLearning, posters, refreshers/reminders plus a test element.
Nick Wilding, Head of Cyber Resilience at AXELOS, explains: “Everyone has a role to play on the frontline of cyber-crime prevention, and RESILIA helps firms recognise and accept that through delivering compelling content that goes over and above traditional Information Security training to create real cultures of cyber awareness.
“Organisations have typically been happy doing once a year IS awareness training and haven’t invested considerably in solutions as nothing is mandated to say they and their employees must do X, Y and Z. But the costs, financial and in terms of reputational damage, customer confidence and operational stability, of a cyber-breach can be catastrophic and this threat is increasing on a daily basis worldwide.”
Mark Jones, Unicorn, Commercial Director, continues: “This project gets to the heart of supporting learning about the cyber risks that staff face, their personal responsibilities for their employee’s cyber resilience, and how we can all develop a positive culture of cyber awareness across our organisations.
“The design innovation has been carefully considered to meet the needs of all individuals regardless of preferred learning style or when and how they like to undertake their learning. SkillsServe supports 24/7 mobile JIT learning at the point of need. Meanwhile, depending on their experience and knowledge, learners can do a test first, which can equate to large time, and ultimately cost, savings for a business.”
RESILIA Awareness will continue to evolve in line with changing conditions, needs and possibilities, including role and sector specific learning. Through its scope and flexibility it can become the core of a tailored programme to build cyber resilience awareness across your organisation. RESILIA supports organisations in showing best practice towards FCA regulatory requirements or ISO standards requirements.
SkillsServe is ranked fifth overall and number one for financial services in the learning industry-renowned 2015 Top 50 Global LMSs Report. For more information visit http://www.unicorntraining.com or contact firstname.lastname@example.org