The National Counterintelligence and Security Center — an arm of the intelligence community responsible for developing strategies to counter foreign espionage targeting Federal agencies and major government contractors — has started a comprehensive training and education initiative focused on cyber espionage, particularly spear phishing.
The initiative, which also includes a broader awareness component focusing on the potential impact of data breaches on operational security for intelligence personnel, comes as a response to the massive theft of security clearance data on 21.5 million Federal employees. That incident, which officials have attributed privately to Chinese state-sponsored hackers, occured at the Office of Personnel Management and sparked a 30-day cybersecurity sprint across the government.
“What we have done through the auspices of the National Counterintelligence Security Center is to do as much education as we possibly can on what the potential implications are both institutionally and individually,” Director of National Intelligence James Clapper said during a House Intelligence Committee hearing Thursday.
Part of that education effort includes a 3-minute video on the specific threat of spear phishing — an effort by cybercriminals to leverage social engineering and create targeted emails that appear to come from a trusted source but contain links to malicious code or infected attachments. Once clicked by the recipient, spear phishing emails infect the user’s machine and help the hackers gain access to the network.
Spear phishing remains a successful tactic employed by both cybercriminals and state-sponsored cyber spies alike. But with all that is known about the dangers of clicking on unusual attachments or hyperlinks from sources you don’t know, why is spear phishing still so successful? Why is it that some of the most capable state-sponsored cyber espionage campaigns still rely on such a basic method of hacking a network?
The answer is surprisingly simple. According to security experts, spear phishing works because it targets the weakest link in the cybersecurity chain — human nature.
“Spear phishing attacks are successful because they prey on human behaviors and fallibility,” said Eric Lundbohm, chief management officer of iSheriff, a Redwood Shores, Calif.-based cloud security company. “Spear phishing attacks feed off personal information that the targets offer via the Web and on social media. For example, if a cyber-criminal can establish the Facebook page of a target within a government agency, they can then create phishing emails that use friends names, interests or events that the subject attended as subjects in the phishing campaign. This makes them more ‘real’ and, in turn, will fool a greater segment of the phishing targets,” Lundbohm said.
“Phishers attempt to trick people into clicking on malicious links by crafting messages that target emotions such as desires, generosity, needs, trust, fear or curiosity,” said Dan Lohrmann, chief security officer of Security Mentor, a Pacific Grove, Calif.-based security awareness training provider. “For example, a ‘special deal’ is offered for a great price to a specific audience. Spear phishing goes one step further where a reasonable request appears to come from a trusted source,” he said.
But in government espionage campaigns, the targeting gets even more sophisticated. “These spear phishing [emails] use familiar language, acronyms, names of real projects, current organizational structures, recent HR announcements or other materials that can seem, at first glance, to be legitimate,” Lohrmann said. “Spear phishing messages can be very short and simple using minimal formatting, or long, complex and professional-looking with familiar logos.”
As people reveal more of themselves on social media, it is becoming easier for cybercriminals to find very personal information about their target, allowing them to craft more believable emails, said Don Maclean, chief cybersecurity technologist at DLT Solutions in Herndon, Virginia. “Financial rewards for the bad actors are very high – about $500 per medical record, for instance – so they are conducting longterm campaigns,” Maclean said. “A single victim might receive numerous phishing emails, with various approaches, until they get fooled. The increased financial rewards also give them an incentive to make phishing emails more believable, by hiring a native English speaker to eliminate obvious clumsiness in the use of language.”
The DNI’s Spear Phishing Awareness Campaign
Know the Risk – Raise Your Shield: Spear Phishing