21 July 2015

Exclusive: Russian Hackers Target The Pentagon

07.18.15

A sophisticated group of hackers, who earlier targeted the White House and State Department, have launched a stealth phishing campaign on the Pentagon.

Hackers linked to Russia who penetrated the computer networks of the White House and the State Department have turned their sights on the Pentagon, The Daily Beast has learned. And this time the hackers are using more sophisticated technologies that make them exceptionally hard to detect and that allow them to cover their tracks.

The Daily Beast obtained an email notice that the Defense Department sent Friday warning “at least five” DOD computer users have been targeted in the latest campaign. The notice linked these attacks to penetrations of unclassified networks at the White House and State Department that began last year and were reported in April. The notice doesn't specify whether any information has been stolen, nor does it indicate which agencies the targeted victims work in.

But based on the technical details contained in the notice, the hackers are upping their game and employing even more advanced methods to trick users into downloading viruses onto their computers that can then siphon off files, messages, and other sensitive information.

“The sophistication of this attack far surpasses anything we have seen to date from any state actors,” said Michael Adams, a computer security expert who served more than two decades in the U.S. Special Operations Command. The Daily Beast shared the technical details of the malware with Adams, who said it employed tools that make the intruder extraordinarily difficult to detect.

“To use a military analogy, the level of sophistication of this attack is like comparing a World War I propeller-driven fighter plane to a stealth bomber coming in under the radar, completely destroying its target, and leaving before the enemy even realizes they have been attacked,” Adams said. 

In the new campaign, which the notice says was detected on July 8, the victims received emails that purported to come from the National Endowment for Democracy, a prominent non-profit organization in Washington that receives congressional funding. The group supports pro-democracy efforts around the world, including in Russia and China, where hackers who recently stole personal records from more than 22 million current and former U.S. government employees are believed to be based. 


The emails contained a link that, when clicked, takes recipients to an infected server on the organization’s network. It then downloads malicious software onto the victim’s computer.

A spokesperson for the National Endowment for Democracy didn’t respond to requests for comment.

“To use a military analogy, the level of sophistication of this attack is like comparing a World War I propeller-driven fighter plane to a stealth bomber.”

The notice says that the campaign is using a “variant” of the malware reported in April, but this campaign appears to be more advanced in several respects. The hackers are using multiple forms of encryption and secure communication channels. They’re also able to erase traces of the intrusion, which can make it difficult to know what the hackers stole and whom they infected.

In another clever trick, the infected server at the pro-democracy group actually delivers two documents to the intended victim—one a “benign document” such as a PDF or audio file, and the other a “malware loader” that starts running unbeknownst to the victim.


The malware works in stages. Once implanted, it calls out to another server and downloads a second file containing more malicious software. That communication occurs via an encrypted connection designed to avoid eavesdropping. 

A Defense Department official acknowledged that the notice had been sent but declined to comment further on the hacking campaign. “There are thousands of attempts to hack DOD every day. We have processes and procedures in place to mitigate those attempts,” the official told The Daily Beast.

A spokesperson for the National Security Council referred queries to the Pentagon. 

The notice, which was distributed to Defense Department contractors and others cleared by the Pentagon to receive security warnings, says that it was sent as an “anticipatory intelligence product,” which may indicate that the Pentagon thinks it caught onto the hacker campaign early. But it provides no information on how many Defense employees may have been targeted or infected, beyond the five people to whom the legitimate-looking emails, known as spear phishes, were sent. And the notice doesn’t say whether any of those employees clicked on the dangerous link and downloaded the malicious software.

“While I am somewhat comforted to hear that the malware was discovered on some systems, it is a virtual certainty that there are more instances of this malware inside the DOD and whatever other parts of our infrastructure this enemy has targeted,” Adams said. 

A separate notice sent Friday by the FBI, also obtained by The Daily Beast, warns that hackers are now targeting “U.S. government agencies and private sector companies” via a vulnerability in Adobe Flash. That vulnerability was publicly disclosed earlier this month when the Italian company Hacking Team, which collects and sells information about flaws in software, was itself the victim of a massive penetration that exposed the company’s inner workings and its business dealings with the U.S. government as well as a host of despotic regimes around the world. 

The FBI warning is apparently unrelated to the one from DOD. But it underscores the pervasiveness of hacking campaigns in the U.S. today, and how government security officials find themselves scrambling to prevent more intrusions.