The Iron Dome Hack Shows Phishing Is Still Effective Against Defense Contractors
Phishing attacks might seem technologically primitive, but they can still work.
Update: After publication of this piece, Israel Aerospace Industries (IAI) reached out to Motherboard and other outlets. A spokesperson said that "The information reported regarding the leakage of sensitive information is incorrect. The publications refer to an attempt to penetrate the Company's civilian non-classified Internet network which allegedly occurred several years ago. IAI's cyber security systems operate in accordance with the most rigorous requirements and also in this case they were proven to be effective."
But Krebs reported that when he spoke to IAI, the company gave no indication that it was a civilian network that had been penetrated, instead brushing the security researchers' report off simply as "old news" and saying the information had been passed on to the appropriate authorities.
Defence contractors involved with Israel's Iron Dome rocket defense system were hacked and had "huge quantities of sensitive information" stolen, according to a report on security blog KrebsOnSecurity. The attacks took place between 2011 and 2012, and analysts believe that they originated from Chinese, state-sponsored hackers.
KrebsOnSecurity learned of the hack from CyberESI, a threat intelligence firm, which said the hacking process resembled that of the "Comment Crew," a group thought to be affiliated with the Chinese People's Liberation Army (PLA). In May 2014, US prosecutors charged five members of the crew with criminal hacking and espionage, according to the New York Times.
After the hackers had gained access to the companies' systems, they downloaded files related to UAVs, Arrow III missiles, and the Iron Dome, and also installed malware to give themselves even greater access to the contractors' networks, according to the researchers.
None of this required real technical wizardry, the abuse of a hidden vulnerability, or a sought-after zero-day exploit. Instead, the attacks were initiated by phishing emails: the kind that trick a victim into clicking a link or downloading a malware-laden file. It's a low-risk, high-reward approach: As a hacker, if your email is ignored, probably nothing will happen. But if just one person in a company falls for it, you could gain access to valuable information.
Of course, the emails used in this type of case are likely more sophisticated than the ubiquitous Nigerian Prince scams. They are "spear-phishing" attacks, which are crafted with more effort and detail and, for added authenticity, mimic someone the target already knows.
To breach Elisra, one of the Israeli contractors, the hackers apparently impersonated many of the company's top executives, such as their CEO, CTO, and various vice-presidents, in emails. Staff of another, Israel Aerospace Industries, fell for a series of "specially crafted" email attacks, Krebs wrote.
It's no surprise that those in the security industry are the targets of hacking: They handle information that is of value to many people. But it seems a little disconcerting that in 2014, some of the most sensitive systems can still be breached by one of the oldest strategies—pretending to be somebody that you're not.
This isn't an isolated case. The past few years have seen plenty of phishing missions against defence and security contractors. In August 2011, a Japanese company that carries out contracts for the country's government was suspected to have fallen victim to a spear-phishing campaign, leading to 83 of its systems becoming infected. Another case popped up in June 2012, when security researchers found phishing attacks targeting several US contractors.
In May this year, a report by security firm iSIGHT Partners detailed a phishing campaign reportedly from hackers based in Iran, which went a step further and set up an entire ecosystem of fake social media accounts, complete with fleshed-out back stories. Some of the hackers used these to pose as journalists, and reached out to US diplomats, Israeli contractors and other people involved with national security projects. The "journalists" even had a legitimate-looking website, newsonair.org.
Even though phishing emails seem technologically primitive, they're still quite successful.
"Phishing attacks are still proving effective as it is relatively easy to send an email to key people in an organisation, bypassing multiple layers of technical defences that might be in place," Jason Cook, lead consultant at Context Information Security, told me.
Indeed, even a well-constructed system can fall to a simple email. "Phishing utilises social engineering; a carefully worded email can apply pressure or give incentives to convince an otherwise sensible user to ignore security procedures," Cook continued.
In response to the threat, US defence company Northrop Grumman have taken it upon themselves to simulate phishing attacks in order to train their staff to notice them and avoid clicking anything malicious.
"If I've got 70,000 employees who are smart enough to say, 'Whoa, looks like a spearphishing e-mail—I'm going to report it to my cybersecurity operations center,' then my operations center can dig into it and immediately block anyone else in the company from getting that e-mail," Michael Papay, the company's chief information security officer told The National Journal. "Having 70,000 people instead of a small number of people doing protection provides economy of scale."
But Cook says this kind of training isn't a silver bullet. "Phishing education cannot fully mitigate against these attacks," he said. "It can generally be assumed that given enough attempts someone will eventually be 'tricked.' Sometimes all it takes is one person and an attacker has achieved their goal, whether it is a targeted malware deployment or credential harvesting."
He suggested that a greater awareness of phishing should be married with other measures, such as "intrusion detection/prevention systems, firewalls, anti-virus software, physical security and effective logging and auditing."
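The two defensive ideas above, spotting an email that impersonates a named executive and turning one employee's report into an indicator the whole company blocks, can be sketched as a small mail-triage script. The following is an added example written for this page, not code from Krebs, CyberESI, Northrop Grumman or Context Information Security; the executive directory, the company domains (`example-contractor.com`) and the three sample messages are all constructed, and the checks (display name versus known address, look-alike sender domain, divergent Reply-To) are the author's own heuristics rather than any vendor's product logic.

```python
"""Triage inbound mail for executive-impersonation spear-phishing.

Added example, not from the article. Given a raw RFC 822 message it flags:
  1. a display name matching a known executive while the sending address is
     not that executive's real address (the Elisra-style impersonation);
  2. a sender domain that is a close look-alike of the company's domains;
  3. a Reply-To that sends answers somewhere other than the apparent sender.
The directory, domains and messages below are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed directory: lower-cased display name -> legitimate address.
EXECUTIVES = {
    "dana levy": "dana.levy@example-contractor.com",
    "omer katz": "omer.katz@example-contractor.com",
}
# Constructed set of domains the organisation legitimately sends from.
TRUSTED_DOMAINS = {"example-contractor.com", "mail.example-contractor.com"}


def levenshtein(a, b):
    """Edit distance between two strings; used to catch swapped letters in domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr):
    """Domain part of an address, lower-cased; empty string if malformed."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike_domain(domain):
    """True if the domain resembles, but is not one of, the trusted domains."""
    if not domain or domain in TRUSTED_DOMAINS:
        return False
    return any(levenshtein(domain, t) <= 2 or t in domain for t in TRUSTED_DOMAINS)


def triage_message(raw):
    """Return verdict ('clean' or 'suspicious'), sender, Message-ID and reasons."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(from_addr)
    reasons = []

    # 1. Executive's name on the envelope, but not the executive's address.
    key = from_name.strip().lower()
    if key in EXECUTIVES and from_addr.lower() != EXECUTIVES[key]:
        reasons.append(f"display name '{from_name}' but sender is {from_addr}")

    # 2. Sender domain is a near miss of a company domain.
    if is_lookalike_domain(from_dom):
        reasons.append(f"look-alike sender domain {from_dom}")

    # 3. Replies are routed to a different domain than the visible sender.
    if reply_addr and _domain(reply_addr) != from_dom:
        reasons.append(f"Reply-To {reply_addr} differs from From domain {from_dom}")

    return {
        "verdict": "suspicious" if reasons else "clean",
        "sender": from_addr.lower(),
        "message_id": msg.get("Message-ID", "").strip(),
        "reasons": reasons,
    }


def block_indicators(results):
    """Indicators a SOC would push to the mail gateway after one report:
    the sender addresses and Message-IDs of every suspicious message, so the
    same email is held back from everyone else in the company."""
    bad = [r for r in results if r["verdict"] == "suspicious"]
    return {
        "senders": sorted({r["sender"] for r in bad}),
        "message_ids": sorted({r["message_id"] for r in bad if r["message_id"]}),
    }


# Constructed sample messages: one legitimate, two impersonation attempts.
SAMPLES = [
    "From: Dana Levy <dana.levy@example-contractor.com>\r\n"
    "To: staff@example-contractor.com\r\nMessage-ID: <1@example-contractor.com>\r\n"
    "Subject: Q3 figures\r\n\r\nAttached as discussed.\r\n",
    "From: Dana Levy <dana.levy@example-contract0r.com>\r\n"
    "To: staff@example-contractor.com\r\nMessage-ID: <2@example-contract0r.com>\r\n"
    "Subject: Urgent: review the attached\r\n\r\nPlease open today.\r\n",
    "From: Omer Katz <omer.katz@gmail-webmail.example>\r\n"
    "Reply-To: procurement@dropbox-share.example\r\n"
    "To: staff@example-contractor.com\r\nMessage-ID: <3@gmail-webmail.example>\r\n"
    "Subject: Vendor payment\r\n\r\nApprove this now.\r\n",
]

if __name__ == "__main__":
    results = [triage_message(s) for s in SAMPLES]
    for r in results:
        print(r["verdict"], r["sender"], r["reasons"])
    print(block_indicators(results))
```

The first sample passes; the second trips both the executive-name check and the look-alike domain check (a zero for an "o"); the third trips the executive-name check and the divergent Reply-To. Heuristics like these complement, rather than replace, the awareness training and the logging, IDS and gateway controls Cook lists, since a well-crafted message that uses a compromised legitimate account would pass all three checks.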
But even with those safeguards in place, and even in some of the most high-risk industries, sometimes it only takes one person to bite the bait.