Word documents help Russian election hack

According to a classified NSA report, Russian hackers used Word documents as part of their attempts to interfere in the 2016 US Presidential election. The report also shows that some often-repeated security advice is worthless in the 21st Century.

The report details how Russian-based hackers targeted employees of firms that maintained electoral rolls or other parts of the election system.

Their aim was to get employee logins so the hackers could get into the company servers. Once ‘inside’ they can read documents/emails, send false information and potentially tamper with databases. Infected Word attachments were one of the methods they used.

From the Office/computer security perspective, there’s nothing new in the NSA report but it’s unusual to have details coming from such a high-level and authoritative source.

How the GRU hacked with Word

One trick was to send emails, with a hacked Word document attached, that appeared to come from a related company (‘e-voting vendor’).

The infected Word documents had a .docm extension, which means that they can contain VBA code which Word will run.

A staffer would open the attachment (after all it came from a known company) which then infected the company and network.

 

Another method was to email a fake web link (again spoofed to seemingly come from a trusted source). The link led to what appeared to be a login page for Google or some other known site but was really a trap to get employees to type in their login name/password.

Many press reports say the attacks came from Gmail but a close reading of the NSA Report shows that Microsoft’s Outlook.com was also used. Neither company is to blame for this misuse of their services.

Only open emails from known sources

Security advice includes one suggestion that doesn’t really apply these days:

Only open attachments from trusted sources.

How do you know a source can be trusted? It’s easy to ‘spoof’ or fake an email address so the message seems to come from a company or person you know.

In the case of the Russian hacks, they made up companies that seemed legitimate and related to the election (domains like AmericanSamoaElectionOffice.org).

Once the hackers have a login, they can use that email account to distribute the infected document to others inside and outside the organization.  Because the FROM account is totally real, receivers will, understandably, trust attachments.

It’s easy to criticize later but a busy employee can easily act on an email without thinking of the consequences.

Matters arising ….

  • Beware incoming documents in .docm format because they can contain viruses. Also .xlsm and .pptm for Excel and PowerPoint.
  • It was refreshing to see the exact type of document named in the report. Microsoft talks about a ‘Word document’ without being specific about the type of document used in the attack (.doc .docm .docx etc).
  • You’re not safe just because your business is small or seemingly unimportant. Some people seem to think that only banks are hacking targets; think again.
  • The Intercept published the NSA report received from an anonymous source, now alleged to be Reality Leigh Winner who has been charged with removing classified material.
  • You can read the report here. At the request of the US government, The Intercept blacked out some names.
  • The NSA report says that the hacking is from the Russian General Staff Main Intelligence Directorate, or GRU. Those of us above a certain age knew the GRU as the KGB.
    • Historical update: the GRU is the military intelligence arm of the Russian government. The KGB is now known as the FSB. Thanks to Peter R and Chuck A for sharing their superior knowledge of post-Soviet intelligence services <g>. To paraphrase Reilly – Ace of Spies: the Cheka begat the NKGB which begat MGB which begat the KGB and now we have the FSB.
    • Peter is typing this in Tbilisi, Georgia. As it happens, in Café KGB which has ominous signs “KGB still watching you”.
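
A defender-side check for the .docm point in ‘How the GRU hacked with Word’ and the .xlsm/.pptm warning in the list above, as an added example that is not from the NSA report or the original article: macro-enabled Office files are ZIP containers, so an attachment can be triaged by its extension and by whether it holds a `vbaProject.bin` part or a macro-enabled content type. The function names, verdict labels and sample files are constructed for this illustration.

```python
import io
import os
import zipfile

# Macro-enabled Office Open XML extensions named on this page.
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm"}
# OOXML stores a VBA project as a part named vbaProject.bin (under word/, xl/ or ppt/).
VBA_PART = "vbaproject.bin"


def triage_attachment(filename: str, data: bytes) -> dict:
    """Classify one attachment by its name and by what the container holds."""
    ext = os.path.splitext(filename.lower())[1]
    result = {"macro_extension": ext in MACRO_EXTENSIONS,
              "vba_parts": [], "macro_content_type": False, "parse_error": None}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            result["vba_parts"] = [p for p in names if p.lower().rsplit("/", 1)[-1] == VBA_PART]
            if "[Content_Types].xml" in names:
                types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                result["macro_content_type"] = "macroenabled" in types.lower()
    except zipfile.BadZipFile:
        # Not a ZIP container (e.g. legacy binary .doc); this check cannot look inside.
        result["parse_error"] = "not an OOXML/ZIP container"
    # Verdict labels are this example's own policy names (an assumption).
    if result["vba_parts"] or result["macro_content_type"] or result["macro_extension"]:
        result["verdict"] = "quarantine"
    else:
        result["verdict"] = "unknown" if result["parse_error"] else "no-macro-parts"
    return result


def build_sample(macro: bool) -> bytes:
    """Constructed sample: a minimal ZIP with OOXML-style part names, no real VBA."""
    main = ("application/vnd.ms-word.document.macroEnabled.main+xml" if macro else
            "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/word/document.xml" ContentType="{main}"/></Types>')
        zf.writestr("word/document.xml", "<document/>")
        if macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()


if __name__ == "__main__":
    for fname, macro in [("sample.docm", True), ("renamed.docx", True), ("plain.docx", False)]:
        print(fname, triage_attachment(fname, build_sample(macro))["verdict"])
```

The content check also flags a macro-bearing file whose name ends in .docx, which an extension-only filter would miss. Legacy binary .doc files are not ZIP containers and come back as `unknown`, so they need a separate check.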
