How Russian hackers attack (and how to defend against it)
- By Caroline Mohan
- Jul 31, 2018
In a summer marked by detailed disclosures of Russian cyber attacks during the 2016 elections and warnings of the risks this election cycle, the Department of Homeland Security is also working to educate stakeholders in other critical infrastructure sectors about the ongoing threats.
In a July 30 webinar hosted by DHS's National Cybersecurity and Communications Integration Center, Jon Homer, the chief of NCCIC's Industrial Control Systems Group, Hunt and Incident Response Team, described the recent advanced persistent threat mounted by Russian hackers. Homer’s team is running a campaign to predict, identify and terminate such threats.
Homer described the spear-phishing and watering-hole attacks employed by the hackers and how they can use one vendor’s data to access a massive network of vendors and clients. Once attackers have access to a network of sensitive information, they spread their reach by corrupting things as simple as Microsoft Word files and desktop shortcuts.
For example, attackers can alter the template file called “normal.dotm,” which Word loads in the background for every document, so that whenever a Word document is opened, Word reaches out to a file hosted outside the computer’s network. When Word requests that external file, the attacker-controlled file server demands the user’s credentials to grant access -- Word automatically supplies the user’s credential hash, and the credentials are immediately compromised.
The same technique can be used on a desktop shortcut, Homer said. When users add a custom icon to a shortcut on their computer, that icon’s location can be configured to point at a malicious IP address in the background, so that a user hash is requested simply to display the shortcut.
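The redirection described above leaves a trace inside the document itself, and a defender can check for it. The following is an added example, not code from the article or from DHS/NCCIC: it inspects a Word file or template (such as normal.dotm) for an attached-template relationship that points outside the document, assuming the standard OOXML layout in which that relationship lives in `word/_rels/settings.xml.rels`. The sample templates and the 203.0.113.5 address are constructed for the demonstration.

```python
# Added example (not from the article or DHS/NCCIC): flag Word templates whose
# attached template is fetched from a remote host rather than a local drive.
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_PATH = "word/_rels/settings.xml.rels"   # where Word records the attached template
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"


def external_template_targets(data):
    """Return every attachedTemplate target marked TargetMode="External"."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if RELS_PATH not in zf.namelist():
            return found                      # no settings relationships at all
        root = ET.fromstring(zf.read(RELS_PATH))
    for rel in root.iter("{%s}Relationship" % RELS_NS):
        if rel.get("Type") == ATTACHED_TYPE and rel.get("TargetMode") == "External":
            found.append(rel.get("Target", ""))
    return found


def is_remote(target):
    """True for UNC paths and http(s)/WebDAV URLs; a local drive letter is benign."""
    t = target.strip()
    if re.match(r"^https?://", t, re.I) or t.startswith("\\\\") or t.startswith("//"):
        return True
    m = re.match(r"^file:(//)?(.*)", t, re.I)
    if m:
        # file:///C:/... is a local drive; file://host/share/... is a remote UNC path
        return not re.match(r"^/?[A-Za-z]:", m.group(2))
    return False


def suspicious_templates(data):
    """Targets that would make Word authenticate to a host outside the machine."""
    return [t for t in external_template_targets(data) if is_remote(t)]


def build_sample(target=None):
    """Constructed minimal template package for testing; only the rels part matters."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        if target is not None:
            zf.writestr(RELS_PATH, '<Relationships xmlns="%s"><Relationship Id="rId1" '
                        'Type="%s" Target="%s" TargetMode="External"/></Relationships>'
                        % (RELS_NS, ATTACHED_TYPE, target))
    return buf.getvalue()
```

Run `suspicious_templates()` over the templates collected from user profiles; any remote target is worth investigating, since that is exactly the outbound request that hands over the user hash.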
Homer also discussed ways in which an organization can test its systems for long-existing malicious activity.
He highlighted the importance of remaining focused on behaviors, as “IP addresses don’t last very long.” Trying to identify vendors entering a network with employee credentials is a common way to detect fraudulent activity, he added.
Homer also discouraged the practice of whitelisting third-party vendors. Whitelisting any vendor’s activity creates a large loophole for attackers who can take advantage of a vendor’s “relationships of trust” with clients and so remain undetected by traditional vulnerability scans.
“It’s important to take a look at your historical logs,” Homer stated. Part of his campaign includes a list of indicators of past fraud, such as IP addresses and hashes, that an organization can run against its historical logs from its critical infrastructure to detect any threats.
To have an efficient and updated view of an organization’s attack surface, IT security teams must “look as deep into the past as possible,” he said.