In 2016, targeted cyberattacks pivoted away from economic espionage to politically focused subversion, which may not sound immediately alarming to public agencies at all levels — but in their tactics, criminals showed an increased reliance on emails and common IT tools, a new report reveals.
The Symantec 2017 Internet Security Threat Report (ISTR) released on Wednesday, April 26, draws the eye back to a year punctuated by Distributed Denial of Service (DDoS) attacks, attempts to subvert the American electoral process, multimillion-dollar bank heists, a rise in ransomware predations and the revealing of cracks in the cloud environment. The report has been produced for 22 years.
None of this is good news for state and local governments. But as a representative of the leading cybersecurity company told Government Technology, public officials can help preserve residents’ confidential data and maintain their own online architecture by strictly following a series of best practices that sound like old news — and perhaps should be — but still are not universally followed.
Cyberattacks, particularly against the Democrats, were one of the major stories in the 2016 presidential election — but contrary perhaps to the image of sophisticated hackers that presents, attackers increasingly “lived off the land,” using tools already installed on users’ systems to reach personal data.
“I think whether it’s our government, someone else’s government, the state government, we’re all susceptible to these same groups, and that’s why the trends are so important — because you’ve got to know how to defend yourself,” Jennifer Nowell, national director for state and local government and education at Symantec, told Government Technology.
Arguably the hallmark of attackers’ simplicity was a marked return to email as their weapon of choice, with one in 131 emails sent last year containing a malicious link or attachment — up from one in 220 in 2015. That’s a nearly 68 percent increase.
Spam rates held constant at 53 percent of emails sent, but the phishing rate bounded upward from one in 1,846 in 2015 to one in 2,596 last year. That’s an increase of nearly 41 percent.
Ransomware was its own story, with the number of detections jumping about 36 percent from 340,665 in 2015 to 463,841 — and it’s one with which public agencies can increasingly relate. In late November, attackers demanded 100 bitcoin, then worth about $70,000, to release San Francisco Municipal Transit Agency (SF Muni) machines from encryption.
It was “some evidence,” Symantec authors wrote, “that ransomware attackers have begun tailoring their ransom demands on the basis of the type and volume of data they have encrypted.”
The temporary standoff meant free rides for some customers, but the predators lost. SF Muni restored its own data from a backup — which the security company said is “the single most effective way” to fight ransomware.
The average ransom amount jumped from $294 in 2015 to $1,077 last year.
Elsewhere in 2016, attackers demonstrated an alarming ability to “live off the land,” using OS features, legitimate tools and cloud services to infiltrate networks. The “malicious use of legitimate tools” is harder to spot, researchers pointed out.
Mimikatz, a tool that can change privileges, export security certificates and recover Windows passwords was criminals’ most popular choice for subversion with 4.6 million instances of usage, followed by the Microsoft Sysinternals tool PsExec at 3.2 million, and Windows Credential Editor at 2 million. Malicious PowerShell scripts “have also been widely used in targeted attacks,” the report’s authors wrote.
But the even simpler construct of social engineering remains too — and was the root cause behind the spear-phishing email sent last year to Democratic campaign chairman John Podesta suggesting his Gmail account had been breached and asking him to reset his password.
“You know, human nature is for us to be helpful. And so we want to say, ‘Let me give you my date of birth, let me give you my Social Security number,'” Nowell said. “With use of these easier tools in combination, they get what they need.”
Identity thefts and data breaches were two areas where the United States was especially hard-hit in 2016. The nation ranked No. 1 of 10 countries in data breaches (1,023) and stolen identities (more than 791 million).
In the U.S., transportation and public utilities ranked fifth of 10 sectors with data breaches, by number of incidents, at 75 last year. The public administration sector ranked ninth with just six incidents. But Nowell said resolving the issue can be a relatively direct way for governments to save taxpayer dollars.
Here as elsewhere in the report, the best practices listed may sound familiar, including backing up files; keeping security software and OS and system software up-to-date and patched; deleting suspicious email; keeping passwords strong; and being wary of Microsoft Office email attachments asking the user to enable macros to view content.
But Nowell said security awareness and education, as well as communication, are key. She pointed to the Ohio Attorney General’s office as an example of an agency that has created awareness around security, even reaching the state’s smaller businesses to let them know what they should be doing.
“I think we’re seeing really positive momentum in the state around training and awareness and making sure they are communicating this as effectively as they can,” Nowell said, adding that states generally lead lower-level agencies on cybersecurity and best practices, with CIOs learning from each other.
At an informal session about hacktivism and cybersecurity on April 25 at the 2017 NASCIO Midyear conference in Arlington, Va., Andre McGregor, director of security at Tanium, discussed the hacking of the now-defunct leo.gov (PDF) and the always-present human element in hacking attempts.
Back in November 2015, a hacktivist sent multiple emails to law enforcement employees in an attempt to gain access to the portal — which gives an official with one username and one password access to many different services and sources of information within the FBI’s Law Enforcement Online Enterprise Portal (now available on cjis.gov).
In this attempt, the hacktivist received multiple out-of-office automatic replies, McGregor said, so he masked himself as one of these out-of-office employees and essentially got access to leo.gov by communicating with another person within the agency.
“The human is still the weakest link,” McGregor said, “and how do we mitigate against that?”
The weakest link in the Internet of Things (IoT), which includes outmoded routers and Internet-connected cameras, is usually their security — which may be non-existent or lacking an update.
One of the biggest IoT breach stories last year was the series of attacks by the Mirai-infected botnet of devices. In September, IoT devices primarily driven by the Mirai “zombie army,” as Symantec referred to it, led the largest DDoS attack ever against French hosting company OVH.
Nowell acknowledged the challenge posed by the millions of legacy IoT devices already released, but said companies that build Internet-enabled devices need to either include security or bolt it on afterward.
“As old as that is to say, you’re only as strong as your weakest link,” she added.
Not surprisingly, as agencies of varying sizes contemplate moving operations to the cloud, it, too has security issues, Symantec researchers found, noting that cloud attacks are still in their infancy.
The company’s analysis that produced this year’s ISTR report — which is based on data from Symantec’s Global Intelligence Network that includes more than 2 billion emails and 2.4 billion Web requests processed daily — found that most CIOs think their organizations use only around 30 to 40 apps in the cloud “despite most enterprises having adopted an average of 928.” That, Symantec noted, is a difference of more than 2,000 percent.
In October, an IoT attack on domain name servers provider Dyn primarily through Chinese-produced webcams highlighted how one such incident could affect other Web services from providers like Amazon Web Services, SoundCloud, Spotify and others.
In another case from early 2016, Symantec noted that a California company whose entire operation was run through a managed cloud solutions provider lost access to more than 4,000 files in the cloud after an employee opened a spam email.
The human element, Nowell said, means that while many cloud apps are sanctioned and allowed, others that aren’t allowed are still used.
“You still have to provide the same level of security and it really should still be transparent to the user,” she said of providers. “We should be able to provide the transparency to users. And give them the flexibility they need to do their job.”
NEW ON THE PODCAST