Top Republican Email Accounts Compromised
National Republican Congressional Committee Emails Spied On For Months
The email accounts of four senior aides within the National Republican Congressional Committee were compromised for several months earlier this year, Politico reports.
The NRCC's managed security services provider detected the intrusion in April. The NRCC then alerted the cybersecurity and forensics firm Crowdstrike, which the organization kept on a retainer, the news website reported on Tuesday. Thousands of emails may have been spied upon.
Politico's report apparently caught senior Republican leadership off guard; the NRCC kept the incident under wraps as the investigation continued. That concealment, which Politico reports was intended to avoid compromising the investigation, appears to be causing some consternation.
"First the #Democrats, now the #Republicans," writes U.S. Rep. Mark DeSaulnier, D-Calif., on Twitter. "We called on Republican Leadership to investigate before but saw very little action. Perhaps the #cyberattacks on the @NRCC will finally compel Republicans to address this real and immediate #threat."
The emails from the NRCC accounts do not appear to have been publicly released. In theory, the NRCC - as well as any other political organization - should have been on high alert after the information disclosure campaign that damaged the Democratic Party prior to the 2016 presidential election.
Also, Republicans have been targeted before. U.S. intelligence agencies said in a January 2017 report about Russian meddling in the 2016 election that "Russia collected on some Republican-affiliated targets but did not conduct a comparable disclosure campaign," referring to disclosures the report alleged Russian President Vladimir Putin ordered to discredit Democratic candidate Hillary Clinton.
Hacking Details Slim
There are many unanswered questions about the newly reported incident targeting Republicans, which occurred in advance of the midterm elections in November. Prior to the election, the U.S. government sought to reassure the public of the integrity of voting systems following the tumultuous events of 2016 (see Redoubling Efforts to Secure Midterm Election).
In the months leading up to the 2016 presidential election, Wikileaks released emails stolen from the accounts of Democratic National Committee officials as well as Hillary Clinton's chief of staff, John Podesta. U.S. intelligence agencies believe the material was stolen by Russian-backed hackers and then supplied to the site.
Other material was released on a site called DC Leaks, as well as on a blog of someone going by the name Guccifer 2.0. The U.S. intelligence community's January 2017 report said there was "high confidence" that both sites were the work of Russia's General Staff Main Intelligence Directorate, known as the GRU, which some security companies call Fancy Bear or APT28 (see: Analysis: VPN Fail Reveals 'Guccifer 2.0' is 'Fancy Bear').
It's unclear when the attackers gained access to the NRCC accounts. Politico quotes anonymous sources as saying the attacker is thought to be "a foreign agent due to the nature of the attack."
Crowdstrike tells Information Security Media Group that the firm was asked to investigate. The company says it was already contracted to protect the NRCC's internal corporate network, which was not compromised in the incident.
The NRCC contacted the FBI immediately upon learning of the attack, Politico reports. Contacted Tuesday, the FBI said it had no comment.
Probably Phishing
The most likely avenue that led to the compromise of the NRCC accounts is phishing, in which attackers trick victims into divulging their account credentials through fake login pages that appear to be those of legitimate providers. That was the primary attack mode that compromised DNC officials in 2016.
The best defense against phishing is multifactor authentication, such as requiring a time-sensitive passcode to be entered in order to access an account. The tool can repel account takeover attempts, but users could still be vulnerable if their two-factor code is stolen and used before it can expire.
There are also more secure methods. Google, for example, launched its Advanced Protection program that includes a hardware security key called Titan. A USB key must be inserted in order to authenticate to an account.
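The two defenses contrasted above can be modeled in a few dozen lines. The following is an added example written for this article, not code from Politico, the NRCC, CrowdStrike or Google: part 1 implements the standard time-based one-time passcode (RFC 6238) and measures how long a code captured on a fake login page still verifies at the real server, including the common server practice of tolerating one step of clock drift; part 2 goes a little beyond the article's description of the Titan key and shows the property that makes FIDO/U2F-style hardware keys phishing-resistant, namely that the browser binds the key's response to the origin actually being visited, so a response captured at a look-alike site fails at the genuine one. The hardware key is simulated with HMAC in place of the real asymmetric signature, and every secret, host name and timestamp is a constructed placeholder.

```python
"""Added example, not from the article: a standard-library model of the two
defenses the text contrasts. Part 1 is RFC 6238 TOTP and measures how long a
passcode captured on a fake login page still verifies. Part 2 is a simplified
FIDO/U2F-style hardware key whose response is bound to the origin the browser
saw, so a response captured at a look-alike site fails at the real one.
Every secret, origin and host name below is a constructed placeholder."""
import hashlib
import hmac
import struct

TOTP_STEP = 30  # seconds per code: the "time-sensitive passcode" in the text


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP keyed on the current time step."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code: str, at: int, step: int = TOTP_STEP,
                skew: int = 1) -> bool:
    """Server-side check. Accepting +/- `skew` steps for clock drift is common
    and widens the window in which a phished code is still accepted."""
    return any(hmac.compare_digest(hotp(secret, at // step + d), code)
               for d in range(-skew, skew + 1))


def replay_window_seconds(secret: bytes, code: str, captured_at: int,
                          step: int = TOTP_STEP, skew: int = 1) -> int:
    """Seconds after capture during which the server still accepts `code`."""
    t = captured_at
    while t - captured_at < 10 * step and verify_totp(secret, code, t, step, skew):
        t += 1
    return t - captured_at


class OriginBoundKey:
    """Stand-in for a hardware security key. A real key signs with a per-site
    asymmetric key pair; HMAC over a per-site derived secret is used here only
    so the example runs without third-party libraries. The property that
    matters is unchanged: the browser, not the user, supplies the origin that
    the response is bound to."""

    def __init__(self, device_secret: bytes):
        self._secret = device_secret

    def site_key(self, rp_id: str) -> bytes:
        """Per-relying-party key, established at registration."""
        return hmac.new(self._secret, rp_id.encode(), hashlib.sha256).digest()

    def respond(self, rp_id: str, origin: str, challenge: bytes) -> bytes:
        """`origin` is what the browser actually has in its address bar."""
        msg = rp_id.encode() + b"\0" + origin.encode() + b"\0" + challenge
        return hmac.new(self.site_key(rp_id), msg, hashlib.sha256).digest()


def rp_verify(site_key: bytes, rp_id: str, challenge: bytes, response: bytes) -> bool:
    """The genuine site recomputes the response with its OWN origin only."""
    msg = rp_id.encode() + b"\0" + ("https://" + rp_id).encode() + b"\0" + challenge
    expected = hmac.new(site_key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def run_demo(now: int = 1_700_000_000) -> dict:
    # Constructed values; `now` is a fixed timestamp so the result is reproducible.
    totp_secret = b"constructed-totp-seed-not-a-real-secret"
    code = totp(totp_secret, now)  # what a victim would type into a fake page

    key = OriginBoundKey(b"constructed-device-secret")
    rp_id = "mail.example.test"
    site_key = key.site_key(rp_id)
    challenge = hashlib.sha256(b"constructed-server-nonce").digest()
    genuine = key.respond(rp_id, "https://mail.example.test", challenge)
    # A look-alike page relays the real challenge to the victim; the browser
    # binds the response to the look-alike origin, not the genuine one.
    relayed = key.respond(rp_id, "https://mail-example.test", challenge)

    return {
        "totp_replay_window_no_skew": replay_window_seconds(totp_secret, code, now, skew=0),
        "totp_replay_window_skew_1": replay_window_seconds(totp_secret, code, now, skew=1),
        "key_genuine_accepted": rp_verify(site_key, rp_id, challenge, genuine),
        "key_relayed_accepted": rp_verify(site_key, rp_id, challenge, relayed),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

With the fixed timestamp the captured passcode verifies for 10 more seconds at a strict server and 40 seconds at one tolerating a step of drift, which is the window the article refers to when it says a stolen code can be "used before it can expire"; the relayed hardware-key response is rejected no matter how quickly it is forwarded, because the origin the victim's browser saw is baked into it.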
It's unclear whether the NRCC mandated two-step verification on its accounts, but over the next few days, many are likely to ask that question. Efforts to reach NRCC officials weren't immediately successful.