I read an interesting article from CNN reporter Theodore Schleifer, who wrote “How China could have hacked the U.S. government in 10 steps.”
Last Thursday, U.S. investigators said that more than 4 million current and former government personnel records were compromised in a large-scale cyber attack. The assumption is that the Chinese have hundreds of thousands of security clearance forms, which could be used for bribery or to stage future attacks via phishing campaigns, etc.
Image credit: Tim Sackton | Licensed under: CC BY 2.0
Here are Schleifer’s 10 steps that could have been used to hack the government according to U.S. officials:
Let's say there is a U.S. government agency -- Agency X -- that does not update its server operating system software patches.
Between one and two years ago, that agency gets flooded with broad-based phishing emails.
That attack is successful and the attacker, now known to be China, receives some replies from employees at Agency X.
Based on those returns, the attacker then moves to more targeted spear-phishing attacks against Agency X.
At least one -- or maybe more -- of the spear phishing attacks is successful. This is first point failure from lack of patching, or quickly securing a hole in the system.
Now, the attacker has a toehold into Agency X on a deep level, beyond an individual.
The attacker then is able to find the unpatched vulnerability on the server software at Agency X.
The attacker makes his next move: Through that vulnerability, the attacker creates a fake administrator account and gave itself escalating privileges.
Now, the attacker deploys those privileges to create new user accounts at Agency X.
Those user accounts are used to spearhead phish and a return from OPM.
In April, the U.S. government learned of the ten-step plan to hack it. For two months, the federal government didn't reveal the information publicly because they had not yet cleaned up the entire system. Nor did federal officials want the Chinese to know they were onto them.
It’s worth noting that the federal government took months (or longer) to detect the security breach. But, the key takeaway...
Attackers Took Advantage of Unpatched Vulnerabilities
Of course, IT GRC solutions can help prevent, detect and analyze cyber security across Windows server environments. Our automated reporting solutions reveal unpatched servers across large enterprises and report on privileged user accounts—who has access to what? Plus, our powerful auditing solutions alert on privileged account activity, including the creation of new user accounts.
And our new forensics tool, IT Search, a browser search tool for InTrust data, gives you deep insights for rapid remediation and analysis of data breaches—it’s like “Google” for IT security configurations and activities.
To learn more about the anatomy of an insider threat, watch this Randy Franklin Smith on-demand webcast.