DOD battles spear phishing

The Defense Department is battling “a significant and widespread effort” to penetrate DOD information systems with sophisticated, targeted, socially engineered e-mail messages in a technique known as spear phishing, according to internal documents.

The Joint Task Force-Global Network Operations (JTF-GNO) warned DOD users last month in an internal presentation that everyone within DOD is a spear phishing target. Attempts have been made against all ranks in all services in all geographic locations. DOD civilians and military contractors have also been hit by spear phishing attacks, the JTF-GNO presentation states.

The Defense Security Service (DSS), which supports contractor access to DOD networks, said in a bulletin sent to contractors in October that JTF-GNO “has observed tens of thousands of malicious e-mails targeting soldiers, sailors, airmen and Marines; U.S. government civilian workers; and DOD contractors, with the potential compromise of a significant number of computers across the DOD.”

U.S. Forces Korea echoed this warning in a recent information assurance alert. It warns that outsiders target its information systems on a daily basis by phishing and spear phishing attacks, which attempt to gain access to operational and personal information through bogus e-mail messages.

“At this point, the true scope of compromise and exploitation is unknown, but likely thousands more users and computers have been, or will be, successfully targeted,” the bulletin states.

The bulletin adds that the sophistication of the techniques spear phishers use is reflected in their ability to obtain and apply legitimate DOD documents and data. The spear phisers also use enticing subject lines related to legitimate operations, exercises or military topics.

The U.S. Forces Korea information assurance alert states that unsolicited e-mail messages lure unsuspecting users to click on links to Web sites or attachments that download malicious software, known as malware, onto the system to steal data, including sensitive but unclassified information.

JTF-GNO illustrated the sophistication of spear phishing attacks DOD faces in a “DOD Spear Phishing Awareness Training” presentation obtained by Federal Computer Week. That presentation shows a faked message that appears to come from the operations division at the Pacific Command (Pacom) with a PowerPoint attachment concerning the Pacom “Valiant Shield” exercise held this summer.

But the seemingly legitimate address and PowerPoint slides were fake, and clicking on the attachment would launch malware that could infect the user’s computer, the JTF-GNO presentation warned. All DOD employees and contractors must spear phising awareness training by Jan. 17, 2007, according to internal DOD messages.

JTF-GNO acknowledged its spear phishing challenges in its awareness presentation which states, “The attacker selectively chooses the recipient (target) and usually has a thorough understanding of the target’s command or organization.”

Spear phishing e-mail messages appear genuine, have legitimate operational and exercise names, and may address the recipient by name and use internal lingo and jargon, the JTF-GNO presentation states.

Last month, JTF-GNO mandated use of plain text e-mail. HTML messages pose a threat to DOD because the code can contain spyware, and in some cases, could contain executable code that could enable intruders to access DOD networks, a JTF-GNO spokesman said.

The department also beefed up its network security and e-mail security in November with a new generation of Common Access Cards, which include public-key infrastructure to access e-mail. DOD users are also supposed to digitally sign their e-mail messages.

But the JTF-GNO spear phishing awareness presentation makes it clear that technology alone will not defeat the threats spear phishing pose. JTF-GNO instructed DOD e-mail users to ensure that the source is legitimate and the message is digitally signed before they click on any link in a message or open an attachment.

E-mail messages from organizations or individuals outside DOD should be viewed with caution, the JTF-GNO presentation states, and DOD e-mail users should be suspicious of their formats and attachments.

DOD spokespeople have declined to identify the sources behind the spear phishing attacks or e-mail messages infected with malware. But in a presentation to the AFCEA LandWarNet conference this summer, Lee LeClair of the Army’s Network Enterprise Technology Command/9th Signal Command said U.S. military networks are faced with attacks by state-sponsored teams that control botnets and engage in spear phishing.

Jessica Kalish, a spokeswoman at iS3, which sells anti-phishing software, said lone hackers do not carry out spear phishing attacks. They are mounted by criminal enterprises, terrorist organizations, malcontents or espionage operations, she said.

Spear phishing attacks are often enabled by spyware installed on a user’s PC, which can, for example, capture keystrokes that indicate a target is working on Valiant Shield, Kalish said. The attacker then crafts a fake PowerPoint attachment loaded with malware, which is launched when clicked by the unsuspecting recipient.

Kalish said the Anti-Phishing Working Group has developed a database of phishing attacks that can help defend against spear phishing, but only after it identifies an attack. Kalish said iS3’s Stopzilla anti-spyware and anti-phising software uses heuristics to proactively identify potential spear phishing attempts.

Stopzilla warns users about potential fake Web sites or attachments packed with malware before a user clicks through and launches a dangerous program, Kalish said.

Max Caceres, director of product management at Core Security Technologies, which sells software used by DOD and other federal agencies to test how their employees resists spear phising attacks, said the wide range of information available online makes it easy to gain inside knowledge of an organization and craft targeted attacks.

Core Security Technologies has never failed in its spear phishing tests against large organizations, Caceres said, an indication of the task DOD faces as it attempts to battle its latest network threat. The human factor which requires e-mail users to carefully examine their messages, plays a critical role in defeating spear phishing, Caceres said.

The JTF-GNO spokesman is on holiday leave this week and did not respond to detailed questions from FCW on the breadth of spear phishing attacks against DOD. A Pentagon spokesman deferred to JTF-GNO to answer an FCW query.