Although they didn’t publicly speculate on its perpetrators in October 2014, anonymous officials dismissed the hacking of the unclassified White House network as entirely predictable, telling the Washington Post:
“On a regular basis there are bad actors out there who are attempting to achieve intrusions into our system. This is a constant battle for the government and our sensitive government computer systems, so it’s always a concern for us that individuals are trying to compromise systems and get access to our networks.”
Now, CNN reports that this attitude “belies the seriousness of the attack”, and that “Russian hackers… [penetrated] sensitive parts of the White House computer system” and gained “access to sensitive information such as real-time non-public details of the president’s schedule. While such information is not classified, it is still highly sensitive and prized by foreign intelligence agencies”.
President Obama’s deputy national security advisor Ben Rhodes reassured CNN’s Wolf Blitzer that the classified and unclassified White House networks were kept entirely separate. “Frankly, you have to act as if information could be compromised if it’s not on the classified system.”
“The FBI, Secret Service and US intelligence agencies” are investigating the breach.
Investigators apparently believe that hackers accessed the White House network by first hacking the State Department via a spear phishing email – a focused scam to gain information from a specific individual. This is by no means a novel method of attack: many high-profile data breaches – including several of last year’s headline incidents – are the ultimate result of using such attacks to hack organizations further down the supply chain.
Phishing awareness training
Phishing attacks, in which unsuspecting users are tricked into downloading malware or handing over personal and business information, are becoming increasingly common. They usually take the form of emails containing links to malicious websites that masquerade as legitimate ones.
Every day, 156 million phishing emails are sent, 15.6 million make it through spam filters, 8 million are opened, 800,000 recipients click on the links, and 80,000 of them unwittingly hand over their information to criminals.
Organizations should ensure that their staff are properly trained to recognize phishing scams and that they exercise caution when clicking links in unsolicited messages.
IT Governance’s Employee Phishing Vulnerability Assessment will identify potential vulnerabilities among your employees and provide recommendations to improve your security, giving you a broad understanding of how you are at risk and what you need to do to address these risks.