In the wake of last week’s confirmed attacks against The New York Times, Wall Street Journal and Washington Post comes a shocking new revelation: the US Energy Department, home to the National Nuclear Security Administration, which looks after America’s nuclear arsenal, has also fallen victim to compromise.
According to a report in the Washington Free Beacon, officials have confirmed that 14 servers and 20 workstations were compromised during the attack.
At this early stage, when so few details of the attack have been released officially, it’s difficult to come to any firm conclusions, but the details we have so far are already very concerning. The report in the Washington Free Beacon states: “They believe the sophisticated penetration attack was not limited to stealing personal information. There are indications the attackers had other motives, possibly including plans to gain future access to classified and other sensitive information.” While the report states that no classified information was accessed during the attack, it has been confirmed that personal information on hundreds of employees was accessed.
If the intent was espionage-related, as seems the most likely case, then it is unlikely that the attackers will give up due to the failure of one attack; modern attacks of this nature are run more as a campaign than as individual attacks. Even if no classified data was accessed (while it is “still under investigation” I have my doubts on how certain that conclusion can be), at a minimum the information that has already been confirmed to have been accessed will be invaluable in creating future targeted attacks against individuals working for and with the Energy Department and National Nuclear Security Administration, which remain very high-profile targets.
Nation-states have always invested in cutting-edge technology for the purposes of international espionage and continue to do so; this should come as no surprise. Governments and corporations alike owe it to their employees and to their citizens to apply similar cutting-edge technology to encrypt sensitive data and to monitor critical networks for suspicious behaviour in real time. It should not be a simple exercise to breach such a high-risk organisation.
The stories around the intrusions at those high-profile newspapers have zoomed in on how the anti-virus solution installed at the victim organisation did not flag the malicious files used by the attacker, and that is part of the problem. Organisations continue to rely on single layers of security, often designed to solve a completely different problem, when faced with an advanced targeted attack.
Measuring the effectiveness of traditional anti-virus technology by its ability to detect customised targeted attacks is as useful as measuring the effectiveness of a hammer at removing a screw. It’s simply the wrong tool for the job. If an attacker can’t bypass your anti-virus, then his “targeting” is woefully inadequate. Security fit for today’s threat landscape needs to operate on the assumption that “breach will happen” and to provide real-time, actionable information as soon as it does. This allows the victim to rapidly contain and remediate.