
20th July 2018

How the Russians used spearphishing


US indictment says Russian hackers used spearphishing to interfere in 2016 presidential election

Hillary Clinton’s campaign chairman John Podesta received the spearphishing email from Aleksey Lukashev, a senior lieutenant in Russian military intelligence, on or around 19 March 2016, according to the official indictment.

The email was spoofed to look like a standard security notice from Google asking him to change his password by clicking a link, and the link itself had been obscured using a freely available URL shortening service.

The link took Podesta to a fake website where he changed his password (and thereby divulged it to the hackers).
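As an added illustration (not part of the original article) of how the spoofed email described above can be flagged before anyone clicks, the Python script below checks a raw message for the three tell-tale signs the article mentions: a sender display name that borrows a brand the sending domain does not belong to, a link whose destination is hidden behind a URL shortener, and link text that names one site while the href points at another. The sample message, its addresses and hosts, and the shortener list are all constructed for this example.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse
# The shortener list and the sample message are constructed for this example; every address and host is invented.
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly", "is.gd"}
SAMPLE = """\
From: "Google Security" <no-reply@account-alerts.example>
Subject: Security alert: please change your password
Content-Type: text/html; charset="utf-8"

<html><body><p>Someone just used your password to sign in to your Google Account.</p>
<p><a href="https://bit.ly/EXAMPLE1">Change password</a></p>
<p><a href="https://accounts-google.example/reset">https://accounts.google.com/reset</a></p></body></html>
"""
class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def phishing_indicators(raw_message, brand="google", brand_domain="google.com"):
    """Return human-readable indicators that a raw RFC 5322 message impersonates `brand`."""
    def owned_by_brand(host):  # exact domain or a subdomain of it, never a look-alike such as notgoogle.com
        return host == brand_domain or host.endswith("." + brand_domain)
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0]
    if brand in sender.display_name.lower() and not owned_by_brand(sender.domain.lower()):
        findings.append(f"display name '{sender.display_name}' but sender domain is {sender.domain}")
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body is not None else "")
    for text, href in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if host in SHORTENERS:  # real destination is hidden behind a shortener
            findings.append(f"destination hidden behind URL shortener: {href}")
        elif brand in text.lower() and not owned_by_brand(host):  # visible text and real target disagree
            findings.append(f"link text mentions {brand} but points at {host}")
    return findings
```

Running `phishing_indicators(SAMPLE)` returns three findings for the constructed message; a plain-text mail from an unrelated sender with no links returns an empty list.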

Two days later, the Russian operatives stole — and later leaked — more than 50,000 of Podesta’s private emails, throwing Clinton’s bid for the White House into turmoil.

On 13th July, the US Justice Department indicted Lukashev and 11 others for interfering in the 2016 presidential election by hacking and leaking tens of thousands of emails and other material from Clinton’s campaign, as well as the Democratic National Committee, the Democratic Congressional Campaign Committee and others.

Kevin Mitnick, the renowned computer security consultant and author, remarked: “After reading the Russian indictment I was surprised to see that the Russians use the same exact methods we use to test our clients’ security controls. Our security engineers have never failed to get in when we can use social engineering (phishing, etc) during an assessment.”

Mitnick, Chief Hacking Officer at KnowBe4, continued: “The biggest takeaway was that spearphishing is *still* the easiest way the bad guys get in. I believe it is the lack of security awareness training that made it easy for the Russians to hack our election.”

How does this affect me and my small business in the UK?

This reminds us again that maintaining the security of your organisation is very much a team effort and involves EVERYONE.

As technical security measures become more and more sophisticated, attackers increasingly focus on the weakest link in the system: PEOPLE.

As regulatory powers evolve and potential penalties for data breaches increase, it becomes ever more important to train your staff and be able to demonstrate that you have done so.

If you would like to find out what percentage of your users are vulnerable to social engineering attacks such as those described above, we offer a free phishing security test.
Request my free phishing security test now

If you are interested in security awareness training so that your staff are able to spot and avoid such scams, we offer free demonstrations of our customised online awareness programmes.
Request my free security awareness training demonstration now
