U.S. officials confirmed this week that the Pentagon was hit by a spearphishing cyberattack last month, most likely from Russian hackers, which compromised an unclassified email system.
The attack compromised the information of around 4,000 military and civilian personnel who work for the Joint Chiefs of Staff, a U.S. official confirmed to NBC News. Officials said no classified information was taken, but didn't specify in the report how much or what kind of non-classified information was involved.
The attack occurred around July 25 and used what officials called a "sophisticated cyberattack." The suspected Russian hackers, which may or may not be connected with the Russian government, used automated social engineering tactics to gain information from employee social media accounts and then used that information to conduct a spearphishing attack, according to CNN, which first reported the attack.
The news of the breach comes on the heels of the massive Office of Personnel Management (OPM) breachthat occurred earlier this year, compromising the personal information of more than 21.5 million federal employeesand contractors. While this latest breach was significantly smaller in number of records compromised, it speaks to the growing sophistication of phishing attacks as an entrance to move laterally across the network, Unisys Vice President of Security Solutions Tom Patterson said.
"Phishing attacks like this one aimed at the Pentagon’s joint staff are not new. What makes them more effective is the amount of advance knowledge the attackers have in order to trick the recipient into clicking on the link," Patterson said. "With so much personal information now in the wild, attackers are able to create a ‘pattern of life’ on targets which makes phishing attacks such as this one aimed at the Pentagon’s joint staff much more effective."
Patterson said the sophistication in this attack was not the phishing itself, which is fairly common, but in the hacker's "clever exfiltration of data."
"The days of the typo-ridden silly emails are long gone. Today’s phishing attack looks as real as an authentic message, and are only going to get better," Patterson said.
While it is important for a business to focus on phishing prevention through user education, Patterson said it is becoming clear that enterprises need to put more emphasis on mitigation once the hacker enters the network, as the "standard pattern of attack" is to gain access through phishing then escalate privileges and spread laterally. One way to do that, he said, is employing micro-segmentation of data, he said, which divides the data center into smaller zones for easier security enforcement.
"Enterprises in both government and private sector have begun to shift their defenses inward, understanding that it only takes one of these types of phishing attacks to be successful," Patterson said. "With this new drive toward mitigation, enterprises can use micro-segmentation to survive and manage these inevitable types of attacks."