The Wall Street Journal reported this morning that "A Russian hacking group linked to a series of computer intrusions at the Democratic National Committee and other organizations is now targeting Washington think tanks focused on Russian policy, according to investigators at computer-security firm CrowdStrike Inc.
"The company detected “several intrusions” at think tanks that it said bore the trademarks of a Russian hacking group alternatively known as Cozy Bear and APT 29, said Dmitri Alperovitch, CrowdStrike's co-founder and chief technology officer.
"One think tank, the Center for Strategic & International Studies, confirmed Tuesday it was under attack last week. “As with many research institutions we are constantly dealing with cyberattacks,” Andrew Schwartz, the institute’s senior vice president of external relations, said by email." End quote.
No wonder. If you do your homework on Vladimir Putin, for instance by reading the book Putin's Kleptocracy: Who Owns Russia, and study other open source intelligence, the picture becomes clear quickly.
Putin grew up in the KGB, and "once a spook, always a spook". The KGB's successor, the FSB, allows and supports Russian hackers in their criminal attacks on US institutions. As long as they do not hack inside Russia, they are left alone, and when Putin needs some "resources" to get a former USSR satellite state back in line, he makes a few phone calls and the next day energy plants are down, banks are DDoSed, and other infrastructure mysteriously fails.
Did you know that when Putin was stationed in Germany, his full-time job was stealing manufacturing and corporate confidential information from US companies so that Russian industry could use that intellectual property? If they had had phishing at their disposal, Putin would have been sending phishing emails out by the bushel.
So, what to do about it?
Not like this. A BuzzFeed headline stated: "Senate Staffers' First Ever Cybersecurity Training Was Embarrassingly Basic". The article went on:
“Don’t click on spear phishing emails” was the main message handed down to Senate staffers this week, who received a 20-minute online tutorial on online safety and security. It was the first-ever tutorial given to Senate staffers on online security, said several of those involved, but didn’t cover more than the basic premise “don’t be an idiot online.”
“There was nothing they taught us that I wouldn’t have already known from watching like, the evening news,” said one Senate aide, who spoke to BuzzFeed News on condition of anonymity, as they were not approved to speak about the tutorial to the press. “Watch out for fake emails from hackers, don’t click on malicious links, basically… don’t be an idiot online.”
That was a textbook example of old-school awareness training. That stuff just does not hack it anymore.
New School Security Awareness Training
You need to train all employees, from the mail room up to the board room, in the most common social engineering attack vectors, ideally all at the same time, to create a human firewall. But first do a baseline test to find out what the "Phish-prone" percentage of the organization really is. The result is often an unpleasant surprise, but it is a very effective way to free up budget.
Once the baseline test and the training are done, the third step is frequent simulated phishing attacks to keep employees on their toes, with security top of mind. Start by doing a free phishing test now and see what your phish-prone percentage is.
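To make the three steps above measurable, here is an added example (not KnowBe4's code, and not tied to any real platform's export format) that computes a phish-prone percentage from constructed simulated-phishing event records: a baseline campaign followed by two post-training campaigns. The event tuples, campaign names, users and departments are all made up for illustration.

```python
# Phish-prone percentage from simulated-phishing results (added example, not KnowBe4's code).
# Each constructed event is (campaign, user, department, action). Phish-prone % is the share
# of users who fell for the lure out of users who received it; a repeat clicker counts once.
from collections import defaultdict

FAILING_ACTIONS = {"clicked", "attachment_opened", "credentials_entered"}

# Constructed sample events: baseline test, then two follow-up campaigns after training.
EVENTS = [
    ("baseline", "alice", "finance", "delivered"),
    ("baseline", "alice", "finance", "clicked"),
    ("baseline", "alice", "finance", "credentials_entered"),
    ("baseline", "bob", "finance", "delivered"),
    ("baseline", "bob", "finance", "clicked"),
    ("baseline", "dave", "ops", "delivered"),
    ("baseline", "dave", "ops", "reported"),
    ("followup-1", "alice", "finance", "delivered"),
    ("followup-1", "alice", "finance", "reported"),
    ("followup-1", "bob", "finance", "delivered"),
    ("followup-1", "bob", "finance", "clicked"),
    ("followup-1", "dave", "ops", "delivered"),
    ("followup-2", "alice", "finance", "delivered"),
    ("followup-2", "bob", "finance", "delivered"),
    ("followup-2", "bob", "finance", "reported"),
    ("followup-2", "dave", "ops", "delivered"),
    ("followup-2", "dave", "ops", "reported"),
]

def phish_prone(events, campaign, department=None):
    """Return (phish_prone_pct, report_pct) for one campaign, optionally one department."""
    delivered, failed, reported = set(), set(), set()
    for camp, user, dept, action in events:
        if camp != campaign or (department and dept != department):
            continue
        if action == "delivered":
            delivered.add(user)
        elif action in FAILING_ACTIONS:
            failed.add(user)
        elif action == "reported":
            reported.add(user)
    if not delivered:
        return 0.0, 0.0
    # Only count users the lure actually reached; a user is either phish-prone or not.
    failed &= delivered
    reported &= delivered
    n = len(delivered)
    return round(100 * len(failed) / n, 1), round(100 * len(reported) / n, 1)

def trend(events, campaigns):
    """Phish-prone percentage per campaign, in order, to track progress against the baseline."""
    return [(c, phish_prone(events, c)[0]) for c in campaigns]
```

Running `trend(EVENTS, ["baseline", "followup-1", "followup-2"])` on the sample data shows the phish-prone percentage falling from the baseline while the report rate rises, which is the trend a working program should produce.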
Free Phishing Security Test
Did you know that 91% of successful data breaches started with a spear-phishing attack?
Cyber-attacks are rapidly getting more sophisticated. We help you train your employees to better manage the urgent IT security problems of social engineering, spear-phishing and ransomware attacks. Take the first step now. Did you know that KnowBe4 also supports "Vishing", where you can send your users simulated voice mail attacks?
PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser: