A hack on the Defence Information Systems Agency (DISA), responsible for US military comms including calls made by President Trump, exposed the personal data of about 200,000 people, it was announced last week.
The agency has played down the severity of the attack, stating that the information stolen wasn’t “sensitive”, but director of strategic threat at cyber security firm Darktrace and ex-CIA officer, Marcus Fowler, says that this kind of information can be invaluable for nation states plotting further attacks.
“I think they often undervalue the importance of the information they share. As an intelligence officer, every bit of intel from any variety of places can be used to target individuals, organisations, any number of things,” says Fowler.
For this reason, he cringes every time he hears companies or organisations deploying the ‘lack of sensitivity’ get-out card to diminish a hack.
This kind of information can be vital in building a broader social engineering attack. Attackers might match up names on this list with information that has leaked before. For example, they could cross-reference the list against data leaked in the 2017 Equifax breach and single out the individuals with low credit scores, who may be more susceptible to financial inducement.
This might be combined with information scraped from the social media environments of the target or their associates.
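The cross-referencing described above, as an added example that is not part of the original article or any DISA or Darktrace code. All records are constructed, the field names are assumptions, and the credit-score threshold is an arbitrary cut-off. The same linkage an attacker performs to build a target list is what a defender runs after a breach to work out which of the exposed people now have compounded exposure and should be warned and hardened first.

```python
"""Link a newly leaked roster against records from an earlier breach.

Added example with constructed data; not code from the article, DISA or
Darktrace. Names are matched after folding case, accents and punctuation,
and records are blocked on (first, last, city) so that same-name people in
different cities are not linked.
"""
import re
import unicodedata


def normalise(text: str) -> str:
    """Fold accents, case and punctuation: "Séan O'Brien" -> "sean obrien"."""
    text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    text = re.sub(r"[^a-z0-9 ]", "", text.lower())
    return " ".join(text.split())


def name_key(full_name: str) -> tuple[str, str]:
    """(first, last) from either "Last, First" or "First [Middle] Last"."""
    if "," in full_name:
        last, first = [p.strip() for p in full_name.split(",", 1)]
    else:
        parts = full_name.split()
        first, last = parts[0], parts[-1]
    return normalise(first), normalise(last)


# Constructed: the newly leaked roster (invented people and places).
ROSTER = [
    {"name": "Jane Q. Doe", "city": "Fort Meade", "role": "contractor"},
    {"name": "Doe, John", "city": "Arlington", "role": "civilian"},
    {"name": "Séan O'Brien", "city": "San Antonio", "role": "military"},
    {"name": "Maria Garcia", "city": "Dayton", "role": "civilian"},
]

# Constructed: records modelled on an earlier consumer-data breach.
# The last entry shares a name but not a city, so it must not link.
PRIOR_LEAK = [
    {"name": "jane doe", "city": "fort meade", "dob": "1985-03-02", "credit_score": 590},
    {"name": "JOHN DOE", "city": "Arlington", "dob": "1979-11-17", "credit_score": 740},
    {"name": "Sean OBrien", "city": "San Antonio", "dob": "1990-07-30", "credit_score": 560},
    {"name": "Maria Garcia", "city": "Austin", "dob": "1988-01-09", "credit_score": 610},
]


def block_key(rec: dict) -> tuple[tuple[str, str], str]:
    """Blocking key: normalised (first, last) plus normalised city."""
    return name_key(rec["name"]), normalise(rec["city"])


def link(roster: list[dict], prior: list[dict], score_threshold: int = 620) -> list[dict]:
    """Return roster entries that also appear in the prior leak.

    Indexing the prior leak by blocking key keeps this linear rather than
    comparing every pair. score_threshold is an assumed cut-off marking the
    people an attacker would likely prioritise for a financial approach.
    """
    index: dict = {}
    for rec in prior:
        index.setdefault(block_key(rec), []).append(rec)
    matches = []
    for person in roster:
        for hit in index.get(block_key(person), []):
            matches.append({
                "name": person["name"],
                "role": person["role"],
                "dob": hit["dob"],
                "credit_score": hit["credit_score"],
                "priority": hit["credit_score"] < score_threshold,
            })
    return matches


def compounded_exposure(roster: list[dict], prior: list[dict]) -> list[str]:
    """Names that are linked AND fall under the score threshold, sorted."""
    return sorted(m["name"] for m in link(roster, prior) if m["priority"])


if __name__ == "__main__":
    for match in link(ROSTER, PRIOR_LEAK):
        print(match)
    print("warn first:", compounded_exposure(ROSTER, PRIOR_LEAK))
```

Three of the four roster entries link despite different name formatting; Maria Garcia does not, because the city differs. In a real assessment the prior-breach side would be a far larger dataset and the blocking key would need to tolerate moves and name changes, which is exactly where an attacker with patience gains on a defender with a deadline.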
“Each of these individuals has concentric rings of circles around them that have varying degrees of security acumen and awareness,” points out Fowler. “Targeting profiles for senior leaders can no doubt be incredibly robust and complex – trying to get them through family members or other avenues.”
DISA itself has around 8,000 military and civilian employees, but the breach also affected many others whose data the agency handles.
Unlike credit card details, this data cannot be directly monetised. That matters to cyber criminals, but not to nation state actors. “This data still has value, or the attacker wouldn’t have sat there for two months and taken it,” says Fowler.
DISA hasn’t shared details about how the hack was carried out, but Fowler says his immediate suspicion would be some kind of spear-phishing campaign. “Somebody clicked on the link. Something wasn’t patched. It was able to get down.”
The Department of Defense would not confirm to the BBC whether or not it was aware of who was responsible for the attacks. Generally, for government agencies, the assumption would be a nation state attacker. But Fowler speculates it’s also possible that a cyber criminal came upon the vulnerability and spotted an opportunity to sell the data.
“One thing that will be interesting is where does this data show up? If you find it on the dark web for sale, then it was probably cyber criminals. If we never see it again in its full package, then I would say nation state and that it’s being used for some larger targeting event.”
The intrusion persisted for two months, between May and July 2019, which suggests DISA lacked visibility into, or understanding of, its own digital environment. “Someone should have observed that – that is an observable anomaly change within that environment,” says Fowler.
Fowler believes that DISA falls into the same category as other government institutions whose cyber security strategy is heavily threat-centric, at the expense of closely monitoring their internal environment. “That works from a counterterrorism standpoint, but from a cyber security standpoint, it’s actually not the best approach in terms of how you should be thinking about your cyber security,” says Fowler.
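What “an observable anomaly change within that environment” looks like in practice, as an added example that is not part of the article and not DISA’s or Darktrace’s code. The log lines are constructed, the record format (date, host, destination, bytes out) is an assumption standing in for NetFlow or proxy records, and the baseline window and thresholds are arbitrary. The point it shows is the internal-monitoring approach Fowler contrasts with threat-centric defence: each host is compared with its own history rather than with a list of known indicators, so a host that quietly exports thirty times its usual volume to a new destination for weeks stands out without anyone knowing the attacker in advance.

```python
"""Flag sustained, out-of-baseline egress per host from daily volumes.

Added example on constructed data; not code from the article, DISA or
Darktrace. Baseline per host = its first baseline_days of history (assumed
clean). A day is anomalous when its robust z-score (median / MAD) exceeds
z_threshold, and a host is reported only when that persists for min_run
consecutive days, which suppresses one-off spikes such as a backup.
"""
import re
import statistics
from collections import defaultdict
from datetime import date

# Assumed, constructed record layout.
LINE = re.compile(
    r"(?P<day>\d{4}-\d{2}-\d{2}) host=(?P<host>\S+) dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)"
)


def make_log() -> list[str]:
    """Constructed: 20 days of flows. ws-01 stays normal; from day 11 ws-02
    starts sending ~45 MB/day to a never-seen destination on top of its usual
    traffic. Addresses are from the TEST-NET documentation ranges."""
    lines = []
    for d in range(1, 21):
        day = date(2019, 5, d).isoformat()
        lines.append(f"{day} host=ws-01 dst=198.51.100.5 bytes_out={2_000_000 + (d % 3) * 150_000}")
        lines.append(f"{day} host=ws-02 dst=198.51.100.5 bytes_out={1_500_000 + (d % 4) * 100_000}")
        if d >= 11:
            lines.append(f"{day} host=ws-02 dst=203.0.113.77 bytes_out={45_000_000 + d * 250_000}")
    return lines


def daily_egress(lines: list[str]):
    """Aggregate to {host: {day: bytes}} and {host: {day: {dst, ...}}}."""
    per_day = defaultdict(lambda: defaultdict(int))
    dsts = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = LINE.match(line)
        if not m:  # unparseable line: skip rather than crash the pipeline
            continue
        per_day[m["host"]][m["day"]] += int(m["bytes"])
        dsts[m["host"]][m["day"]].add(m["dst"])
    return per_day, dsts


def robust_z(value: float, baseline: list[float]) -> float:
    """z-score using median and MAD so a single big baseline day can't hide the signal."""
    med = statistics.median(baseline)
    mad = statistics.median(abs(x - med) for x in baseline) or 1.0
    return 0.6745 * (value - med) / mad  # MAD scaled to approximate one sigma


def find_sustained_anomalies(lines, baseline_days=7, z_threshold=6.0, min_run=3):
    """Return {host: (first_anomalous_day, run_length, new_destinations)}.

    new_destinations are addresses the host never talked to during its
    baseline window but did during the anomalous run.
    """
    per_day, dsts = daily_egress(lines)
    findings = {}
    for host, days in per_day.items():
        ordered = sorted(days)
        base = [days[d] for d in ordered[:baseline_days]]
        known_dst = set().union(*(dsts[host][d] for d in ordered[:baseline_days]))
        run, first = 0, None
        for d in ordered[baseline_days:]:
            if robust_z(days[d], base) > z_threshold:
                run += 1
                first = first or d
                if run >= min_run:
                    in_run = (dsts[host][x] for x in ordered if x >= first)
                    findings[host] = (first, run, sorted(set().union(*in_run) - known_dst))
            else:
                run, first = 0, None
    return findings


if __name__ == "__main__":
    for host, (first, run, new_dst) in find_sustained_anomalies(make_log()).items():
        print(f"{host}: elevated egress for {run} days from {first}; new destinations {new_dst}")
```

On the constructed log only ws-02 is reported, from 2019-05-11, with 203.0.113.77 as the new destination. The seven-day baseline assumes the host was clean when monitoring began; in a real deployment the baseline should be recomputed on a rolling window that excludes already-flagged days, otherwise a slow exfiltration that starts before the window closes becomes the new normal.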