A Lesson In 'Executive Spear-Phishing'

Last week, CBC News reported interesting new details about recent cyber attacks against the Canadian government. The apparently unprecedented intrusions, first detected in January, were largely downplayed by government officials. But sources told CBC the attackers accessed highly classified information in key defense and treasury offices.

According to CBC:

The hackers apparently managed to take control of computers in the offices of senior government executives as part of a scheme to steal the key passwords that unlock entire government data systems.

The report details how the "executive spear-phishing" worked. Basically, the hackers, reportedly using servers in China, gained control of a number of government computers that belonged to top Canadian officials, allowing them to send e-mail to department IT staff. Posing as the executives, the hackers duped technicians into providing passwords to government networks. The hackers also sent memos, as attachments, to other staff; when opened, the attachments unleashed viral programs on the network. The programs then sent specific information back to the hackers over the Internet.

There are a lot of lessons to be drawn from what the IT blog Naked Security called "The great Canadian information heist" in a post yesterday. The chief one is that organizations that store sensitive information must have layers of safety nets.

As blogger Rami Jebara writes, "At no point should it be acceptable to send sensitive information over something like e-mail that can be easily spoofed."