Threatwatch

White House staffers personal Gmail hacked

Spearphishing; Stolen credentials; User accounts compromised

Three White House staffers had their personal webmail accounts breached in what appears to be a malicious operation directed at the team responsible for the Obama administration's social media outreach.

The penetrated accounts have been sending other White House digital media employees bogus emails containing fraudulent links that can extract their personal email logins and Twitter credentials. More than a dozen current and former staffers were targeted, the individuals said. The scheme was ongoing as of Sunday night. 

The Twitter piece of the scam scam could be aimed at spreading misinformation through seemingly-official channels to citizens.

The “phishing” links -- labeled to look like legitimate BBC or CNN articles -- direct users to an authentic-looking Gmail or Twitter login screen to access the news content. At this point, the users have unwittingly been rerouted to fake login forms that enable hackers to capture their sign-on information. 

White House social media employees might be relatively easy game within the administration, since their role is to make the executive branch more open to the public. "I imagine that the names and email addresses of people at the White House in digital media or anything related to media are easy to find since their job involves public access. A list of targets would be created from open sources and that's who the phishing email would be delivered to," said Jeffrey Carr, a cybersecurity analyst with consultancy Taia Global.

The objective for harvesting Gmail account information might be to capture administration-related email messages and contacts, he speculated.

The Presidential Records Act bars work communication outside of official email accounts. However, a 2012 House committee report showed that former White House Deputy Chief of Staff Jim Messina used his personal email account to conduct official business involving a deal between the pharmaceutical industry and the Senate Finance Committee. And in 2010, the Washington Post reported that administration officials reprimanded then White House Deputy Chief Technology Officer Andrew McLaughlin, a former Google official, after document requests revealed technology policy-related emails from Google employees in his personal Gmail account.

As for the purpose of cribbing Twitter IDs: This spring, a hacked Associated Press Twitter account informed the public that explosions at the White House had harmed the president. The Dow tumbled in response. 

The actual Web address hiding beneath the genuine-looking news links bears the markings of an apparent Islamic activist dubbed SeRDaR, according to cyber forensics firm CrowdStrike. 

The actor is tied to an organization called 1923Turk-Grup, an allusion to the year before Turkey's secularist founder Mustafa Kemal Ataturk dissolved the centuries-old Islamic state.

On 7/29/13, another Islamic group, the pro-regime Syrian Electronic Army, breached Thomson Reuters' Twitter account to blast political cartoons supportive of Syrian President Bashar Assad. 

"Given some of the tactics, techniques and practices of groups like Syrian Electronic Army it would not be out of character for a hacktivist group from Turkey to be targeting" White House communications, under aliases "pointing to potential Islamic ideology driven agenda,"  CrowdStrike Vice President of Intelligence Adam Meyers said. CrowdStrike also employs former FBI top cyber cop Shawn Henry and Dmitri Alperovitch, an investigator who uncovered several allegedly Chinese-sponsored cyberespionage operations.

The researchers traced the malicious link to an IP address -- the unique code for each device on the Internet -- for a webpage that SeRDaR is suspected of defacing in the past. 

sector

Government (U.S.); Social Media; Web Services

reported

July 29, 2013

reported by

Nextgov

number affected

Three

location of breach

Unknown

perpetrators

Unknown

location of perpetrators

Unknown

date breach occurred

July 2013

date breach detected

July 2013