After White House Hack, State Incidentally Offered Spearphishing Training

After a White House hack that reportedly was instigated by a malicious email from a compromised State Department account, State in March held a phishing email workshop. All federal security employees were invited to participate in the 90-minute online training session. But no one from the White House watched. 

Attackers, allegedly from Russia, breached State's unclassified email system last fall and used it as a launching pad to mount a targeted "spearphishing" attack on the White House's unclassified network. 

The session last month was part of yearly State-run training series, Cybersecurity Online Learning, which is open to security personnel at all levels of government. 

For months, State has struggled to squelch suspicious activity on its networks, despite periodic shutdowns of email for maintenance and a massive endeavor to re-issue credentials, according to officials. The White House maintains the intruders did not breach classified material, but CNN reports they had access to sensitive data such as confidential updates on President Barack Obama's schedule.

The online cyber training course, which took place the morning of March 19, taught employees to be careful about the personal and professional information they post on social media. Such details often become fodder for tailored emails that look like they come from an acquaintance who knows the victim's colleagues or family members.

This tactic to gain trust, called social engineering, was the topic of the lecture. One of the subjects covered, according to State's website, was "organizational risk to social engineering through email and social media." 

"No one at the White House took the course," White House deputy press secretary Shawn Turner told Nextgov.

It is unclear whether the workshop was planned before or after the fall 2014 breaches.

A State official said all department employees complete mandatory annual cybersecurity training and that the Bureau of Diplomatic Security offered the March 19 governmentwide class as a supplement.  

“This training was designed primarily for domestic and overseas Department of State security personnel, as well as security professionals from other federal, state and local government entities,” the official said in an email late Thursday night. “We would caution against drawing conclusions from the content of these training courses about any particular cyber incident.”

According to a new CyberEdge research survey of 19 sectors, including government, spearphishing is the biggest concern to IT security professionals, more worrisome than even malware. And only 20 percent of officials expressed confidence their organizations have invested enough in educating employees how to avoid falling for phishing attacks.

(Image via Mark Van Scyoc/ Shutterstock.com)