DHS Alerted Agencies to Malicious Email Attacks Days After Joint Staff Hack

The Department of Homeland Security's U.S. Computer Emergency Readiness Team warned agencies about targeted malicious emails, days after government officials reportedly detected that spearphishing was used to penetrate an unclassified Joint Staff network.

A threat analyst who helped establish US-CERT criticized the alert's paucity of information on what infected computer systems look like.

DHS would not comment on whether there is any relationship between the advisory for federal offices and private companies and the apparent military data breach. A DHS spokesman said Friday he had no comment regarding the Joint Staff incident, in general. 

FBI officials, as of Friday late afternoon, had no information to offer about the Joint Staff situation.

The warning said some of the spearphishing emails are tailored to copy sensitive government and business information. Others can roil an organization's entire network. 

"US-CERT is aware of three phishing campaigns targeting U.S. government agencies and private organizations across multiple sectors," DHS officials said in the notice, which posted Aug.1. "Most of the websites involved are legitimate corporate or organizational sites that were compromised" by the attackers. 

Over the past two months, there have been reports of "multiple, ongoing and likely evolving" attacks that unfold when an employee clicks a link to a website in the email, according to US-CERT.

An intrusion into an unclassified Joint Chiefs of Staff email system was identified around July 25, according to The Washington Post. 

The DHS notification does not describe the fake websites or list "indicators" -- like IP addresses or specific malware behaviors -- that could be used to flag threats before intruders infiltrate deeply, said Patrick Belcher, one of the original analysts at US-CERT who now serves as a director at security firm Invincea.

According to the DHS alert, danger unfolds when an employee receives an apparently legitimate email from a trusted contact, but the message is actually from a hacker and baits the worker to click on the link. The user sees a webpage that looks like a normal agency or business website that actually has been hijacked by the attackers. 

Employees whose computers are infected "act as an entry point for attackers to spread throughout an organization’s entire enterprise, steal sensitive business or personal information, or disrupt business operations," the advisory states.

Two of the legit-looking sites breach a system by creeping in through a security vulnerability in Adobe's Flash software, according to US-CERT. The other seemingly authentic site does damage by downloading a file that triggers malicious code, officials said. 

"The US-CERT alert is a perfect example why information sharing to and from the federal government can be largely ineffective," Belcher said. "US-CERT only painted broad threats about links in emails, without providing any specific indicators of compromise."

Invincea researchers have spotted a couple of spearphishing campaigns over the past two weeks. 

"First was a weaponized document that beaconed to Russia," Belcher said. An attachment in the email runs a file that can "monitor for the use of USB thumb drives." The other attack, which also was traced back to Russia, seems to be on the lookout for banking information and is not zeroing in on government agencies, he said. 

There is no evidence of a link between these tainted emails and the spearphishing campaign that seems to have hit the Joint Staff, Belcher said.

Pentagon officials deferred to Homeland Security for comment on the US-CERT alert. 

Some open source intelligence experts say allegations of Russian involvement in the reported hack seem logical considering military tensions between that country and the United States.

"U.S. and EU sanctions in response to Russian incursions into the Crimea is cause for relations between Russia and the West to be at all-time lows since the Cold War," said Rich Barger, chief intelligence officer at cyber analytics firm ThreatConnect. "The Pentagon would be an obvious target for a variety of nation-states. Russian [advanced persistent threat] groups, in particular, leverage advanced malware and surreptitious techniques to conduct network exploitation."

On Friday afternoon, Defense spokeswoman Lt. Col. Valerie Henderson confirmed that recent cybersecurity threats have affected the Joint Staff, but would not comment on the effects or origins of those incidents. 

Speaking broadly about information sharing, Henderson told Nextgov the department relies on a joint effort with Pentagon contractors, called the Defense Industrial Base Cybersecurity and Information Assurance Program, "to share unclassified and classified cyberthreat information with DIB participants."

She added that a new cybersecurity strategy unveiled by Defense Secretary Ash Carter in April emphasizes that "we work closely with the Department of Homeland Security and other partners to engage the private sector to prevent and/or mitigate cyber risks."

Henderson on Friday said Joint Staff unclassified networks for all users are still down.

"We continue to identify and mitigate cybersecurity risks across our networks," Pentagon officials said in a statement last week. "With those goals in mind, we have taken the Joint Staff network down and continue to investigate." 

Officials aim to restore access as soon as possible. 

(Image via Finchen/ Shutterstock.com)