U.S. Employees Are Weakest Link In America’s Cybersecurity

The Chinese People’s Liberation Army knows this vulnerability and attacks American employees every day to steal trade secrets and gain commercial advantage for state-controlled businesses.

Gu Chunhui

Criminal hackers can cause tremendous damage, whether trained in China or not. If a high level expert, such as any member of China’s elite Unit 61398, aka Comment Crew, gets into your system, they can seize root control, and own it. They can then plant virtually undetectable back doors into your systems. This allows them to later come and go as they please.

A member of the Comment Crew could be in your computer system right now and you would not know it. For instance, Gu Chunhui, who often goes under the online alias, Kandy Goo, and is a high ranking military officer of Unit 61398, could be looking at your computer screen now. Captain Goo could be running programs in the background without your knowledge. Or he could be reading your email. He would be looking for some information of value to his country, or of value to any of the thousands of businesses controlled by the Chinese government. Captain Goo may have a cute Internet name, and look more like a movie star in a martial arts film than an army man, but do not be fooled. Do not underestimate his considerable computer skills and strong patriotic intent. Yes. Breaking into your computer systems and stealing data is a matter of patriotic duty for him and other hackers trained by the government of communist China.

Unit 61398 of the Third Department of the Chinese People’s Liberation Army is reported to be the best of the best in China. Gu Chunhui is a determined military officer. Although DOJ documents show that Gu, like everybody else in Shanghai where he is stationed, takes a two hour break every day for lunch, he still works hard the rest of the day to break into your computer system and steal your data (and your clients’). He and others in Unit 61398 are armed and dangerous. They have both viruses and guns. They should not be taken for granted. All of the Unit 61398 Comment Crew, including Captain Goo, are very good at what they do. I am worried; you should be too.

Do not get me wrong. The Chinese do not have a monopoly on black hat hacking. The whole idea was born in the United States. It could also just as easily be a criminal hacker from Russia, the Ukraine, Poland, the U.K., or Israel, who has taken control of your system. They could be from anywhere, although if they are after trade secrets, not money, it is probably one of the thousands of hackers who work for the Chinese government. It could even be one of the five officers in Unit 61398 in Shanghai that were indicted by the DOJ this week.


31 Count Criminal Indictment Against Five Military Officers of Unit 61398 of the Third Department of the Chinese People’s Liberation Army

Five military officers of Unit 61398, including Gu Chunhui, are alleged to have stolen commercial trade secrets from Alcoa, Westinghouse, Allegheny Technologies, SolarWorld, U.S. Steel, and the United Steelworkers Union. It is especially notable to those of us in the legal profession that the secrets allegedly stolen include highly confidential attorney-client communications. See the 31 count indictment against five Chinese military officers for details. The chart below provides a high level overview. Every count is against all five officers.

Count(s) | Charge | Statute | Maximum penalty
1 | Conspiring to commit computer fraud and abuse | 18 U.S.C. § 1030(b) | 10 years
2-9 | Accessing (or attempting to access) a protected computer without authorization to obtain information for the purpose of commercial advantage and private financial gain | 18 U.S.C. §§ 1030(a)(2)(C), 1030(c)(2)(B)(i)-(iii), and 2 | 5 years (each count)
10-23 | Transmitting a program, information, code, or command with the intent to cause damage to protected computers | 18 U.S.C. §§ 1030(a)(5)(A), 1030(c)(4)(B), and 2 | 10 years (each count)
24-29 | Aggravated identity theft | 18 U.S.C. §§ 1028A(a)(1), (b), (c)(4), and 2 | 2 years (mandatory consecutive)
30 | Economic espionage | 18 U.S.C. §§ 1831(a)(2), (a)(4), and 2 | 15 years
31 | Trade secret theft | 18 U.S.C. §§ 1832(a)(2), (a)(4), and 2 | 10 years

Hacker Threat

Criminal hackers from any country, including our own, can pick and steal whatever data you have, whenever they want, and they can do so without your knowledge. All they have to do is get inside your systems. Once in, they can also use your computer to do whatever they want, including launch attacks on other computer systems. Does your computer system seem to be running slow? That might explain why. It could be someone in Unit 61398 in Shanghai or a criminal down the street.

Once in, the criminal hacker can also spy on you and take photographs and videos of you without your knowledge. They can even record and report back every keystroke that you make. They can then later search and steal all of your account usernames and passwords, even if you took the precaution of never writing them down. They will watch you enter them. In a short period of time a skilled criminal hacker can access all of your online accounts.

Have you ever seen your cursor move on its own? Have you ever seen your camera light come on, seemingly on its own? Is your computer sometimes sluggish for no apparent reason? A criminal hacker could be running your machine right now. When was the last time you updated your virus protection? It at least provides some protection from known attack malware. What, you do not have any virus protection? No firewall? You might as well put a Hackers Welcome sign up on the Internet. We are all under near constant cyber attack. Maybe not from the Chinese military elite, who are only after people with data that can help their country, but from all kinds of cyber criminals big and small.

These crackers pose a serious threat to all computer users. Obviously we want to make it as difficult as possible for criminal hackers to break into your computers. There are many sophisticated technological defenses to help you defend your systems. They can make intrusion very difficult, and at least compartmentalize and limit the damage that can be caused when it happens. Virus detection software is just one link in a chain of cyber defenses available. Unfortunately, a chain of defenses is only as good as its weakest link. The bad news is, human computer users are the weakest link.

Employees Are The Weakest Link

Most cybersecurity experts agree that the weakest link in every organization’s cybersecurity systems is its own employees. See, e.g., Jordan Robertson, Chinese Hackers Show Humans Are Weakest Security Link (Bloomberg News, May 19, 2014). All it takes is one naive untrained employee to let a hacker into a computer system. According to Dmitri Alperovitch of CrowdStrike Inc., a cybersecurity consulting firm, they have found that between 5% and 10% of employees will click on almost any email. Alleged Chinese Hacking: Alcoa Breach Relied on Simple Phishing Scam (WSJ, May 19, 2014). That’s very dangerous because once a hacker gets in, your secrets go out. Once they get in, it is a matter of damage control, detection, and eradication.

The answer is training of all employees as to the danger of hacking, not just a few specialists in charge of IT systems. For instance, it is just as important to train a lawyer’s assistant as it is the lawyer, perhaps even more so. I agree completely with the Bloomberg article where Robertson states:

Some of the main targets are personal assistants, who play a central role inside companies and are targeted because they often have access to executives’ calendars, contact lists and e-mail accounts, according to Kevin Haley, director of Symantec Corp.’s Security Response team. The other type of workers targeted most often are public-relations professionals, whose names and e-mail addresses are easy to harvest from public Web pages. They’re also accustomed to hearing from people they don’t already know, Haley said. … Support staff are particularly vulnerable because many companies overlook them as cybersecurity risks and don’t spend enough time on training, Haley said. One of the most successful techniques for teaching employees of all levels about hacking risks is deploying mock spearphishing campaigns with the help of outside firms, he said.

The charges against the Chinese military officers should prompt more U.S. firms to work with the government and share information about hacking incidents, Alperovitch said.

Employee education is also key. Riptide IO Inc., a Santa Barbara, California-based firm that helps companies manage data from their buildings, issues frequent warnings about not putting passwords in e-mail and other basic cybersecurity measures to ensure that every employee — including support staff — is aware of hacking risks, CEO Mike Franco said. “Everybody has to realize that exposure does come from people, not technology,” Franco said. “You can’t stop this kind of intrusion with good technology. You have to do it with learning and education and attitude changes and awareness.”

If an employee is allowed to use a computer, and they are allowed anywhere on your network, then they must be trained in the basics of cybersecurity, including social engineering and phishing. The training should be especially intensive for personal assistants, receptionists, and marketing, but should include everyone, including the top brass. Otherwise, your employees will be easily tricked into letting a hacker into your systems.

Armies of Chinese Hackers

Any army officer in China with training in the basics of criminal hacking, including social engineering, can fool many naive Americans untrained in cyber defenses. They can do so with just one clever email. They do it every day. They have been doing it for years. See, e.g., Suspected Chinese spear-phishing attacks continue to hit Gmail users. They do it against our government employees to steal state and military secrets, or at least try to. They also do it every day against U.S. corporations, law firms, and unions to steal commercial trade secrets. Since our government and military employees are better trained in cybersecurity, and have better defensive infrastructure, hackers enjoy greater success against our commercial sector than they do against our military and government. It is easier to hack civilians.

Spying on our government and military, and spying on our corporations, or on us, on civilians: it is all the same thing to the Chinese. They do not seem to understand the clear line, and so we are now forced to spell it out to them with criminal indictments. You do not attack civilian targets without consequences, including criminal indictments. The FBI and DOJ have promised that this is just the beginning, not just a warning shot. In the words of FBI Director James Comey:

For too long, the Chinese government has blatantly sought to use cyber espionage to obtain economic advantage for its state-owned industries … The indictment announced today is an important step. But there are many more victims, and there is much more to be done. With our unique criminal and national security authorities, we will continue to use all legal tools at our disposal to counter cyber espionage from all sources.

I hope our government is now serious about protecting us from criminal hackers who would take over our home and business computers and steal our data. But we should not depend on the government to protect us. I for one am suspicious of our government anyway. I am suspicious of any government. So too is the U.S. Constitution. It is designed to protect us from big government. We should not wait for government regulations. We must take the initiative now. We the people must be proactive in protecting ourselves. That includes especially all American businesses, trade unions, and law firms that represent any companies that compete against businesses in China. All organizations that hold confidential computer data should take action now to protect themselves from hackers of all nationalities.

Phishing Attacks

A careless mistake by just one employee opening an email attachment from one hacker can open the door to an entire army of hackers. The attachment sent by hackers is actually a small software program designed to take over your computer system. It is a virus. Often all that needs to happen is for the attachment to be downloaded onto the employee’s computer. You do not even have to open it. It is self-executing. All your gullible employee has to do is click on it once to download it, and then you are screwed.

It will probably look like nothing happened, even if you click on it again to run it. But in actuality, the attachment will automatically start to run as soon as it is downloaded onto your computer. It is usually a compressed file and so it first unpacks, and then automatically executes one or more of its many programs, all without any visible sign. The programs, viruses all, then automatically spread out and take control of as many parts of the computer network as possible.

The viruses exploit defects in your operating system software and firewalls. Hackers often discover mistakes in coding before the program manufacturers do. That is why so many of these viruses are nearly impossible to detect or prevent.

The viruses now living in your computer system after download will probably begin their life there by changing their identity, their hashed signatures, to one that is unique to your system. The file names will even change. They then become invisible to virus detection.

The use of emails with virus attachments is one variant of one type of hack attack known as Phishing. As Wikipedia defines it:

Phishing is the act of attempting to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, banks, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing emails may contain links to websites that are infected with malware. … Phishing is an example of social engineering techniques used to deceive users, and exploits the poor usability of current web security technologies.

The kind of phishing I have described here only requires you to trust the sender of an email enough to open an attachment. You do not have to go to any other Internet web page or fill out any forms. That still goes on, of course, but is somewhat old school, kind of like the Nigerian government official or Irish Lottery. The more modern email attachment approach is the kind of phishing attack used by Unit 61398 to steal industrial secrets from both Alcoa and U.S. Steel from 2006 to 2014. I will spell out the details of how they pulled it off in part two of this blog.

Phishing in general is one of the easiest types of cyber attacks to launch. The alarming truth is that since most employees today are so ill informed about cybersecurity, and thus so vulnerable to social engineering tactics like phishing, any bright, but terribly misguided, teenager today could probably pull it off. It is a mere script kiddie maneuver, and, if you did not have your own army, you could easily hire a hacker online to do it for you. Even though relatively easy, phishing is still very effective. It is part of every criminal hacker group’s arsenal, and, as we now know from this week’s DOJ indictment, it is also used by Unit 61398 of the Third Department of the Chinese People’s Liberation Army.

DOJ Allegations of a Simple Phishing Expedition that Was Able to Hack Trade Secrets from both Alcoa and U.S. Steel

The recent DOJ indictment proves the point that employees are the weakest link in cybersecurity, that they are easy victims of simple spearphishing hacks. Here are the introductory allegations in paragraph 6.f.:

6.f. In or about 2008, Alcoa Incorporated (“Alcoa”), an aluminum manufacturer whose principal office is located in the Western District of Pennsylvania, announced a partnership with a Chinese state-owned aluminum company to acquire a stake in another foreign mining company. Approximately three weeks later, Defendant SUN targeted senior Alcoa managers with spearphishing messages designed to trick the recipients into providing SUN with access to the company’s computers.

The specific allegations on this hack attack begin at paragraph 41. Defendant Sun Kailiang, who uses the alias “Jack Sun,” shown right in his full military uniform, is alleged to have performed a directed phishing attack (“spearphishing”) against select employees of Alcoa and U.S. Steel:

41. Spearphishing activity targeted Alcoa including near in time to significant events in its business relationship with SOE-3. For example, on or about February 20, 2008, about three weeks after Alcoa announced the partnership with SOE-3, Defendant SUN targeted Alcoa with a spearphishing campaign. Specifically, Defendant SUN sent e-mails to approximately 19 senior Alcoa employees, at least some of whom were located in the Western District of Pennsylvania, using an account designed to impersonate a member of Alcoa’s Board of Directors. In all but one of the e-mails, Defendant SUN attached a file disguised as an agenda for Alcoa’s annual shareholders meeting, which, once opened, would install malware on the recipients’ computers.

42. Thereafter, in or about June 2008, unidentified individuals stole at least 2,907 e-mail messages along with approximately 863 attachments from Alcoa’s computers, including internal messages among Alcoa senior managers discussing the foregoing acquisition. . . .

44. In furtherance of the conspiracy and to achieve the objects thereof, the conspirators committed the following overt acts, among others, in the Western District of Pennsylvania and elsewhere:

a. On or about April 18, 2006, Defendant SUN created e-mail account c********8@yahoo.com.

b. On or about July 17, 2006, Defendant SUN created domain account j*****r at a domain provider in the United States.

c. On or about December 12, 2006, Defendant WEN sent Defendant WANG two executable files containing tools that would be useful for intrusions.

d. On or about July 12, 2007, Defendant GU designed and tested a spearphishing message.

e. On or about February 20, 2008, Defendant SUN created an e-mail account using the misspelled name of a person with the initials C.G., who was then a member of Alcoa’s Board of Directors (the “C. G. Spearphishing Account”).

f. On or about February 20, 2008, Defendant SUN, using the C.G. Spearphishing Account, transmitted e-mail messages with a file named “agenda.zip,” which contained malware, to approximately 19 Alcoa employees.

That is a pretty detailed description of how a spearphishing cyber attack works. Captain Jack was just doing his job as a military hacker, just following orders to steal secrets from U.S. corporations so that the Chinese government can give their state sponsored businesses an unfair advantage. A little research shows that the member of Alcoa’s Board that Jack Sun pretended to be was a brand new board member, a business celebrity at that, and one who has an oddly spelled name, Carlos Ghosn. Jack Sun did his social engineering background work very well. Ghosn was the perfect new guy to impersonate. All they had to do was trick one naive Alcoa employee to click on a mail attachment that supposedly came from Ghosn, or was it Ghosen? Oh well, he’s the new boss, so we had better click on the agenda attachments that he sent to us. And that they did. The DOJ indictment does not reveal how many were so tricked, but it only takes one.

The indictment also describes another successful spearphishing campaign against U.S. Steel, but with fewer details. All we know is the counterfeit email with malware attachment supposedly came from the CEO. Jack Sun sent the email to twenty U.S. Steel employees, and at least one of them fell for it and opened the virus ridden attachment. Who has the guts to ignore a direct request from the CEO? Very clever again, Captain Jack. What happened to Alcoa and U.S. Steel could have happened to any organization. A cybersecurity consulting firm, CrowdStrike Inc., has found that between 5% and 10% of employees will click on almost any email (Alleged Chinese Hacking: Alcoa Breach Relied on Simple Phishing Scam). This kind of statistic is ridiculous. Our employees really need to be trained not to be so gullible. Everyone needs basic cybersecurity training in today’s world. Even our senior military officers are vulnerable to tricky social engineering, as I will explain next. Most of the older CEOs and military officers are, like most of my generation, clueless when it comes to technology and the Internet. One has only to think of the recent scandal with David Petraeus, CIA Director and four-star general, whose unencrypted, sex-filled webmail showed he was carrying on an extramarital affair with his biographer.

Train All Employees in Cybersecurity, Including Especially Social Engineering Threats

The DOJ indictment does not specifically identify who was tricked by Sun, no doubt to avoid unnecessary public disclosure and embarrassment, but does say the phishing emails were sent to 19 senior Alcoa employees. I am willing to bet that included one or more administrative assistants to top officers of the corporation. They are the ones used to receiving emails like this pertaining to agenda items. They are also the ones most likely to open attachments for their boss. Maybe it went to some V.P.s, and they forwarded it to their assistants to deal with it. They did not want to be bothered with attachments and such. Or maybe their assistants screen all of their email for them. Believe it or not, this is still common on the senior level for people my age or older.

My email observations are based on very long experience with business email. Due to my peculiar background as a computer hobbyist and a lawyer, I have probably used business email longer than most everybody else still practicing in the legal world. Remember The Source and Compuserve? I used those for online communications when they were dial-up BBS systems in the early 1980s. That was way before the Internet was opened for non-academics. I remember when sending computer mail or text messages for communications with a client was considered very exotic. We would anxiously wait for confirmation that the message was received. I remember the same for faxes too, but that’s another story.

The observation on secretaries screening email for bosses is also in accord with the experience of Kevin Haley, director of Symantec Corp.’s Security Response team. As the previously cited Bloomberg article mentioned, personal assistants are a prime target because they have access to key information and are opening email attachments all day. This is one reason that Kevin Haley recommends that all employees be required to receive cybersecurity training. Training, especially in social engineering, should include the top brass too, the C-Suite.

This point was recently proven by one of the largest, ongoing social engineering cyber attacks yet discovered. This one was orchestrated by the Iranian government. The hack attack was discovered by a private cybersecurity consulting firm, iSight Partners. The Iranians were able to trick many leaders, including a four-star Admiral in the U.S. Navy. They did so over three years with an elaborate Facebook friending and fake newscaster scheme. Iranian hackers ‘friended’ four-star U.S. admiral on Facebook to steal data using social media espionage.

Can you believe it? One of our four-star Admirals was tricked by fake Facebook pages and friend requests into revealing secrets to the Iranians. Hey, fellow senior citizens, especially you generals and admirals – just say no! You don’t need online friends any more than you need sexy biographers. Take our national security more seriously than that. Our four star Admiral was not the only gullible victim in the Iranian online fraud attack. According to the Reuters report, hackers used 14 fake online personas to make connections with more than 2,000 people. Then the hackers targeted several hundred high-ranking individuals to get them to visit poisoned websites or open malware-ridden attachments. The top brass targeted included the famous admiral (identity not yet revealed), U.S. lawmakers, U.S. ambassadors, and personnel from several other countries.

Our fearless leaders are the biggest fish of all to target. Somebody should make them attend full cyber training. Congress is the only one with the power to do that. Perhaps they should pass a law requiring all military officers and high-ranking government officials to take basic cybersecurity training. Then they should be subject to random pentesting after that, as I will describe in more detail in my conclusion. I do not care about generals and admirals failing a drug test, or a sex test, but failing a pentest, well, that really worries me.

Law Firms Are Targets Too

Law firms are all run by lawyers about my age; great lawyers all, but most of them are quite naive when it comes to technology and cybersecurity. As Alan Brill of Kroll is known for saying, a popular cybersecurity myth in most corporations is that “we are not a target.” He “mostly hears it from victims” and “they are usually wrong.” Law firms are targets, just like every other organization in the world. Phishing aimed at lawyers has been nicknamed Shark Phishing, a tip of the hat to our evil reputation.

All lawyers are under constant attack, most likely by simple criminals, but you never know. In my world, several emails a week slip through my firm’s spam filter and I see urgent pleas for help. It is usually from people I do not know who seek my legal services for something or other. They may claim to be seeking help for payment of child support. Think of the hungry children that need your help! The emails are often personalized and mention my name in the body of the email. They may also claim to be owed money by a U.S. corporation, or otherwise need a lawyer to close on a deal or get a big inheritance. They may claim to come from a CEO of a foreign company or from another lawyer. Often the emails are accompanied by attachments that supposedly explain their problem.

I know that all lawyers everywhere get this kind of malware junk mail every day just like I do. They are very adept at fooling spam filters. I do not think twice. I mark as spam, delete, and move on. Sometimes I will read the pitch for my own perverse enjoyment. They can be very clever, in an evil sort of way. Look, if you wish, but do not click. Never, never open the attachments, or click on any links. And do not respond in any way. It may not be the now indicted Captain Jack doing his job as an industrial espionage hacker, but it certainly is not a real client. It is some kind of hacker crook after your money or your client’s secrets.

Once any lawyer takes the bait and responds to the email, or clicks on a link, an elaborate fraud starts. It usually results in either a bounced check to you, and loss of your money, or release of malware. Sometimes you will get both. You will not get a client any more than our four-star Admiral got a real Friend on Facebook. I have heard of several law firms losing hundreds of thousands of dollars in these scams. They usually involve their bank accounts. Sometimes the banks will reimburse them, but more and more lately, they will not. Yes, lawyers, sharks or not, can be quite gullible and fall for various social engineering fraud tricks just like everyone else.

Common Sense Advice on How to Avoid Phishing Frauds

The basic advice is really very simple. Never click on a link or download an attachment in an email unless you are absolutely sure that it is legitimate. The same goes for a text message or other kind of online communication. If you have any doubt at all, do not click it. Do not be a victim. Remember spoofing too. Just because an email is apparently from someone you know and trust, like your banker for instance, does not mean that it is legitimate. It is easy to copy logos and even set up fake websites. Inspect carefully the email address that an email is sent from. That will often reveal the fraud. But even if all looks legit, still resist the urge to click. Why, for instance, would your banker or broker send out an email like that?

Bottom line, never click on a link, or download an attachment, unless you have independently verified the identity of the person who claims to have sent you the message. You can do so through a telephone call, text message, or email. You cannot get a virus by calling your banker or broker or friend. Verify that they actually sent you the email with attachment or link. Like Reagan said, trust but verify.

Further, you should always make sure that your anti-malware software and anti-virus software is up to date. Even though your security software is not effective against the very latest malware programs, it can still catch many of the older known viruses out there. For a good source of information on all of this see the Anti-Phishing Working Group. APWG is, in its own words, “a global industry, law enforcement, and government coalition focused on unifying the global response to cyber crime through development of data resources, data standards and model response systems and protocols for private and public sectors.”

As a semi-humorous interlude, you also might want to click on this YouTube video on phishing.

Another useful article on how to avoid phishing attacks was written by Rebecca Greenfield in 2013: How to Avoid Getting Spear-Phished by China’s Hackers Who Cracked Apple. She came up with six common sense steps to avoid being a spearphishing victim.

Step 1: Understand the Difference Between Phishing and Spear-Phishing.

Phishing attacks are the more blatantly malicious. They are emails that pretend to come from big organizations, like your bank or broker. They are form emails from generic addresses and are sent to thousands of in-boxes. They are not custom designed, and instead rely on quantity. The bad guy hopes that a few out of thousands will be dumb enough to click a malicious link or download an infected file. Spear-phishing, on the other hand, targets a small group of specific users. As security firm Norton explains: “Spear phishing is an email that appears to be from an individual or business that you know. But it isn’t. It’s from the same criminal hackers who want your credit card and bank account numbers, passwords, and the financial information on your PC.” This is more fully explained with examples by ComputerWorld’s Gregg Keizer in a 2011 post. Spearphishing emails are designed to look like they come from colleagues or friends. They also tend to include personalized touches, which again Norton explains on its site:

The salutation on the email message is likely to be personalized: “Hi Bob” instead of “Dear Sir.” The email may make reference to a “mutual friend.” Or to a recent online purchase you’ve made. Because the email seems to come from someone you know, you may be less vigilant and give them the information they ask for.

Step 2: Check the Sender’s Full Email Address.

The full email address of the sender will often reveal that it does not exactly match the supposed sender. The cyber-security firm Mandiant used this example when describing another spear-phishing attack by the same Chinese “Comment Crew” back in 2012. In this attack the hackers tried to exploit the name of the CEO of Mandiant, Kevin Mandia.

Apart from the dubious “details click here” line in this email, it looks like a bona fide message from Mandiant’s CEO – kevin.mandia@rocketmail.com. But think about it. Why would the CEO of Mandiant, a major corporation in the security field, be using a Rocketmail account to discuss a press release? He wouldn’t. Still, some who know him might think he had a new personal email account and was using it instead of the corporate account for some reason. You should not click on anything in that email until you have first checked with Kevin.

Step 3: Remember That Hackers Can Email Back, Too. 

One obvious way to test a suspicious email is to reply to the sender. But that will often just lead you right back to the fraudster. According to the Mandiant report, one of their experts wrote back to one of the Chinese hackers as a test and said: “I’m not sure if this is legit, so I didn’t open it.” Within 20 minutes, the hacker from Unit 61398 responded: “It’s legit.” The correct way to double-check the legitimacy of a sender is to contact the “friend” out of band: a separate email to an address you already have on file, a phone call to a number you already know, or any other channel the attacker does not control. Do not just reply.

Step 4: Check the Attachment File Type Closely. 

According to the Mandiant report, most spear-phishing attachments arrive as .zip archives. Still, the clever hackers will sometimes dress up the file inside as a PDF. They do it like this:

That looks like a standard .pdf file, complete with the little Adobe icon (an icon the executable carries in its own resources), but the ellipsis at the end of the name gives it away. According to the Mandiant report, the file name continues after the .pdf to include 119 spaces followed by .exe. The operating system acts on that last extension and runs the file, while the file browser shows only the beginning of the name. Pretty tricky of these Unit 61398 military hackers, eh? I hope our military cyber teams are as good or better at spying out state and military secrets. Although the U.S. military, unlike the Chinese, does not steal trade secrets to benefit purely commercial interests. That’s the government’s story anyway, and I for one am inclined to believe it.

Step 5: Check for Vague Filenames. 

While spear-phishing emails are usually personalized, the message content and the infected file names tend to be fairly generic. Something like “updated_office_contact.zip” is common. The file names also tend to carry military, economic, and diplomatic themes, largely because of the kinds of organizations that military hackers target. Criminal hackers, the ones who are just in it for the money, favor investment and business themes. They may suggest that you open an attached marketing plan for a new product you are working on.

Step 6: Be Paranoid. 

Rebecca Greenfield’s last recommendation is from a security research report by the Georgia Tech Research Institute (GTRI), featuring the work of Andrew Howard, its malware expert and Chief of Emerging Threats and Countermeasures, who said:

Spear phishing is the most popular way to get into a corporate network these days. Because the malware authors now have some information about the people they are sending these to, they are more likely to get a response. When they know something about you, they can dramatically increase their odds.

The success of spear phishing attacks depends on finding the weakest link in a corporate network. That weakest link can be just one person who falls for an authentic-looking email.

Organizations can spend millions and millions of dollars to protect their networks, but all it takes is one carefully-crafted email to let someone into it.

As to what to do about it, Howard is working on new types of AI-based phishing detection software. It sounds much like predictive coding applied to malware and phishing. But in addition to that, Howard recommends a healthy dose of paranoia:

It’s very difficult to put technical controls into place to prevent humans from making a mistake. To keep these attacks out, email users have to do the right thing every single time. Users are the front line defense. We need every user to have a little paranoia about email.

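The checks in Step 2 and Step 4 can be made mechanical, and a mail gateway or a cautious recipient can run them before anyone has to exercise judgment. The Python below is an added example, not code from Greenfield’s article or from the Mandiant report: it compares the From display name with the mailbox domain, flags a Reply-To that points elsewhere (the trap in Step 3), and inspects attachment names for a padded second extension like the 119-space trick. The sample headers and filenames are constructed for the example and modelled on the Mandiant case above; the KNOWN_SENDERS directory is an assumption standing in for a real address book. The right-to-left override check goes beyond the page: it catches another common way of disguising an extension.

```python
"""Mechanical versions of Step 2 (does the sender's mailbox match the name it
claims?) and Step 4 (does an attachment's real extension match the one it
shows?). Sample headers and filenames are constructed for this example and
modelled on the Mandiant case above; KNOWN_SENDERS is an assumed directory."""
import email
import re
from email.utils import parseaddr

# Assumed directory: people who write to us and the domains they use.
KNOWN_SENDERS = {
    "kevin mandia": {"mandiant.com"},
}

# Extensions Windows will run when the file is double-clicked.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "lnk", "msi", "ps1"}
# Archive containers, the usual wrapper for the payload per the Mandiant report.
ARCHIVE_EXTS = {"zip", "rar", "7z"}

# Matches every ".ext" token, so a padded double extension yields two hits.
EXT_RE = re.compile(r"\.([A-Za-z0-9]+)")


def check_sender(raw_headers):
    """Step 2: return findings about the From (and Reply-To) headers."""
    msg = email.message_from_string(raw_headers)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    expected = KNOWN_SENDERS.get(name.strip().lower())
    if expected is not None and domain not in expected:
        findings.append(f"'{name}' normally writes from {sorted(expected)}, "
                        f"this mail is from {domain}")
    # A Reply-To that differs from From routes your "is this legit?" question
    # straight to the attacker (the trap described in Step 3).
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr.lower():
        findings.append(f"Reply-To {reply_to} differs from From {addr}")
    return findings


def check_filename(filename):
    """Step 4: return findings for one attachment name as the mail shows it."""
    findings = []
    exts = [e.lower() for e in EXT_RE.findall(filename)]
    if not exts:
        return findings
    shown, real = exts[0], exts[-1]  # the OS acts on the last one
    pad = re.search(r"\s{2,}", filename)
    if pad:
        findings.append(f"{len(pad.group())} consecutive spaces push the real "
                        "extension out of the visible part of the name")
    if "\u202e" in filename:  # not on the page: another common disguise
        findings.append("right-to-left override character reverses the "
                        "displayed tail of the name")
    if real in EXECUTABLE_EXTS:
        if shown != real:
            findings.append(f"looks like .{shown} but the real extension is .{real}")
        else:
            findings.append(f"executable attachment (.{real})")
    elif real in ARCHIVE_EXTS:
        findings.append(f".{real} archive: check the names inside before opening")
    return findings


def triage(raw_headers, attachment_names):
    """Run both checks; returns {"sender": [...], "attachments": {name: [...]}}."""
    return {
        "sender": check_sender(raw_headers),
        "attachments": {n: check_filename(n) for n in attachment_names},
    }


# Constructed sample, modelled on the Mandiant screenshot described above.
SAMPLE_HEADERS = (
    'From: "Kevin Mandia" <kevin.mandia@rocketmail.com>\n'
    "To: analyst@example.com\n"
    "Subject: Press release for review\n"
)
SAMPLE_ATTACHMENTS = [
    "Press Release.pdf" + " " * 119 + ".exe",  # the 119-space trick from Step 4
    "updated_office_contact.zip",              # the generic name from Step 5
    "Q3 budget.xlsx",                          # an ordinary, harmless name
]

if __name__ == "__main__":
    report = triage(SAMPLE_HEADERS, SAMPLE_ATTACHMENTS)
    for finding in report["sender"]:
        print("sender:", finding)
    for name, findings in report["attachments"].items():
        for finding in findings:
            print(f"attachment {name.strip()!r}:", finding)
```

Run as written, the sample produces one sender finding (the Rocketmail domain) and three attachment findings: the 119-space padding, the .pdf-that-is-really-.exe, and a note to look inside the zip; the spreadsheet passes clean. Anything this flags is a reason to verify out of band, as in Step 3, not proof of an attack.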

In addition to the good advice of Rebecca Greenfield and Andrew Howard, I strongly recommend employee training as a key component of cybersecurity. So too do many others, including PhishMe.com, which offers employee training in phishing avoidance, and KnowBe4, which offers both testing and training. Training alone is insufficient. Companies should run random penetration tests to reinforce the training. The penetration attempts should focus on social engineering techniques against employees, especially phishing and spear-phishing. That is a good way to reinforce a healthy paranoia, without so much paranoia that no work gets done. After all, we have to send and receive email attachments all the time.

The company should start by requiring training of all employees, high and low, no exceptions. The CEO should have to attend training, as well as the receptionist. After that (or sometimes before), the company CISO should contract with white hat hackers to run authorized spear-phishing campaigns. The tests would be unannounced, of course, and ongoing. Not one and done. The tests would feature clever social engineering, especially phishing and spear-phishing, but would also include some bona fide emails with links and attachments, so that the test measures judgment rather than blanket refusal. The goal would be to reinforce healthy paranoia while making sure that employee paranoia is not so intense that it interferes with efficient operations. It is a difficult line to draw, but a necessary one.

In my opinion, this would be great fun to test; far better than the many law school exams I have given and graded. Designing a special spear-phish for the CEO or the Admiral would be especially entertaining. Only the employees who failed a surprise test would have to endure further retraining: the ones who were fooled into taking the bait and downloading the malware, and the ones who were too paranoid, or too lazy, to open a valid attachment needed for work. Some attachments might require the tested employee to make a verification call first; some would not. This kind of testing would be a relatively easy but effective way to strengthen the weakest links in every organization’s cybersecurity.

If someone fails time and time again, even after counseling and retraining, well, maybe they should find another job. That should work, that is, unless they are a four-star admiral. ¯\_(ツ)_/¯ This means that even CEOs of companies should be tested and objectively graded by a third party. Maybe every Board of Directors should require that, or every insurer. Maybe Congress and the Pentagon should require such training and tests of military officers. You should not get promoted unless you have good phishing-test scores. The same requirements should apply to anyone who holds a security clearance of any level, including members of Congress and their staff.

It is not enough to train and test employees. Your program is meaningless unless you also enforce reasonable care. If employees fail more than once, they should be counseled and reprimanded; the next step is counseling and discipline, such as suspension without pay; and ultimately, repeatedly gullible employees should be fired. That is good cause for termination, especially when preceded by proper warnings and training. If you want more information on adding an enforcement leg to a cybersecurity training and testing program, please let me know. Without enforcement, a program of training and testing is a two-legged stool.

1 Comment

  1. Great article! I receive those emails with links from my vulnerable friends all the time and I immediately respond and tell them that they have been hacked. Does changing passwords help once this happens to someone? That is my question of the moment.
    Also, I’d love to be able to share this article on FB with my friends, many of whom are working for large organizations, but there is no link.

