KnowBe4, provider of the world's largest security awareness training and simulated phishing platform, analyzed the official indictment of the Russian GRU officers charged with interfering in the 2016 U.S. presidential election.
According to Stu Sjouwerman, CEO of KnowBe4, and Kevin Mitnick, KnowBe4's Chief Hacking Officer, the GRU officials used the same tradecraft that cybercriminals use daily and that white hat penetration testers use to test their client's controls: social engineering methods including spearphishing. This further proves that hackers of all motives continue to target humans as they're known to be the path of least resistance and one that can be easily broken.
The indictment showed that the Russian hackers targeted more than 300 people, covertly hacked and monitored dozens of computers, secretly implanting a hacking tool that the GRU called X-Agent. The malware allowed operatives in Moscow to remotely take screenshots and capture keystrokes of Democratic Party employees as they tapped on their computers, the indictment states. The GRU team then used another program, called the X-Tunnel, to extract gigabytes of stolen documents through encrypted channels.
"After reading the Russian indictment I was surprised to see that the Russians use the same exact methods we use to test our client's security controls. Our security engineers have never failed to get in when we can use social engineering (phishing, etc) during an assessment," stated Kevin Mitnick, KnowBe4's Chief Hacking Officer. "The biggest takeaway was that spearphishing is still the easiest way the bad guys get in. Why the DNC didn't use Multi-Factor Authentication is beyond me. I believe it is the lack of security awareness training that made it easy for the Russians to hack our election."
KnowBe4's complete analysis is available on its blog titled, "Russian Indictment: They Used Criminal TradeCraft Like Spearphishing to Hack the Democratic Party"
It is important to know what percentage of your users are vulnerable to social engineering attacks. For customers and non-customers alike, KnowBe4 recommends using its free Phishing Security Test to find out what the Phish-prone percentage of your company's users is.