By Bob Brewin
Dec. 26, 2006
The Defense Department is battling a significant and widespread effort
to penetrate DOD information systems with sophisticated, targeted,
socially engineered e-mail messages in a technique known as spear
phishing, according to internal documents.
The Joint Task Force-Global Network Operations (JTF-GNO) warned DOD
users last month in an internal presentation that everyone within DOD is
a spear phishing target. Attempts have been made against all ranks in
all services in all geographic locations. DOD civilians and military
contractors have also been hit by spear phishing attacks, the JTF-GNO
The Defense Security Service (DSS), which supports contractor access to
DOD networks, said in a bulletin sent to contractors in October that
JTF-GNO has observed tens of thousands of malicious e-mails targeting
soldiers, sailors, airmen and Marines; U.S. government civilian workers;
and DOD contractors, with the potential compromise of a significant
number of computers across the DOD.
U.S. Forces Korea echoed this warning in a recent information assurance
alert. It warns that outsiders target its information systems on a daily
basis by phishing and spear phishing attacks, which attempt to gain
access to operational and personal information through bogus e-mail
At this point, the true scope of compromise and exploitation is unknown,
but likely thousands more users and computers have been, or will be,
successfully targeted, the bulletin states.
The bulletin adds that the sophistication of the techniques spear
phishers use is reflected in their ability to obtain and apply
legitimate DOD documents and data. The spear phishers also use enticing
subject lines related to legitimate operations, exercises or military
The U.S. Forces Korea information assurance alert states that
unsolicited e-mail messages lure unsuspecting users to click on links to
Web sites or attachments that download malicious software, known as
malware, onto the system to steal data, including sensitive but
JTF-GNO illustrated the sophistication of spear phishing attacks DOD
faces in a DOD Spear Phishing Awareness Training presentation obtained
by Federal Computer Week. That presentation shows a faked message that
appears to come from the operations division at the Pacific Command
(Pacom) with a PowerPoint attachment concerning the Pacom Valiant Shield
exercise held this summer.
But the seemingly legitimate address and PowerPoint slides were fake,
and clicking on the attachment would launch malware that could infect
the user's computer, the JTF-GNO presentation warned. All DOD employees
and contractors must complete spear phishing awareness training by Jan. 17, 2007,
according to internal DOD messages.
JTF-GNO acknowledged its spear phishing challenges in its awareness
presentation, which states, "The attacker selectively chooses the
recipient (target) and usually has a thorough understanding of the
target's command or organization."
Spear phishing e-mail messages appear genuine, have legitimate
operational and exercise names, and may address the recipient by name
and use internal lingo and jargon, the JTF-GNO presentation states.
Last month, JTF-GNO mandated use of plain text e-mail. HTML messages
pose a threat to DOD because the code can contain spyware, and in some
cases, could contain executable code that could enable intruders to
access DOD networks, a JTF-GNO spokesman said.
The department also beefed up its network security and e-mail security
in November with a new generation of Common Access Cards, which include
public-key infrastructure to access e-mail. DOD users are also supposed
to digitally sign their e-mail messages.
But the JTF-GNO spear phishing awareness presentation makes it clear
that technology alone will not defeat the threats spear phishing poses.
JTF-GNO instructed DOD e-mail users to ensure that the source is
legitimate and the message is digitally signed before they click on any
link in a message or open an attachment.
E-mail messages from organizations or individuals outside DOD should be
viewed with caution, the JTF-GNO presentation states, and DOD e-mail
users should be suspicious of their formats and attachments.
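
The handling rules described above (plain-text mail only, a digital signature, caution with outside senders and attachments) can be written as a structural check on a raw message. This is an added example, not code from JTF-GNO or the article; the domain dod.example, the sample messages and the finding labels are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "dod.example"  # assumption: placeholder for the organization's own domain
SIG_TYPES = {"application/pkcs7-signature", "application/x-pkcs7-signature"}

def triage(raw):
    """Return the reasons a message fails the handling rules described above.

    Structure only: this detects a clear-signed S/MIME wrapper. It does not
    validate the signature or certificate chain; the mail client must do that.
    """
    msg = message_from_string(raw)
    findings = []
    # The From header is attacker-controlled, so an internal-looking address
    # proves nothing by itself; it is only used to flag obvious outsiders.
    domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    if domain != INTERNAL_DOMAIN and not domain.endswith("." + INTERNAL_DOMAIN):
        findings.append("external-sender")
    protocol = str(msg.get_param("protocol", "")).lower()
    if not (msg.get_content_type() == "multipart/signed" and protocol in SIG_TYPES):
        findings.append("unsigned")
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            findings.append("html-part")
        elif part.get_filename() and ctype not in SIG_TYPES:
            findings.append("attachment:" + part.get_filename())
    return findings

# Constructed samples: a spoofed internal-looking message and a signed plain-text one.
SPOOFED = (
    "From: Operations Division <ops@dod.example>\n"
    "Subject: Exercise slides\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/html\n\n<p>See attached.</p>\n"
    "--b1\nContent-Type: application/vnd.ms-powerpoint\n"
    'Content-Disposition: attachment; filename="slides.ppt"\n\n'
    "placeholder\n--b1--\n"
)
SIGNED = (
    "From: Watch Officer <watch@dod.example>\n"
    'Content-Type: multipart/signed; protocol="application/pkcs7-signature"; boundary="b2"\n\n'
    "--b2\nContent-Type: text/plain\n\nStatus update.\n"
    '--b2\nContent-Type: application/pkcs7-signature; name="smime.p7s"\n'
    'Content-Disposition: attachment; filename="smime.p7s"\n\n'
    "placeholder\n--b2--\n"
)
```

The spoofed sample passes the sender check and is caught only by the missing signature, the HTML part and the attachment, which is why the sender address alone is not treated as evidence of legitimacy.
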
DOD spokespeople have declined to identify the sources behind the spear
phishing attacks or e-mail messages infected with malware. But in a
presentation to the AFCEA LandWarNet conference this summer, Lee LeClair
of the Army's Network Enterprise Technology Command/9th Signal Command
said U.S. military networks are faced with attacks by state-sponsored
teams that control botnets and engage in spear phishing.
Jessica Kalish, a spokeswoman at iS3, which sells anti-phishing
software, said lone hackers do not carry out spear phishing attacks.
They are mounted by criminal enterprises, terrorist organizations,
malcontents or espionage operations, she said.
Spear phishing attacks are often enabled by spyware installed on a user's
PC, which can, for example, capture keystrokes that indicate a target is
working on Valiant Shield, Kalish said. The attacker then crafts a fake
PowerPoint attachment loaded with malware, which is launched when
clicked by the unsuspecting recipient.
Kalish said the Anti-Phishing Working Group has developed a database of
phishing attacks that can help defend against spear phishing, but only
after it identifies an attack. Kalish said iS3's Stopzilla anti-spyware
and anti-phishing software uses heuristics to proactively identify
potential spear phishing attempts.
Stopzilla warns users about potential fake Web sites or attachments
packed with malware before a user clicks through and launches a
dangerous program, Kalish said.
Max Caceres, director of product management at Core Security
Technologies, which sells software used by DOD and other federal
agencies to test how their employees resist spear phishing attacks, said
the wide range of information available online makes it easy to gain
inside knowledge of an organization and craft targeted attacks.
Core Security Technologies has never failed in its spear phishing tests
against large organizations, Caceres said, an indication of the task DOD
faces as it attempts to battle its latest network threat. The human
factor, which requires e-mail users to carefully examine their messages,
plays a critical role in defeating spear phishing, Caceres said.
The JTF-GNO spokesman is on holiday leave this week and did not respond
to detailed questions from FCW on the breadth of spear phishing attacks
against DOD. A Pentagon spokesman deferred to JTF-GNO to answer an FCW