Federal agencies dodged a proverbial cyber bullet in January when the Department of Homeland Security (DHS) issued its first-ever emergency directive giving agencies 10 days to implement protections against a global campaign to hijack Domain Name Servers (DNS). While the attack was aimed at governments worldwide, DHS found no evidence of U.S. government domains being altered (insert sigh of relief here). The warning did serve as a wake-up call for the increasing pace and evolving tactics of cyber criminals.
The DNS attack was just one of many threats aimed at federal agencies. Symantec’s Internet Security Threat Report (ISTR, Volume 24) found a number of threat trends to keep federal agencies on alert. Providing an overview of the global threat landscape, the ISTR is a result of data analyzed from the company’s Global Intelligence Network, which records events from 123 million attack sensors worldwide, and helps block 142 million threats daily.
Findings of concern for feds
Of the many threat vectors identified by the report, the following are of particular concern to federal agencies:
- Cloud. As federal agencies continue to migrate to the cloud, they have a sense of deja vu while encountering threats. That’s because when it comes to security, cloud is the new personal computer, the report says, showing that a single misconfigured cloud workload or storage instance could cost millions of dollars or become a compliance nightmare. In the past year, more than 70 million records were stolen or leaked from poorly configured S3 buckets. There are also numerous, easily-accessible tools that allow attackers to identify misconfigured cloud resources on the internet.
- Supply chain. This has become one of the biggest security concerns in the federal government – so much so that a recently released report by the Navy found military systems have been so extensively targeted and compromised “their reliability is questionable.” Many of the supply chain threats worldwide were driven by living-off-the-land techniques, which uses tools that are already installed on targeted computers, especially those in newer versions of Microsoft Windows, and runs scripts or shellcode that becomes embedded in memory. The use of PowerShell scripts, for example, increased by 1,000 percent last year.
- Election security. The report indicates that Microsoft discovered and shut down multiple malicious domains that mimicked those of U.S. political organizations, as part of foreign interference in the 2018 elections. The domains are believed to have been created by the cyber espionage group APT28 – identified by the FBI and DHS as a Russian asset – as part of a spear-phishing campaign.
- Formjacking. Last year, company officials found significant increases in formjacking – essentially, virtual ATM skimming – by which cyber criminals inject malicious code into retailers’ websites to steal shoppers’ payment card details. On average, more than 4,800 unique websites are compromised with formjacking code every month. While formjacking was concentrated in online retailing, the increase shows a significant weakness as only a few simple lines of code can disrupt any organization that collects personally identifiable information on their website.
Formjacking is a growing threat in the federal government where agencies increasingly turn to online buying. As one example, agencies’ purchases using the General Services Administration’s SmartPay card grew to $30.6 billion last year in 95.7 million transactions, compared to $28.6 billion and 93 million transactions in fiscal 2017, according to the agency. Federal spending online is expected to grow as GSA prepares to roll out e-commerce portals, as directed in last year’s National Defense Authorization Act.
- Mobile devices. There are many ways information can be breached, but the Symantec report shows that smart phones still are one of the biggest culprits. The findings should alert federal agencies to the importance of mobile endpoint security for initiatives such as bring-your-own-device policies. Symantec found that one in 36 devices used high-risk apps, and it blocked an average of 10,500 malicious mobile apps per day. About 65 percent of attacks occurred on devices in the U.S., followed by China at 13 percent. The top malicious mobile app category was tools, accounting for 39 percent, followed by lifestyle apps at 15 percent.
Other interesting findings in the report include:
- Among targeted attack groups, the use of malware went up 25 percent, so that one in ten are using it to disrupt operations. As many as 96 percent of attack groups are seeking intelligence.
- Email remained a major threat. While phishing decreased for the fourth year in a row, spam increased to the point that 55 percent of emails can be labeled as such. The U.S. had the highest rate of email attacks, with most coming through as attachments, usually claiming to be a bill or delivery failure.
The results from this report cannot be looked at, or responded to, in a vacuum. Federal agencies still require an integrated approach to cyber operations, one that considers all aspects of a network – whether it’s the roaming endpoint, on-premise infrastructure, or the cloud.
Ken Durbin is senior strategist of global government affairs and cybersecurity at Symantec.