Rob Johnston on MSNBC with Hallie Jackson
Author: adlumin
Responding to the Rise of Fileless Attacks
Fileless attacks, easier to conduct and more effective than traditional malware-based threats, pose a growing challenge to enterprise targets.
Cybercriminals take the path of least resistance — which is why more of them are adopting fileless attacks to target their victims. The threat is poised to grow as attackers recognize the ease of this method and more employees rely on mobile and cloud to do their jobs.
Fileless, or non-malware, attacks let threat actors skip the steps involved with traditional malware-based attacks. They don’t need to create payloads; they can simply use trusted programs to exploit in-memory access. In 2017, fileless malware attacks leveraging PowerShell or Windows Management Instrumentation tools made up 52% of all attacks for the year.
Yet businesses still aren’t paying attention.
“Our focus in this industry is still on traditional attack vectors we’ve been dealing with for most of our careers,” says Heath Renfrow, CISO at Leo Cyber Security.
It’s time for businesses to take a closer look at how these threats work, how they can be detected, why they’re predicted to grow, and the steps they can take to protect themselves.
The Evolution of Modern Fileless Attacks
Fileless attacks are not new, but they have changed over time, says BluVector CEO Kris Lovejoy.
“What’s different about today is not the fact of fileless — both Code Red and Slammer used this — it’s the fact that the bulk of the attack chain, the steps of the attack, are all fileless,” she says. “If they do involve a payload it often looks legitimate and therefore, it’s very hard to detect.”
The growth of fileless malware attacks can be attributed to ease of use and improved tools for endpoint detection and response (EDR), says Adlumin CEO Robert Johnston, who led the investigation into the DNC hack during his previous role as a CrowdStrike consultant.
“Within a network, what’s breaking the backs of organizations is the theft of usernames and passwords,” he explains. “It’s not the malware that’s doing the trick.”
Threat actors use domain accounts and IP administrator passwords to traverse around target networks and steal information. Their activity takes multiple forms; for example, it’s oftentimes more valuable to access someone’s Office 365 or Amazon Web Services login, Johnston says.
All attackers have to break in somehow, meaning credential theft is the first step to an attack. Local admin credentials are always the first to go because nobody pays much attention to them and they’re not tied to a specific person, Johnston explains. This is generally the norm because it makes administration easier. Service account credentials are also vulnerable. Once they have system access, attackers use privilege escalation techniques to increase their capabilities.
Why You’re Vulnerable
Organizations fail to understand the complexity of their IT environments, a shortcoming that makes them vulnerable when they can’t monitor their full ecosystem. Many are “drowning in data” and are unable to bring account and user activity into a single place for analysis.
“If they can’t track it, they can’t understand which accounts have access to what,” Johnston explains. “They have no way to visualize, and no way to track and scale, all of these different identities that don’t always line up to a human.”
The challenge escalates when employees don’t adopt basic security practices. Lovejoy points out that phishing attacks are a popular means of delivering attacks and obtaining credentials.
Hackers are targeting workers personally and going after login credentials for Amazon, Gmail, PayPal, and other common services, says Arun Buduri, cofounder and chief product officer at Pixm. They know people use the same usernames and passwords across services.
“What hackers are doing is trying to get into personal accounts, and using that to get into corporate,” Buduri explains. Many threat actors target low-level employees with the idea that once they’re in, they can monitor email activity to learn the addresses of high-ranking workers.
Poised to Grow
Renfrow says fileless attacks will grow as workers are increasingly mobile and reliant on cloud. Teleworking “significantly increases the risk to the infrastructure,” he notes. As the CISO at United States Army Medicine, a position he held until November 2017, Renfrow says anyone who brought a device in from the field had to undergo a new image and scanning before logging back into the local network.
Mobile devices have become especially prominent in healthcare, he notes, and cloud has grown across industries. “Think about a cloud environment,” he says. “How much insight does a CISO have into who’s logging in and where?” Most people assume the cloud is safe, but Renfrow points out that the cloud contains a lot of credentials that have fallen out of use and should have been decommissioned — legitimate creds within attackers’ reach.
While financially motivated attackers will always be out there, Lovejoy anticipates more threats will aim to cause damage. “The sad reality is we’re seeing an increase in the number of destructive attacks that are being leveraged,” she points out.
What Can You Do About It?
Protecting against phishing starts with employee education. “Trick them, test them, teach them,” says Lovejoy. “The goal is to immunize enough people so the disease can’t take hold.” Employees should also have a means to report activity they feel is suspicious.
“Always enact the policy ‘If you see something, say something,'” she adds.
On top of this, businesses should take a close look at activity in their ecosystems.
“One thing we did in Army Med was bring in a toolset to map out all of the credentials across our infrastructure,” says Renfrow. “It was eye-opening … we had more credentials running through our infrastructure than we had people.”
After evaluating this, the team dug into the who, what, where, and how of what these credentials were doing. Anything outside the normal login location would trigger an alert. Given the massive size of Army Medicine’s infrastructure, he says automation was necessary for this.
He advises organizations to go back to the “old-school” method of looking at their traditional identity and access management. From there, if they’re mature enough, they can consider toolsets designed to automate access management to learn the who, how, where, and what of network logins.
“I think it would be eye-opening for any organization,” Renfrow says.
https://www.darkreading.com/endpoint/responding-to-the-rise-of-fileless-attacks/d/d-id/1330810?
FBI Software For Analyzing Fingerprints Contains Russian-Made Code, Whistleblowers Say
FBI Software For Analyzing Fingerprints Contains Russian-Made Code, Whistleblowers Say
In a secret deal, a French company purchased code from a Kremlin-connected firm, incorporated it into its own software, and hid its existence from the FBI, according to documents and two whistleblowers. The allegations raise concerns that Russian hackers could compromise law enforcement computer systems.
BuzzFeed News; Getty Images
The fingerprint-analysis software used by the FBI and more than 18,000 other US law enforcement agencies contains code created by a Russian firm with close ties to the Kremlin, according to documents and two whistleblowers. The allegations raise concerns that Russian hackers could gain backdoor access to sensitive biometric information on millions of Americans, or even compromise wider national security and law enforcement computer systems.
The Russian code was inserted into the fingerprint-analysis software by a French company, said the two whistleblowers, who are former employees of that company. The firm — then a subsidiary of the massive Paris-based conglomerate Safran — deliberately concealed from the FBI the fact that it had purchased the Russian code in a secret deal, they said.
In recent years, Russian hackers have gained access to everything from the Democratic National Committee’s email servers to the systems of nuclear power companies to the unclassified computers of the Joint Chiefs of Staff, according to US authorities.
Sergei Savostyanov / Sergei Savostyanov/TASS
The headquarters of the Russian cybersecurity company Kaspersky Lab.
This September, the Department of Homeland Security ordered all federal agencies to stop using products made by the Moscow-based company Kaspersky Lab, including its popular antivirus software, and media outlets reportedthat Russian hackers had exploited it to steal sensitive information on US intelligence programs. The department later clarified that the order didn’t apply to “Kaspersky code embedded in the products of other companies.” The company’s founder, Eugene V. Kaspersky, has denied any involvement in or knowledge of the hack.
The Russian company whose code ended up in the FBI’s fingerprint-analysis software has Kremlin connections that should raise similar national security concerns, said the whistleblowers, both French nationals who worked in Russia. The Russian company, Papillon AO, boasts in its own publications about its close cooperation with various Russian ministries as well as the Federal Security Service — the intelligence agency known as the FSB that is a successor of the Soviet-era KGB and has been implicated in other hacks of US targets.
“The fact that there were connections to the FSB would make me nervous to use this software.”
Cybersecurity experts said the danger of using the Russian-made code couldn’t be assessed without examining the code itself. But “the fact that there were connections to the FSB would make me nervous to use this software,” said Tim Evans, who worked as director of operational policy for the National Security Agency’s elite cyberintelligence unit known as Tailored Access Operations and now helps run the cybersecurity firm Adlumin.
The FBI’s overhaul of its fingerprint-recognition technology, unveiled in 2011, was part of a larger initiative known as Next Generation Identification to expand the bureau’s use of biometrics, including face- and iris-recognition technology. The TSA also relies on the FBI fingerprint database.
In hopes of winning the FBI contract, the Safran subsidiary Sagem Sécurité, later renamedMorpho, licensed the Papillon technology to boost the performance of its own fingerprint-recognition software, the whistleblowers said. Both of them worked for Morpho: Philippe Desbois was the former CEO of the company’s operations in Russia, and Georges Hala worked for Morpho’s business development team in Russia.
Jean-Paul Ney / Getty Images
Sagem presented a new biometric passport in 2007.
BuzzFeed News reviewed an unsigned copy of the licensing agreement between the French and Russian companies, which both men said they had obtained while working for Morpho; it is dated July 2, 2008 — a year before the company beat out some of the world’s largest biometric firms, including an American competitor, to secure the FBI business. It grants Sagem Sécurité the right to incorporate the Papillon code into the French company’s software and to sell the finished product as its own technology. It also stipulates that Papillon would provide updates and improvements during the five-year period that ended on the last day of 2013. In return, Sagem Sécurité agreed to pay an initial fee of roughly 3.8 million euros — equivalent to almost $6 million at the time — plus annual fees.
Got a tip? You can email tips@buzzfeed.com. To learn how to reach us securely, go to tips.buzzfeed.com.
The contract, which is also referenced in court documents, says that to Papillon’s knowledge its software does not contain any “undisclosed ‘back door,’ ‘time bomb,’ ‘drop dead,’ or other software routine designed to disable the software automatically with the passage of time or under the positive control of any person” or any “virus, ‘Trojan horse,’ ‘worm,’ or other software routines or hardware components designed to permit unauthorized access, to disable, erase, or otherwise harm the software, hardware, or data.”
The contract reviewed by BuzzFeed News also contains a section titled “Publicity” that says, “The parties agree to keep strictly confidential and not to disclose by any means to any third party the existence and the contents of this Agreement.”
Desbois — who has filed a whistleblower lawsuit in US federal court accusing Safran of fraudulently collecting about $1 billion from federal, state, and local agencies — said at least three high-level company officials stressed to him on multiple occasions that the existence of the agreement needed to remain a closely held secret. Disclosure, he said he was told, might jeopardize contracts in the US market, which the company coveted.
“They told me, ‘We will have big problems if the FBI is aware about the origin of the algorithm.’”
“They told me, ‘We will have big problems if the FBI is aware about the origin of the algorithm,’” he recalled
Neither Desbois nor Hala was personally involved in the integration of Papillon code into the French company’s products or the sale of the software to the FBI, but both said they had conversations with engineers who did work on the integration. Desbois said multiple company officials told him that the technology sold to the FBI contained the Papillon algorithm.
“You know the word omertà?” Desbois said, referencing the Mafia code of silence made famous by the movie The Godfather. “It was always the intonation like we have done something bad that is a secret between us and that we should not repeat it to anybody.”
Jean-Paul Ney / Getty Images
Sagem demonstrated a new biometric passport in 2007.
“Deep collaboration”
In promotional material and on its website, Papillon boasts of its work with Russia’s Ministry of Internal Affairs, which oversees police and immigration agencies, among others, and is run by a longtime police official who was appointed to the post in 2012 by President Vladimir Putin. The products that Papillon sells “are created with the instructional assistance” of the ministry, and the company is “closely cooperating with the Ministry of the Interior, Ministry of Defense and Ministry of Justice of Russia,” according to company publications. A Russian government website says that the Internal Affairs Ministry “renders methodic assistance” to Papillon.
“Papillon is not an independent company,” said Hala, one of the whistleblowers. “Papillon was an emanation of the Internal Affairs Ministry, so Papillon was always under the control of the ministry.”
Papillon’s deputy director for marketing, Ivan Shapshal, disputed that. “We are fully a private company,” he said. “Do we do special tasks for the intelligence agencies of Russia? No, there is no reason for us to do this. It is just a risk. It does not help us make money.”
Among the Russian agencies that use the company’s fingerprint-recognition technology is the FSB. “Year by year,” one Papillon publication says, “the company expands its cooperation with” the FSB, as well as Russian agencies in charge of immigration, customs, and drug control. Other clients include the governments of Turkey, Kazakhstan, Serbia, and Albania.
“We will be happy to be close to any security agency in the world for money.”
Shapshal said his company’s fingerprint-recognition technology helps Russian police solve roughly 100,000 cases per year. “If our software can help police solve more crimes, we are happy to be ‘very close’ to them, as you say,” he said. “We will be happy to be close to any security agency in the world for money.”
Papillon’s founder and director is Pavel Zaitsev, who worked as an engineer and programmer at Russian military installations from 1985 to 1991, according to a biography published with an article he wrote for a trade publication. Many of the company’s staffers, a Russian government website says, “gained experience working at the plants of Military-Industrial Establishment in Miass” — the city in the Ural Mountains where the company later established its headquarters.
Hala said there was “deep collaboration” between Papillon and the FSB. “It’s not a secret,” he said. Hala said he attended multiple meetings involving Russian government officials and Papillon executives in which FSB officials expressed strong support for Papillon and “controlled absolutely the discussion.”
The Internal Affairs Ministry, the FSB, and the Russian Embassy in Washington, DC, did not respond to requests for comment.
Neither the FBI nor any of the companies involved denied directly that the fingerprint software used by the bureau contains Russian code.
The FBI declined to answer repeated questions about the software but said in a statement, “As is typical for all commercial software that we operate, appropriate security reviews were completed prior to operational deployment.”
Safran declined to respond to questions about its actions as owner of the subsidiary that provided the software to the FBI, noting that it has since sold that subsidiary. But in legal filings, Safran has not denied the existence of the contract to license the Russian code, instead arguing that the allegations of fraudulent sales were not specific enough and that the company was not legally responsible for the actions of its subsidiary.Safran sold the subsidiary this year to a US private-equity firm, which renamed the company Idemia. An Idemia spokesperson said the fingerprint-recognition technology was “almost entirely developed and manufactured in France or in the United States” but that two software components contained source code developed “by other companies.”
The spokesperson, Céline Stierlé, refused to name those companies.
“We don’t comment on such things because we cannot confirm or deny.”
More broadly, she said the whistleblowers’ claims “are old allegations that are not supported by facts and that have been rejected by federal and state authorities and by the courts,” referring to the lawsuit filed by Desbois, one of the former employees who spoke with BuzzFeed News.
This year, a federal judge dismissed the case but did not evaluate the merits of most of the allegations. Instead, the judge focused on technical issues, finding that the suit hadn’t alleged enough specifics about, for example, when and how fraudulent claims for payment may have been submitted to the government. Also, the judge wrote, any false claims would have been submitted by a subsidiary that was not named as a defendant in the case — and the parent companies that were named couldn’t necessarily be held legally responsible. The case is on appeal.
As for the Russian company, Papillon, executive Shapshal responded to a question about the contract giving the French company rights to its code by saying, “We don’t comment on such things because we cannot confirm or deny.”
But he insisted that the company’s code did not include any vulnerabilities, saying that if anyone were to check “then you will see there is no back door.”
Regis Duvignau / Reuters
A Safran Group building in France.
“Weigh carefully the risks”
As the FBI evaluated the companies vying to provide the fingerprint-recognition software in 2009, the possibility that the contract might go to a company subject to influence by a foreign government, even an ally, unsettled some members of Congress. The part-ownership of Safran by the French government prompted a letter to then-FBI director Robert Mueller from former Rep. John Kline of Minnesota, a Republican member of the House Intelligence Committee.
“Allowing a foreign government to provide services regarding sensitive information to our law enforcement and intelligence communities could potentially pose a grave counterintelligence threat to the US government,” Kline wrote. “I urge the FBI to assess whether any domestic companies are capable of this work and weigh carefully the risks versus the benefits of granting a foreign government access to this sensitive data.”
“Allowing a foreign government to provide services regarding sensitive information to our law enforcement and intelligence communities could potentially pose a grave counterintelligence threat.
An FBI spokesman at the time said that the bureau “assesses all risks and vulnerabilities associated with any foreign influence or security concerns for vendors under consideration for contracts, including subcontracts, with the FBI.”
Later that year, the FBI and Lockheed Martin — the primary contractor in charge of incorporating various vendors’ products into the bureau’s system — announced the selection of a Morpho subsidiary, MorphoTrak. Among the competitors not chosen was the US company Cogent Systems.
A Lockheed Martin spokesman refused to discuss the contracting process and said the company had divested its unit responsible for the FBI program. A representative for Leidos, which is now the project’s primary contractor, declined to comment.
Desbois’s whistleblower lawsuit alleges that a US-based MorphoTrak engineer named Frank Barret was aware of the Papillon deal and led a team that helped prepare the software for use by the FBI. On the front step of his home in California, Barret refused to read and respond to the allegations in the complaint but said, “Everything I’ve said to the investigators, everything I’ve said in this trial, is true.” Asked to clarify, he closed his front door. When BuzzFeed News followed up the next day, Barret threatened to call the police.
Both Desbois and Hala said they discovered the existence of the agreement licensing the Russian company’s code after they questioned their bosses’ instructions not to compete with Papillon for certain contracts. It was then, they said, that company officials explained that the two companies had an unwritten agreement not to encroach on each other’s business in certain countries — an arrangement that violates antitrust laws, the whistleblower claim alleges. Desbois and Hala said that they obtained a copy of the licensing agreement because they wanted to see for themselves whether it spelled out the terms of the noncompete pact; it did not.
Papillon executive Shapshal declined to comment on the antitrust allegations. Idemia spokesperson Stierlé said that “this allegation, like the others, was part of the litigation” and that “it too was found to be deficient and lacking in even the most basic level of detail and was rejected by the court.” The judge found that the whistleblower suit did not provide specifics on who falsely certified to the US government that the company hadn’t violated antitrust laws, or when and how this had occurred.
Desbois’s whistleblower lawsuit accuses Safran of defrauding the US government out of about $1 billion, and if the suit is successful he stands to collect millions. Hala is not involved in the case. Both Desbois and Hala said they left Morpho voluntarily and on good terms.
The Washington Post / Getty Images
Inside the FBI’s background check center.
The federal government so far has declined to intervene in the lawsuit, as it has the option to do in whistleblower suits alleging fraudulent claims for payment. In court filings, however, Justice Department lawyers noted that this wasn’t necessarily an indication that the case lacked merit, and they preserved their right to step in later. The complaint also accuses the defendants of misrepresenting the fingerprint technology in sales to the government of California; lawyers for the state also have declined to intervene.
The FBI contract is now a centerpiece in much of MorphoTrak’s marketing material. In 2011, the FBI said the new fingerprint-recognition software significantly increased both the speed and accuracy of matches, boosting the latter from 92% to more than 99.6%.
“In terms of prestige, to be able to say ‘My technology is used by the FBI,’ it really helps with sales.”
“In terms of prestige, to be able to say ‘My technology is used by the FBI,’ it really helps with sales,” said former employee Stephane Guichard, who led a US-based team that implemented and maintained the fingerprint-matching software for state and local agencies that had purchased it but was not involved in the software’s development or the FBI contract.
Guichard and two other former MorphoTrak employees who worked on government contracts in the US said they didn’t know about the licensing agreement with Papillon, and they expressed surprise that their former employer would use Russian technology. “Personally, it would have concerned me a little bit,” said Phillip Moore, who worked as an account manager and sales manager. It would have raised “basic trust issues with what they would supply us,” he said.
By the end of 2013, as the final stage of the FBI project phase-in became operational, Morpho reported that the US market accounted for more than a third of its roughly $2 billion in revenues.
Safran recently announced that it planned to refocus solely on aerospace and defense, and, earlier this year, it sold Morpho, which had recently been renamed Safran Identity & Security, to the US private-equity firm Advent International, with the French government investment bank Bpifrance also taking a stake. The reported price was about $2.5 billion.
The company, now named Idemia, has provided fingerprint-recognition software to the Department of Defense and agencies in 28 states and 36 cities or counties across the US — from the Orange County Sheriff’s Department to the New York Police Department. Through its subsidiaries, Idemia is a powerful lobbying force in Washington, and it is currently fighting to kill legislation that would endanger its status as the sole provider of fingerprint services for the TSA PreCheck program. ●
Chris Hamby is an investigative reporter for BuzzFeed News and is based in Washington, D.C. He won the 2014 Pulitzer Prize for Investigative Reporting and was a finalist for the 2017 Pulitzer Prize for International Reporting.
Contact Chris Hamby at chris.hamby@buzzfeed.com.
Got a confidential tip? Submit it here.
Tim Evans, Esq., LL.M. Speaks at NH-ISAC 2017 Conference
“Why corporate breaches continue to succeed” – Corporate breaches continue to succeed because attackers can steal the legitimate identities of your employees and use those identities to attack your infrastructure. Far deadlier than malware based attacks, identity based attacks can go undetected for months or years because perpetrators impersonate the methods used by your various privileged accounts as if they were that user. Attackers have changed their methods from the now outdated malware-based attacks to the evolved identity based attacks. Learn how next generation machine learning and analytics can detect and stop these attacks.
Rob Johnston on MSNBC with Andrea Mitchell
Rob Johnston on MSNBC
CRACKING THE CODE: He Solved The DNC Hack
Stephen Voss for BuzzFeed News
He Solved The DNC Hack. Now He’s Telling His Story For The First Time.
Less than a year before Marine Corps cyberwarrior Robert Johnston discovered that the Russians had hacked the Democratic National Committee, he found they had launched a similar attack at the Joint Chiefs of Staff.
At 30, Johnston was already an accomplished digital detective who had just left the military’s elite Cyber Command, where he had helped stanch a Russian hack on the US military’s top leadership. Now, working for a private cybersecurity company, he had to brief the DNC — while it was in the middle of a white-knuckle presidential campaign — about what he’d found in the organization’s computer networks.
Their reaction was “pure shock,” Johnston recalled. “It was their worst day.”
Although the broad outlines of the DNC hack are now well-known, its details have remained mysterious, sparking sharp and persistent questions. How did the DNC miss the hack? Why did a private security consultant, rather than the FBI, examine its servers? And how did the DNC find Johnston’s firm, CrowdStrike, in the first place?
“It was their worst day.”
Johnston’s account — told here for the first time, and substantiated in interviews with 15 sources at the FBI, the DNC, and the Defense Department — resolves some of those questions while adding new information about the hack itself.
A political outsider who got the job essentially at random — the DNC literally called up CrowdStrike’s sales desk — Johnston was the lead investigator who determined the nature and scope of the hack, one he described less as a stealth burglary than as a brazen ransacking. Despite his central role, Johnston has never talked with investigators probing Russian interference, let alone with the media. But to people dealing with the crisis, “He was indispensable,” as a source close to the DNC put it.
Johnston was also largely on his own. The party had hired CrowdStrike essentially in place of the FBI — to this day, the Bureau has not had access to the DNC’s servers. DNC officials said they made the eyebrow-raising choice to go with a private firm because they were worried they’d lose control of their operations right in the middle of the campaign. Not only that, but the FBI was investigating Hillary Clinton’s use of a private email server. Better, the DNC figured, to handle things privately.
It was a decision that would cast a shadow of doubt over the investigation, even though cybersecurity experts have widely accepted Johnston’s main findings.
Mandel Ngan / AFP / Getty Images
Debbie Wasserman Schultz.
In the conference room that day, as he unveiled his findings to Democratic Party officials and lawyers, then-chair Debbie Wasserman Schultz listened in via speakerphone. Johnston told them that their computer systems had been fully compromised — not just by one attack, but by two. Malware from the first attack had been festering in the DNC’s system for a whole year. The second infiltration was only a couple of months old. Both sets of malware were associated with Russian intelligence.
Most disturbing: The hackers had been gathering copies of all emails and sending them out to someone, somewhere. Every single email that every DNC staffer typed had been spied on. Every word, every joke, every syllable.
There was still no warning that Russia might try to interfere on Donald Trump’s behalf. So the DNC officials hammered Johnston with questions: What would happen with all their information? All that stolen data? What would the computer hackers do with it?
Johnston didn’t know. The FBI didn’t know.
The answers would come when the stolen emails were published by WikiLeaks in a series of devastating, carefully timed leaks. And the implications of what Johnston had found would come later, too: The Russian government may have been actively working against Hillary Clinton to help elect Donald Trump.
Stephen Voss for BuzzFeed News
Robert Johnston.
Growing up, Johnston was a jock, not a cybergeek. He wrestled for his high school in Satellite Beach, Florida, in the 165-pound weight class. As a teenager, one of his unusual hobbies was picking locks with paper clips and hairpins.
He had stellar grades, and he was admitted into the Naval Academy in Annapolis, Maryland, in 2004. “I never tinkered with computers,” he said. “I entered the Naval Academy as a wrestler, and that’s all I cared about.”
The only reason he ended up on the front lines against Russian hackers is that during his second semester he was required to choose a major, and he chose computer science because it was “marketable.” At first, he found it boring. Then, during his junior year, he took a computer security class. It changed his life.
“Right then and there I wanted to do anything and everything cyber.”
The discipline of white-hat hacking, he said, was a bit like picking locks, back when he was a teenager. “This was like doing it with computers,” Johnston said. “We would learn how to break into computers, how to investigate, do forensics. It just interested me right away. Right then and there I wanted to do anything and everything cyber.”
Johnston graduated from the Naval Academy in 2008, and was commissioned as a second lieutenant in the Marine Corps, just when some branches of the military started to see cyber as the new battlespace. To “fly, fight and win,” an Air Force mission statement from the time boasted, “in air, space and cyberspace.”
But “the Marine Corps mindset” — with its proud emphasis on aggressive tactics — “hadn’t changed yet,” Johnston said. And that, paradoxically, made it a perfect place for him to learn and gain rank in the cyberworld. “Ascension was easy because nobody wanted to go into these jobs. They didn’t really understand that cyber was a battleground.”
He directed the Marine Corps Red Team, which tries to hack into the Corps computers to test its defenses. He was surprised how many well-trained military personnel fell for fake attacks. Right after the Snowden leaks in 2013, he said, the team sent out to 5,000 people inside the military a test: a phishing email, one that tries to trick recipients into clicking on a link, which installs malware. The subject line was: “SEAL team six conducts an operation that kills Edward Snowden.”
“We actually had to shut down the operation,” he said. “The phishing attack was too successful. The click rate was through the roof.”
Chip Somodevilla / Getty Images
The seals of the US Cyber Command, the National Security Agency, and the Central Security Service at the campus the three organizations share in Fort Meade, Maryland.
In the spring of 2015, Johnston was a captain in the Marine Corps leading newly formed Cyber Protection Team 81, based near the NSA in Fort Meade, Maryland, as part of the military’s Cyber Command, or Cybercom.
On a Saturday around 2 a.m., Johnston received a call on his cell phone from his commanding officer. “The major said, ‘How fast can your guys be back in DC?’” Johnson recalled. “‘Tell them to meet at the Pentagon and you’ll find out more there.’”
A malware attack against the Pentagon had reached the unclassified computers of the Joint Chiefs of Staff, the military’s top brass who advise the president. The malware had spread fast — in just five hours, it had compromised all five of the chairs’ laptops and all three of the vice chairs’ laptops and desktop computers.
Soon, Johnston and the others identified the malware. It was associated with APT 29, for “advanced persistent threat,” a hacker group widely believed to be linked to the FSB, Russia’s federal security service.
“Their operations are very surgical. They might send five phishing emails, but they’re very well-crafted and very, very targeted.”
By “noisy,” he means that the attackers were drawing a huge amount of attention, sending out 50,000 phishing emails, as if they didn’t care that anyone knew what they were doing.
Along with Johnston and his military cyber team, NSA employees, and contractors from McAfee and Microsoft were also on site, working on the hack, wiping the system and rebuilding it. Johnston and his team worked around the clock, in two shifts. “Host forensics guys are finding malware, handing it to the malware reverse engineering team who’s reversing it, finding network indicators, giving it to the network guys,” he recalled. “Network guys are scoping, finding out where else they are, and tracking down all the compromised machines.”
Johnston’s team concluded that the Russian hackers took some nonclassified emails and other information but not a lot. The biggest challenge after containing a breach of this magnitude, he said, is you can never be 100% sure that the hackers have been “kicked out” of the system.
Retired Lt. Gen. Mark Bowman, who oversaw cyber at the Joint Chiefs at the time, worked closely with Johnston on the operation. He told BuzzFeed News, “We had to build the network back from bare metal. Watching Robert and his team do that was unbelievable. That guy flat-out amazed me.”
Still, the mission was a big one for Cybercom, and Johnston felt like he had hit a career “home run.”
He left the Marine Corps as a captain, and in November 2015, he signed up to work for CrowdStrike, a well-known cyberprotection company whose president, Shawn Henry, is a former head of the FBI’s Cyber Division. CrowdStrike declined to comment about Johnston’s work.
Stephen Voss for BuzzFeed News
Johnston in Washington, DC.
Johnston didn’t know it, but in September 2015 as he was getting ready to leave the Marines, the NSA informed the FBI that DNC computers had likely been hacked, three sources said. An FBI agent then called the DNC’s IT office and said that the organization’s servers had been compromised.
That part of the story has been told — how little was done for seven months. The FBI periodically tried to get in touch with the organization, but the DNC did not believe the threat was real.
Finally, in April, the DNC IT department became convinced that there was a problem, and top Democratic officials became worried. But even then, they didn’t call the FBI. They called the sales desk at CrowdStrike. (Last week, lawyers for BuzzFeed subpoenaed both the DNC and CrowdStrike for information about the hack and the investigation into it. The subpoena was not related to this story but to a libel suit filed by a Russian businessman named in the Trump dossier published by BuzzFeed News in January.)
Got a tip? You can email tips@buzzfeed.com.To learn how to reach us securely, go to tips.buzzfeed.com.
At CrowdStrike, the case was assigned to Johnston, new to the company but with battle-tested skills, who soon ended up on the phone with the DNC IT chief.
“The FBI thinks we have a problem, something called ‘Dukes,’” Johnston said the IT employee told him. The Dukes is another name for APT 29, the hackers who Johnston had battled before, at the Joint Chiefs.
Johnston sent the DNC a script to run on all its servers, and then collected the output code. To an outsider it might have looked like a tedious job to examine long strings of data. But within an hour Johnston had it: an unmistakable string of computer code — sabotage — that didn’t belong in the system. It was “executable file paths” — evidence of programs — that didn’t belong there. They stood out like a shiny wrench left in a car engine.
And in fact, Johnston had seen this particular piece of code before, back when he was at the Pentagon. So it was easy to recognize this nemesis. He knew who had sent it by the telltale signatures. “This was APT 29,” he said. Later, when he had spent more time analyzing the DNC hack, he would come to believe that the Democrats had been compromised by the same blast of 50,000 or so phishing emails that had breached the computers of the Joint Chiefs.
Stephen Voss for BuzzFeed News
From left: Adlumin VP, Chief of Strategy, Timothy Evans Esq., LL.M., lead engineer Don McLamb, and Robert Johnston.
When he briefed the DNC in that conference room, Johnston presented a report that basically said, “They’ve balled up data and stolen it.” But the political officials were hardly experienced in the world of intelligence. They were not just horrified but puzzled. “They’re looking at me,” Johnston recalled, “and they’re asking, ‘What are they going to do with the data that was taken?’”
Back then, no one knew. In addition to APT 29, another hacking group had launched malware into the DNC’s system. Called APT 28, it’s also associated Russian intelligence. Andrei Soldatov, a Russian investigative journalist and security expert, said it’s not crystal clear which Russian spy service is behind each hacker group, but like many other cybersecurity investigators, he agreed that Russian intelligence carried out the attack.
So, Johnston said, “I start thinking back to all of these previous hacks by Russia and other adversaries like China. I think back to the Joint Chiefs hack. What did they do with this data? Nothing. They took the information for espionage purposes. They didn’t leak it to WikiLeaks.”
“They’re looking at me,” Johnston recalled, “and they’re asking, ‘What are they going to do with the data that was taken?'”
So, Johnston recalled, that’s what he told the DNC in May 2016: Such thefts have become the norm, and the hackers did not plan on doing anything with what they had purloined.
Johnston kicks himself about that now. “I take responsibility for that piece,” he said.
The DNC and CrowdStrike, now working with the FBI, tried to remove all remaining malware and contain the problem. And they decided on a public relations strategy. How could the DNC control the message? “Nothing of that magnitude stays quiet in the realm of politics,” Johnston said. “We needed to get in front of it.” So, Johnston said, in a story confirmed by DNC officials, CrowdStrike and the DNC decided to give the story to the Washington Post, which on June 14, 2016, published the story: “Russian government hackers penetrated DNC, stole opposition research on Trump.” “I thought it was a smart move,” Johnston said.
But it may have backfired.
One day after the Post article, a Twitter user going by the name Guccifer 2.0 claimed responsibility for the hack and posted to the internet materials stolen from the DNC’s server.
Johnston thinks the Washington Post story changed the tactics of the cyberattackers. “We accelerated their timeline. I believe now that they were intending to release the information in late October or a week before the election,” he said. But then they realized that “we discovered who they were. I don’t think the Russian intelligence services were expecting it, expecting a statement and an article that pointed the finger at them.”
A month later, in late July 2016, WikiLeaks began to release thousands of emails hacked from the DNC server. Those leaks, intelligence officials would say, were carefully engineered and timed.
The stolen emails wreaked havoc. Wasserman Schultz, then the chair of the DNC, was replaced by Donna Brazile, who just published a new book, Hacks, about the Russian break-in at the DNC.
“CrowdStrike did a remarkable job helping the DNC remediate our system post hacking. Sadly, we should have known more, but that’s all part of history,” Brazile told BuzzFeed News.
Johnston wrapped up his work with the DNC in July 2016. He also left CrowdStrike and started his own cybersecurity firm, Adlumin, based in Washington, DC.
He’s well aware of the grim fact that it was his analysis that helped lay the groundwork that would eventually lead to the investigation by special counsel Robert Mueller, to multiple probes on Capitol Hill, and to the findings about Russia’s intervention on Facebook and Twitter. If the DNC hack hadn’t been traced to Russia, much that might never have emerged.
Johnston has managed to maintain a low profile for the last year and half, even as Washington has obsessed over Trump and Russia. He hasn’t been in hiding, he said. Over a steak and Scotch at a DC restaurant, he said he just hadn’t talked about it for a simple reason: No one asked him to. ●
Jason Leopold is a senior investigative reporter for BuzzFeed News and is based in LA. Recipient: IRE 2016 FOI award; Newseum Institute National Freedom of Information Hall of Fame. PGP fingerprint 46DB 0712 284B 8C6E 40FF 7A1B D3CD 5720 694B 16F0. Contact this reporter at jason.leopold@buzzfeed.com
Contact Jason Leopold at jason.leopold@buzzfeed.com.
Got a confidential tip? Submit it here.
Adlumin Sponsors APHSA ISM 2017 Technology Conference
Timothy Evans, J.D., LL.M., Co-Founder and Chief of Strategy
Corporate breaches continue to succeed because attackers can steal the legitimate identities of your employees and use those identities to attack your infrastructure. Far deadlier than malware based attacks, identity based attacks can go undetected for months or years because perpetrators impersonate the methods used by your various privileged accounts as if they were that user. Attackers have changed their methods from the now outdated malware based attacks to the evolved identity based attacks. Learn how next generation machine learning and analytics hunting on your network 24/7 can detect intruders and malicious insiders without you hiring a single person.
Robert Johnston, CEO, Speaks at EDGESECURITY 2017
Identity Based Attacks – Insights on the DNC Hack
Why do corporate breaches continue to succeed? Corporate breaches continue to succeed because attackers are able to steal the legitimate identities of your employees and use those identities to attack your infrastructure. Far deadlier than malware based attacks, identity based attacks can go undetected for months or years because perpetrators impersonate the methods used by your various privileged accounts as if they were that user. Attackers have changed their methods from the now outdated malware based attacks to the evolved identity based attacks. Learn how analytics, deception, and data streams are saving the security industry, or would have at least saved the Democratic National Committee.
New N.S.A. Breach Linked to Popular Russian Antivirus Software
WASHINGTON — In the latest case of an insider removing sensitive data from the nation’s largest intelligence agency, Russian hackers obtained classified documents that a National Security Agency employee had taken and stored on his home computer. Investigators believe the hackers may have penetrated the computer by exploiting Kaspersky Lab antivirus software, a Russian brand widely used around the world, that the employee was using, according to officials briefed on the matter.
The highly classified material involved the agency’s techniques for breaking into foreign computer networks to collect intelligence, the officials said. The case appears to be separate from a larger breach ofsecurity, by a group calling itself the Shadow Brokers, which has been publicly posting samples of the agency’s hacking tools periodically for more than a year. The case was first reported by The Wall Street Journal on Thursday.
Investigators say the employee does not appear to have intended to let the sensitive cybertools escape to the outside world. Officials believe he took the material home — an egregious violation of agency rules and the law — because he wanted to refer to it as he worked on his résumé. The maker of the antivirus software installed on his home computer, Kaspersky Lab, is a Russian company that American security officials have long feared may cooperate with, or be infiltrated by, the Russian government.
The officials did not make their concerns public, and the antivirus software remains popular. But last month the federal government ordered the Kaspersky software removed from all government computers. The F.B.I. has been investigating whether Kaspersky products, especially the well-reviewed antivirus programs, contain “back doors” that could allow Russian intelligence agencies into any computers or networks on which they are running. The company has always denied that it has any links to Russian intelligence.
It is unclear whether the National Security Agency breach played a major role in the government’s decision to ban Kaspersky products. While the Russian theft was first discovered two years ago, the Kaspersky link was understood only more recently.
The concerns about Kaspersky Lab date back many years, in part because its founder, Eugene Kaspersky, attended a K.G.B. technical college and served in military intelligence. Tim Evans, a former National Security Agency lawyer, said that in 2008 he was dispatched by the agency to the United States Patent Office to retrieve every patent application filed by Kaspersky so that the agency could study the names of its employees for known officers of the F.S.B., the K.G.B.’s successor.
“This is an old question for N.S.A.,” said Mr. Evans, now with Adlumin, a cybersecurity contractor.
While federal prosecutors in Maryland are handling the case, the agency employee who took the documents home does not appear to have been charged. In the past, taking classified information from agency premises and storing it on an insecure computer has been considered a prosecutable offense. John M. Deutch, who served as director of the C.I.A. in 1995 and 1996, was investigated after classified information was found on his unclassified laptops. He agreed to plead guilty to a misdemeanor but was pardoned by President Bill Clinton.
The breach is only the latest blow to the National Security Agency, which for decades has broken foreign codes and eavesdropped on telephone and other communications. Today it devotes a huge effort as well to penetrating computer networks overseas to gather information.
In 2013, Edward J. Snowden, an agency contractor in Hawaii, took hundreds of thousands of classified documents, flew to Hong Kong and turned the material over to journalists. Last year, another contractor, Harold T. Martin III, was discovered to have taken an even larger quantity of agency data to his Maryland home, where he stored it in his car and in a shed in his yard. About the same time Mr. Martin was arrested, the unidentified Shadow Brokers began to post some of the agency’s most guarded software tools on the web.
“They just keep getting hammered,” said Robert S. Johnston, the president of Adlumin and another former agency officer. “N.S.A. used to say they’d never had a spy. That’s totally changed since 2013.”
Several former agency officers said the breach might not necessarily require complicity on the part of Kaspersky Lab. Antivirus software routinely scans files to hunt for malware and even uploads files to the cloud for particular study. By redirecting data between the employee’s computer and Kaspersky back to their own servers, via a “man in the middle attack,” or hacking Kaspersky’s software and adding a back door, Russian operators could have potentially downloaded the employee’s files without Kaspersky’s knowledge.
“Antivirus software could totally be used for espionage,” said Jake Williams, a former officer at the agency and the founder of Rendition Infosec, a cybersecurity contractor. “It looks damning for Kaspersky, but we don’t yet know the whole story.”
Your Social Media Is the Weakest Link for Cyber Criminals
According to a recent survey by Norton, 94 percent of users on the internet think they can spot phishing emails. Unfortunately, they couldn’t be more wrong.
The fact is that hackers are becoming savvier when it comes to finding personal information and tricking not only you, but your friends into providing more.
Jere L. Simpson, CEO and founder of Arlington-based KITEWIRE said these days hackers are using social engineering to nab your personal information and use it for mining information, gaining account access and blackmail.
“Social engineering is the easiest method to breach accounts. Your best friend, date of birth and mother’s maiden name are extremely easy to find on Facebook. Criminals will duplicate one of your friend’s accounts using the same photo and private message you that they created two accounts for business and friends in order to gain access to your information.” Jere said.
Once cyber criminals gather enough information about a person/owner of a company, then they go to work in figuring out details to breach the network.
Colonel Timothy Evans (Ret), cofounder and vice president of strategy of Arlington-based Adlumin said, “Health care data is the most valuable because it provides enough information for an intruder to apply for credit, loans, etc. without the individual even knowing that someone else has applied for credit in their name.
“Once the intruder steals legitimate credentials, they can move freely throughout the network without setting off any alerts. Their next task is to escalate their privileges to administrator so they can move about the network freely.”
Then you’re really screwed.
For a small startup or business owner, dishing out tons of cash for a high performing network server and IT consultant isn’t a reality when you’re bootstrapping. However, our cyber experts have some advice and inexpensive ways to protect your data from potential threats.
Let’s Start With the Facebook Feed
Taking photos at work to show off the team, work environment or the latest coffee machine is great, but you need to consider what is in the background of your photos, and if are you unintentionally posting personal or confidential information.
“Be extremely careful what information is put on social media. Look for information that is in the background of photos like screen or paper information. Latergram as many photos as you can instead of posting them in the moment,” Jere said.
Don’t Open The Flood Gates
Reducing the number of people who have administrative access to files, a network, etc. can decrease chances for a breach.
“Probably the key for a small company is to limit the user’s authority on its network to conducting activities that a general user should do. In other words, do not make everyone on the network an administrator, they do not need that authority,” Timothy said.
It’s also a good idea to have monitor logs to understand who is accessing certain files and online tools.
“Ensure that your users are doing what their logs say they are doing. If the system says that you used a USB drive to download gigabytes of information, the follow-up question is, did you do that. There are free tools that you can use to check your own logs to ensure that the actions that are being taken on your network. At a minimum, a small company should audit the company’s privileged access users to ensure that their activities are in line with their duties and actual activities,” Timothy said.
Newbie Doesn’t Get the Keys to the Kingdom
While founders want to trust that every tech employee is honest, Jere said it’s not a bad idea to gradually ease them into full access of the network. Most importantly, change your network password often enough to avoid any potential problems.
“Don’t give every new tech SaaS access to your calendar, email, contacts, drive, location etc. Also, use a formula for your passwords so that each password is unique and you can always figure it out…and never write it down.” Jere said.
Yes, You Must Change the Passwords
Changing your passwords is the oldest, yet most important, advice any cyber expert can offer you, because it works, so do it. Also, our experts want you and your employees to stop sending your username and password over the network, email or communication tools like Slack.
“If you need to give someone a username and password, don’t send both over the same communication,” Jere said. “Calling on the phone or video chat is often the most secure method.”
Did I mention changing the password? Timothy recommends conducting privileged account password resets every 30 days. Seriously.
Employees Can Be Your Superheroes
Your employees can be the first line of defense when it comes to thwarting cyber attacks. Take time to educate them on what to look for if faced with a potential threat.
“Be very unified as a small company that no employee will click on an email link or document received without being sure that the document or link is from a known vendor, partner, or trusted party. This takes a lot of discipline, however, it is the absolute best method to prevent an attack,” Timothy said.
“Talk with your employees and let them know that simple carelessness could result in putting a company out of business. Breaches of customer data or credit card information will result in damage to the company’s name at a very minimum.”