main

Attack Types & VectorsSecurity

How the German Government’s Network Was Breached – And Why It Could Happen To You

September 22, 2015 — by Werner Thalmeier1

The headline-making cyber-attack on the German Bundestag lower house of Parliament was recently solved. Reports state that attackers stole unknown amounts of data and government officials are now being forced to spend millions of euros on the cleanup to fix their entire computer system.

The attack (one of the biggest known against the German Government’s IT systems) first became public in May 2015 and while more background information has recently become available, understandably, even this available information is being handled with care. It has been revealed, however, that the majority of stolen data consisted of e-mails, Microsoft Outlook storage files (called PST) and office documents.

How Did the Attackers Operate and Get This Data?

The attackers placed a Trojan directly on government computers to gain administrative access.  How did they do it? Via old fashioned phishing e-mails.

The phishing e-mail had declared Angela Merkel as the mail sender and when sent to parliament members, they were asked to click on a link embedded in the mail. In the public debate that followed this hack, IT security professionals argued that this attack should have been easy to discover. The mail address from Angela Merkel was not the real Angela Merkel, it came from a market garden and it was visible this way. But easy to discover does not necessarily mean easy to prevent.

As part of this mail it was requested to click on a link to get more information on a specific topic, here it was more difficult to see that this is a spoofed address.  Behind this link there was a cluster of 12 infected servers located in Germany, Czech and Switzerland. Even with all the internal trainings and ongoing warnings that users should never click on suspicious links or attachments, it did not help and some users tried to access this content with all the known consequences.  Does this sound similar or to your day-to-day work and some of the mails you see on a daily basis?

The source of this cyber-attack is what has been occurring with a number of data breaches lately and many of my customers, colleagues, and personal friends have asked me, “how can this happen and how can I avoid this?”  They are justified in their concern, because if data can be stolen from a highly secured environment, like the German Parliament, with a simple phishing e-mail installing a Trojan, what does it mean for them?

What Can I Do to Protect and Secure My Data?

To give you some guidance on what you can (or better “should”) do, there are some key elements of data security and privacy that focuses specifically on e-mails.  Some of the points sound so fundamental and you may have heard them many times already.  Yet I am 100% sure that many of you (including those in your company) don’t follow them consistently or don’t have them in place.

#1 – Before you open an attachment or follow a link, ALWAYS verify the author or source

This is the most important rule! When you get an e- mail or go on a website, make sure it is valid and legitimate. Don’t click on it just because it looks interesting. This is such an old tactic and phishing mails or “drive-by” malware on websites have been out there for so many years, but, unfortunately, they are still successful and work as a proven cyber-attack.  One wrong click can screw up your system and instead of having a “personal computer” you will have a “Zombie” system, controlled remotely. All data can be stolen or compromised, exactly like it happened at the German Parliament.

Unfortunately, I have a personal example for this. A friend of mine visited me last weekend and he was desperate because he had clicked on an e-mail extension, disguised as an invoice from a “bank.” This is a classic phishing mail and right after the click, malware started to install. His computer started to run many tasks on the disc and after a first external screening (there are many good tools available for such an emergency, I used Desinfec’t, a LINUX-based tool kit in this case ) of his computer, we found over 115 malware pieces (Trojans, viruses, etc.).

It took nearly half of the weekend to clean up the system and at the end we could still not be certain that we caught all of malware on the computer. My final advice was to move forward with a fresh installation on a new hard disc or replace the complete system to be on the safe side again.

Was my friend inexperienced and did he not know what could happen? Actually not at all! He was working for a bank and has had much internal training on IT Security about how to handle such e-mails. But all that was needed was a moment of distraction and a wrong mouse click to create a mess.

#2 – Have a verified backup (and test it!)

The best option for my friend in the story was to have a fresh install on a new disk. Unfortunately, he had no backup of his data or of his operating system.

Here we are at rule #2, have an accessible and working backup, at least of your data and make sure you know how to use it. There are so many good tools available (such as Acronis True Image, Symantec Ghost, Paragon Backup, Disc Dump based on LINUX) and an external disk, connected via USB, is all you need in your private environment. Take a minute to ask yourself, do you have a current backup? Do you know if it works?

#3 – Encrypt your data and mails.

What would have happened with the attack on the German Parliament if e-mails and data had been encrypted? The damage (and awareness of the damage) would have been much less. Essentially, all e-mails and data that are not encrypted are public. Encryption is a major component that can increase your security.

What Can You Do As A Company To Help Keep Your Data Secure?

At the end of the day, you have to ask yourself about your personal and company’s security plans. It’s necessary to build the required lines of defense as well as adopt security policies to keep control of your data and privacy.

The first step is to raise awareness among your teams about threats. This needs to be a constant process and a habit to be successful and to reduce the risks of attacks.  Another major step is for companies to implement a specific detection solution, such as Radware Inflight. This solution uses real-time intelligence on the network and has the ability to identify security threats and Advanced Persistent Threats (APT’s) embedded in any kind of web transactions.  Being aware of the threats and reporting the threats can help avoid the need to defeat the threats. Networks can have weaknesses and motivated attackers will use a variety of tactics to get to the data and information they want.

Werner Thalmeier

As a Solution Evangelist, Werner Thalmeier is responsible for driving Security Product Strategy for Radware in the EMEA region. Before joining our team, he headed the global product management team at M86 Security as VP of Product Management and was also previously VP of Product Management at Finjan. An active member of IT industry for over 20 years, Werner has gained extensive field experience working with vendors, customers, technology partners and resellers in various management and engineering positions.

One comment

Leave a Reply

Your email address will not be published. Required fields are marked *