This is a special advisory
Over the past week we have noticed a spike in attacks targeting local businesses that may be a prime or subcontractor for government work. We suspect that because of the nature of this targeting, a nation-state actor may be behind them.
The attacks are being delivered as very believable, highly targeted emails that direct victims to a convincing copy of a Hawaii.gov website that is intended to harvest email credentials.
Why is this important?
You may likely have heard about cyberattacks by foreign governments like North Korea, Russia and Iran from the news. They’re unfortunately all too common. These are referred to as nation-state threats, directing their attacks on critical infrastructure, military and businesses. On their hit list is gathering federally protected infrastructure data such as blueprints and internal documents, personal information that could be used for extortion and backdoor access to government networks.
If your company currently has a cyber insurance policy, you may want to review the extent of coverage with your agent. Many carriers have recently updated their scope of coverage to exclude coverage if a breach at your company is determined to be linked in any way to a nation-state actor. This is a result of an onslaught of incidents that have occurred over the past few years that have been very expensive for insurance carriers.
What does this attack look like?
Step 1: A very legitimate email arrives from Jeff Davis’ office. The email lacks the characteristic poor grammar and spelling errors typical of phishing emails. There’s a big button at the bottom inviting victims to click and bid.
Step 2: Clicking the link goes to a compromised domain name, which redirects to a second compromised domain hosting a fake hawaii.gov website.
Step 3: The fake site displays an official statement to increase credibility for the victim. Clicking the “close” button further ropes in unsuspecting visitors as IP and computer information has already likely been gathered. Notice the compromised url – not the beginning, but the ending, ending in .org. That is the true compromised domain.
Step 4: The hacked site looks legitimate with links to hawaii.gov resources. These criminals did a good job replicating a convincing landing page.
Step 5: There’s a big red button at the center of the page. It’s baiting unsuspecting visitors into clicking it and giving the criminals login credentials.
Step 6: And of course, no matter what is entered into the form, it will kick back an error. It’s not actually validating anything, simply tricking those who are likely engaged in government contracting activities into handing over their usernames and passwords. The criminals will likely use this information to then infiltrate the company.
The Takeaway
If someone at your organization was duped into handing out their credentials to these scammers, best we chat right away.
You’re probably wondering how to prevent an incident from occurring at your company? The solution involves taking a multifaceted, multilayered approach to security:
• Make sure your business continuity plan includes a nation-state threat actor scenario.
• Take all cybersecurity risks more seriously. Understand what legitimate executables and files should be running on your devices and make sure you’re alerted when unusual file behavior occurs.
• Never underestimate the value of vulnerability management and asset management systems. These are critical to understanding your current risk profile, where your business-critical systems and data reside, developing your business continuity and disaster recovery plans and so much more.
• Educate employees to be hyper-aware of nation-state attacks and the potential impacts to your business. You shouldn’t just have one training session – they should be ongoing and include targeted communication, drills and unannounced tests to gauge people’s ability to identify and report on phishing attacks.
Nation-state attacks have changed. They’re more frequent, wider-spread, cause far more damage and are not just limited to government transgressions.
The real question is: What do you plan to do about it?
It’s time to get serious. Start today – we can help.
Stay safe out there.
-A