[BreachExchange] Hackers Trawl User Data in Hopes a Small Target Will Lead to a Big One

[Audrey McNeil]

http://www.nytimes.com/2016/09/24/technology/hackers-
trawl-user-data-in-hopes-a-small-target-will-lead-to-a-big-one.html

In disclosing that at least 500 million of its user accounts had been
hacked, Yahoo blamed an unnamed “state-sponsored actor” for the intrusion.
While Yahoo customers were caught by surprise, officials in Washington were
not.

For more than a year, they had been getting warnings from threat
researchers that hackers were targeting their personal Yahoo email. Even
the accounts of their friends and family were in the cross hairs.

These days, intelligence and security experts say, nearly anyone can be the
target of government-sponsored hackers. By perusing the personal accounts
of people with even the thinnest thread of a connection to power, hackers
can unearth the occasional gold nugget, like the low-level Democratic
operative whose private email correspondence, published online by hackers
on Thursday, detailed the movements of Vice President Joseph R. Biden Jr.
and Hillary Clinton and what appears to be Michelle Obama’s passport.

This expanded hacking strategy presents a new challenge: While top-secret
material is usually kept in more secure computer systems, it is hard — if
not impossible — to predict what information people are exchanging in
personal email accounts. And it is even harder to know if hacking into one
person’s account can set off a cascading chain of events that could lead
foreign spies to more useful information.

In 2014, Yahoo also investigated attacks by Russian hackers that targeted
dozens of private Yahoo accounts, one person with knowledge of Yahoo’s
investigation said, but it is not yet clear whether the same hackers were
behind the larger hack.

“The Yahoo attack alone may not make sense, but when you combine the stolen
data from Yahoo with other stolen data sets, it makes a lot more sense,”
said Sean Kanuck, the former national intelligence officer for online
security issues at the Office of the Director of National Intelligence.

Hackers working on behalf of governments can match stolen Yahoo account
data with their own material or information available on the criminal
underground and published on the website WikiLeaks for a variety of
purposes, Mr. Kanuck and other intelligence officials say.

At this point, they’d have a lot to work with. In the two years since Yahoo
believes the hackers first penetrated its network, state-sponsored hackers
have stolen tens of millions of records from the insurance companies Anthem
and Premera Blue Cross, including Social Security numbers, health records,
birth dates, addresses, emails, passwords and employment information —
basically, everything you’d need to know about a person.

Hackers amassed a vast collection of security clearance records, even
fingerprints, in a yearlong hacking of the United States Office of
Personnel Management. They have breached law firms and accounting firms,
and last year they even made off with flight records for millions of United
Airlines passengers.

It may sound like a crazy collection of unrelated information. But it is
not that difficult to make connections among seemingly random bits of
information using data-sifting technology.

Just as a corporation may use big data to figure out what a consumer might
buy based on their past purchases, a spy agency can use big data to make
connections to useful intelligence. A Palo Alto, Calif., company named
Palantir sells this technology to American intelligence agencies, allowing
them, for example, to match travel records and personal data to identify
possible terrorists.

So while Yahoo’s announcement on Thursday that state-sponsored hackers —
the company did not say what country it believes they are working for — had
made off with more than 500 million customers’ personal records was
stunning to many, intelligence officials say it can be seen as just the
latest step in an escalating nation-state digital warfare campaign.

“A lot of people overlook why some of these seemingly purposeless breaches
matter,” said Mr. Kanuck.

Intelligence services could use this information for a range of things —
some trivial and some intrusive. They could match international flights
taken by their own officials with those taken by American personnel to the
same cities at the same time. They could comb the user names and emails
released in a hacking of Ashley Madison, the online affairs site that was
breached last year, with the personal Yahoo accounts of government
officials and contractors or their spouses, and leak that information
online or use it for blackmail.

And they can use the most intimate details of people’s lives — their
medical records — to undercut the reputations of prominent American
athletes, as Russian hackers did in a release of medical records stolen
from the World Anti-Doping Agency that belonged to the gymnast Simone
Biles, the tennis stars Venus and Serena Williams and other Olympic
athletes.

The biggest worry, Mr. Kanuck and other American intelligence officials
say, is the impact these data thefts can have on global politics. James. R.
Clapper, the director of National Intelligence, warned Senate officials
earlier this year that Russia was escalating its espionage campaigns
against United States targets.

“Russia continues to take information warfare to a new level, working to
fan anti-U.S. and anti-Western sentiment both within Russia and globally,”
Mr. Clapper said in his annual worldwide threat briefing in February.

Intelligence officials and private security researchers say it’s not just
prominent United States government officials that Russian hackers are
after. It’s their spouses, staff members, lawyers, accountants and business
partners, who may not have the same level of security on their data and
communications.

“In the past year, we’ve seen personal webmail accounts and social network
accounts specifically being targeted by Russian, Chinese and Iranian
espionage operators, on several occasions,” said John Hultquist, an
espionage analysis manager at FireEye, the security software company.
“That’s where some of the most sensitive conversations take place, and
hacking private accounts leaves a much lighter footprint.”

One of the most adept at this approach, Mr. Hultquist and other security
researchers say, has been a Russian intelligence hacking group alternately
known in the security and intelligence community as APT28, Fancy Bear or
Pawn Storm. The group regularly uses the compromised personal webmail
accounts of staff members, spouses and their colleagues as tools to glean
more information on high-level government targets.

In just the last few months, the group has been blamed for attacks on
theDemocratic National Committee, the White House and the World Anti-Doping
Agency.

Going back to last year, the Russian group also has been trying to break
into the online accounts of 2,600 members of the Washington elite —
lobbyists, journalists, officials, contractors and even their spouses,
according to private security researchers at Trend Micro, the global
security company, who briefed intelligence agencies on the hacking.

Among the Russians’ targets were Colin L. Powell, the former secretary of
state, whose personal emails caused a sensation when they were leaked
online last week, according to people with knowledge of the briefing who
spoke on the condition of anonymity.

“This is the new normal,” said Tom Kellermann, one of the security experts
who briefed intelligence officials last year in his former role as chief
security officer at Trend Micro. “It’s not just the usual targets who are
being hunted. It’s their spouses.”

Mr. Kanuck said no one should be shocked that this is going on. “Every
prominent person in Washington, every publicly known intelligence official,
congressman and significant staffer should presume they have been
targeted,” Mr. Kanuck said. “You’d be a fool not to think that’s the case.”
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160927/439d466a/attachment.html>