A warning from Google underscores the risk posed by ignored or little-used email infrastructure.
Political campaigns are chaotic affairs: complicated, multi-faceted, months-long efforts that culminate on election day and then quickly fade to black.
That’s also true of the IT infrastructure that supports them. In the heat of a 3-, 6- or even 12-month campaign, the organization must juggle the needs and activities of hundreds or even thousands of volunteers. Email and social media accounts, banking, content management systems, accounting, scheduling – all the machinery of any complex organization – must be spun up quickly and effortlessly.
At the height of a campaign, that machinery is spinning almost non-stop. A day after the voters have had their say, much of it falls into disuse and is forgotten about – at least until the next election. Or is it? A recent story about an attempted hacking incident targeting a US Senator suggests that malicious actors – even nation-state hackers – may be taking an interest in some of the mothballed accounts that political campaigns generate.
The website CyberScoop reported last month that Google has warned the office of Senator Pat Toomey (R-PA) about phishing email sent to accounts set up for his 2016 Senate run. While the status of the accounts isn’t clear, Toomey is not up for re-election again until 2022. The probing involved sending phishing e-mail to campaign accounts, but did not include malicious attachments, CyberScoop reported. Further, it doesn’t appear that the phishing campaign resulted in the loss or theft of data from Toomey’s campaign.
Google hasn’t indicated who was behind the attack. However, a recent report by Microsoft claims that hackers with links to The Kremlin have stepped up attacks on conservative think tanks and the U.S. Senate, including individuals believed hostile to Russia.
Even putting nation-state attacks to the side, however, the attack on Toomey’s dormant campaign underscores a growing security risk to organizations: diffuse and hard-to-track cloud-based applications, including email. While cloud-based platforms like those offered by Google, Microsoft and others promise protection from phishing, malware and other threats, those built-in security features are often inadequate to the job of protecting a large and complex organization – especially one that might be the target of sophisticated hackers.
Beyond that, the ease of provisioning new accounts and users on these platforms can also make it all too easy to overlook the exposure that organizations face from unused and unmanaged accounts. What’s the big deal if a disused, 18-month-old account gets hacked? Well, we know from recent events that account takeovers are one of the favorite tools of sophisticated (aka “advanced, persistent”) hackers. For Senator Toomey’s would-be hackers, even low-value accounts, in the hands of attackers, provide vital information: email addresses and threads from high-level campaign staff, and personal data – including account names and even passwords. And, of course, compromised email accounts can be used to spread the attack: sending convincing phishing email to other campaign and Senate staff that can open the door to other accounts, IT assets and networks. In the case of a campaign, the long stretches of inactivity around campaign accounts and assets can give malicious actors plenty of time to set up shop and carry out their attacks without attracting notice.
This isn’t a hard problem to manage for would-be targets. However, it is one that targeted organizations need to be educated about and provided with the tools to combat. Among the recommendations security companies like GreatHorn make is for organizations to do a thorough audit of their email infrastructure to take account of every user and inbox. Inactive accounts should be suspended or shuttered and the user notified. Accounts that remain active should be prompted to harden passwords and adopt additional access controls, including strong second-factor (2FA) authentication, which most cloud providers offer for free.
Finally, organizations need the tools to monitor patterns of use for their active accounts. Understanding normal behavior for an account, including where the recipient typically logs in from and when, patterns of activity between the sender and his or her recipients and so on can help flag when an account might have fallen under the control of a malicious actor.
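The audit and monitoring steps above can be expressed as a small script. The following is an added example, not code from the original post or from GreatHorn: it runs over a constructed account inventory and a handful of constructed login log lines (hypothetical addresses under campaign.example, invented timestamps and countries), classifies dormant accounts for suspension and active accounts lacking a second factor, and then flags two kinds of post-snapshot logins: any sign-in to an account the audit marked dormant, and a sign-in from a country the account had never used before. The 90-day dormancy threshold and the log line format are assumptions for the example.

```python
"""Account audit plus login-pattern checks over constructed campaign data.

Everything here is hypothetical: the addresses, timestamps, countries and log
format are made up for this example and do not come from any real campaign.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def _ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2018-09-03T14:12:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class Account:
    email: str
    last_login: datetime   # last successful sign-in as of the inventory snapshot
    mfa_enrolled: bool     # whether a second factor is enabled
    owner_role: str        # free text, report only


# Constructed inventory snapshot (taken at SNAPSHOT_TIME below).
INVENTORY = [
    Account("press@campaign.example",      _ts("2018-08-30T09:30:00Z"), True,  "communications"),
    Account("volunteers@campaign.example", _ts("2016-11-09T18:05:00Z"), False, "field office"),
    Account("finance@campaign.example",    _ts("2018-08-28T11:45:00Z"), False, "treasurer"),
    Account("intern3@campaign.example",    _ts("2016-10-30T20:10:00Z"), False, "intern"),
]

# Constructed sign-in log; lines before the snapshot form the baseline,
# lines after it are the ones being checked.
LOGIN_LOG = """\
2018-08-01T13:02:00Z user=press@campaign.example country=US result=success
2018-08-14T15:40:00Z user=press@campaign.example country=US result=success
2018-08-20T10:15:00Z user=finance@campaign.example country=US result=success
2018-09-02T03:20:00Z user=press@campaign.example country=RO result=success
2018-09-03T16:00:00Z user=finance@campaign.example country=US result=success
2018-09-04T02:45:00Z user=intern3@campaign.example country=NL result=success
""".splitlines()

SNAPSHOT_TIME = _ts("2018-09-01T00:00:00Z")


def audit_inventory(accounts, now, inactive_after=timedelta(days=90)):
    """Dormant accounts go on the suspend list; active ones without a second
    factor go on the hardening list (the audit step described in the post)."""
    suspend, needs_mfa = [], []
    for acct in accounts:
        if now - acct.last_login > inactive_after:
            suspend.append(acct.email)
        elif not acct.mfa_enrolled:
            needs_mfa.append(acct.email)
    return {"suspend": suspend, "needs_mfa": needs_mfa}


def parse_login_line(line):
    """Turn '<ts> k=v k=v ...' into a dict with a parsed 'time' field."""
    ts, *fields = line.split()
    event = {"time": _ts(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def build_baseline(events, cutoff):
    """Set of countries each user successfully signed in from before the cutoff."""
    baseline = {}
    for e in events:
        if e["time"] < cutoff and e["result"] == "success":
            baseline.setdefault(e["user"], set()).add(e["country"])
    return baseline


def flag_anomalies(log_lines, cutoff, dormant):
    """Check post-cutoff successful logins against dormancy and the baseline."""
    events = [parse_login_line(line) for line in log_lines]
    baseline = build_baseline(events, cutoff)
    flags = []
    for e in events:
        if e["time"] < cutoff or e["result"] != "success":
            continue
        if e["user"] in dormant:
            # Any activity on an account the audit marked dormant is itself a signal.
            flags.append((e["user"], "login to dormant account"))
        elif e["country"] not in baseline.get(e["user"], set()):
            flags.append((e["user"], f"new login country {e['country']}"))
    return flags


def run_audit(snapshot=SNAPSHOT_TIME):
    report = audit_inventory(INVENTORY, snapshot)
    report["anomalies"] = flag_anomalies(LOGIN_LOG, snapshot, set(report["suspend"]))
    return report


if __name__ == "__main__":
    for section, items in run_audit().items():
        print(f"{section}: {items}")
```

The dormant-account check is deliberately evaluated before the country check: a mothballed mailbox has no meaningful baseline, so the mere fact of a successful sign-in is the finding, regardless of where it came from.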
Most of us won’t have the misfortune of squaring off against sophisticated, nation-backed hacking groups. But understanding the actions and modus operandi of these groups is critical to protecting our own networks, assets and users from attacks both sophisticated and unsophisticated.
Stay safe out there!