- The US Air Force targeted its own personnel in Europe with spear-phishing attacks in November.
- The exercise was a test of the network’s users’ awareness of potential threats.
- Spear-phishing, which targets specific users, has already been used in the real world with profound effects.
In November, the Air Force targeted its personnel at bases in Europe with spear-phishing attacks to test their awareness of online threats.
The tests were coordinated with Air Force leaders in Europe and employed tactics known to be used by adversaries targeting the US and its partners, the Air Force said in a release.
Spear-phishing differs from normal phishing attempts in that it targets specific accounts and attempts to mimic trusted sources.
Spear-phishing is a “persistent threat” to network integrity, Col. Anthony Thomas, head of Air Force Cyber Operations, said in the release.
“Even one user falling for a spear-phishing attempt creates an opening for our adversaries,” Thomas said. “Part of mission resiliency is ensuring our airmen have the proficiency to recognise and thwart adversary actions.”
The technique has already been put into real-world use.
Just before Christmas in 2015, Russian hackers allegedly used spear-phishing emails and Microsoft Word documents embedded with malicious code to hit Ukraine with a cyberattack that caused power outages – the first publicly known attack to have such an effect.
This month, the US Department of Justice charged two Chinese nationals with involvement in a decade-long, government-backed effort to hack and steal information from US tech firms and government agencies.
Their group relied on spear-phishing, using an email address that looked legitimate to send messages with documents laden with malicious code.
For their test in November, Air Force cyber-operations officials sent emails from non-Department of Defence addresses to users on the Air Force network, including content in them that looked legitimate.
The emails told recipients to do several different things, according to the release.
One appeared to be sent by an Airman and Family Readiness Center, asking the addressee to update a spreadsheet by clicking a hyperlink. Another email said it was from a legal office and asked the recipient to add information to a hyperlinked document for a jury panel in a court-martial.
“If users followed the hyperlink, then downloaded and enabled macros in the documents, embedded code would be activated,” the release said. “This allowed the threat emulation team access to their computer.”
Results from the test – which was meant to improve the defences of the network as a whole and did not gather information on individuals – showed most recipients were not fooled.
“We chose to conduct this threat emulation (test) to gain a deeper understanding of our collective cyber discipline and readiness,” said Maj. Ken Malloy, Air Force Cyber Operations’ primary planning coordinator for the test.
The lessons “will inform data-driven decisions for improving policy, streamlining processes and enhancing threat-based user training to achieve mission assurance and promote the delivery of decisive air power,” Malloy said.
While fending off spear-phishing attacks requires users to be cognisant of untrustworthy links and other suspicious content, other assessments have found US military networks themselves do not have adequate defences.
A Defence Department Inspector General report released this month found that the Army, the Navy, and the Missile Defence Agency “did not protect networks and systems that process, store, and transmit (missile defence) technical information from unauthorised access and use.”
That could allow attackers to go around US missile-defence capabilities, the report said.
In one case, officials had failed to patch flaws in their system after getting alerts about vulnerabilities – one of which was first found in 1990 and remained unresolved in April this year.
Business Insider Emails & Alerts
Site highlights each day to your inbox.