When a Cyber Attack Is a Political Weapon

Michael Buckbee
Last updated May 19, 2022

We’re not surprised when hackers attack companies to scoop up credit card numbers or to cause IT disruption. If they’re state sponsored, they may target organizations to pull out intellectual property – military secrets or other sensitive information — as part of a cyber-espionage program.

But hackers associated with a party (or state) hacking into another political party’s IT system to pull out embarrassing material?


We’re in uncharted territory.

Before you start shouting at your laptop, I’m well aware of the long pre-digital history of political dirty tricks. And in particular, one botched operation in which the analog hackers from one party were prevented from physically exfiltrating data from the HQ of the opposition party.

However, the use of digital attack techniques by political operatives is a new, and yes, frightening reality. I might add that earlier this year, we foresaw this possibility in our Six IT Predictions for 2016 post.

Our prediction — premonition? — went even further when we suggested that such a data breach “would bring the issue of cybersecurity prominently into the campaign as a major issue that is closely related to geopolitical threats such as the spread of terrorism.”

We were eerily accurate.

Over the summer, the Democratic National Committee (DNC) was hacked by groups likely connected with Russian intelligence. The techniques used – spear phishing, remote access trojans, implants, C2 servers — are familiar tools of the trade for hackers extracting credit numbers or other monetizable data.

In this case, the hackers instead went after emails, which were then published on the Web for maximum public exposure and to inflict maximum damage.

Of course, we’ve seen a similar type of doxing in the Sony incident. In that case, a state actor targeted a private company with the hope of causing massive economic harm.

But in the DNC incident, one political entity went after another for political reasons.

And as we prognosticated, cyber security then became part of our national political agenda when our two presidential candidates were asked to discuss their thoughts on this topic during last week’s debate.

Though a particular candidate’s response left at least one blogger scratching his head.

Email: The Mother Lode of Embarrassing

Just as we were getting over the DNC attack, along comes another politically motivated revenge attack. This time, a domestic conservative online publication obtained emails hacked from Hillary Clinton’s campaign computers. In particular, they published an audio email attachment of Clinton addressing a fundraising gathering.

These two recent attacks highlight something that security pros in the corporate sector have long known – emails are a one-stop shop for sensitive personal information.

And that makes lots of sense.

For the financially motivated hackers, the treasure is in the personally identifiable information (PII) in documents and presentations scattered throughout a file system.

But for those seeking to put a spotlight on sensitive inside information, the quickest and easiest route is email servers and personal email accounts. In effect, the hackers have a digital window into unguarded conversations, which in the analog era would have required a physical intervention and messy wire clips.

Remember the data source of the most news-worthy (and occasionally hilarious) content in the Sony breach?

They were the emails between executives, and between executives and stars, in which erratic behaviors, incredible salaries, and juicy gossip were discussed.

As a side note: it was thought that one of the motivations of the Watergate burglars was to replace a defective wire tap that had been previously placed on one of the phones in the DNC’s office. There’s nothing new in obtaining political muck to throw at your opponents by listening in on conversations.

Frank Wills: Early Proponent of Monitoring as a Defense

It’s natural to think that the Sony and DNC doxings don’t apply to your company.

But can you and your executives’ email stand a public airing?

Likely not. Even excluding the potential for embarrassment, there’s intellectual property or internal information that you’d probably rather not have your competitors see.

As some politicians like to say, don’t waste a crisis.

It should be apparent by now that US organizations have serious gaps in learning when they’ve been breached, discovering what’s been exposed, and then sharing information about the cyber incident.

We’ve argued in this blog that a national data security law with a breach notification requirement would go a long way toward improving baseline standards and, we hope, toward preventing or limiting the next OPM, Target, or political HQ breach.

With these attacks against politicians, will our lawmakers finally be nudged by, well, self-interest to put such a law into place?

We’re not sure. But it has been noted that when a certain jurist’s privacy was violated back in the video store-age, a new privacy law went into effect pretty darn quickly.

While we’re waiting for such a law, you can take a cue from Frank Wills, the security guard who spotted the Watergate burglar-hackers.

No doubt the Watergate complex could have installed better perimeter defenses — improved locks, windows, etc. — but they at least had a fallback defense with their on-the-ground security team.

Wills employed an analog form of what we would now call user behavior analytics or UBA. Simply put: UBA says understand what’s normal in your environment, and when something out of the ordinary is detected, investigate, and then raise an alarm if need be.

And that’s exactly what sharp-eyed Wills did: he noticed duct tape placed on one of the door locks. Suspecting a burglary, he notified the DC police who upon arrival discovered five men inside the offices of the DNC.

And the rest, as they say, is history.
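The UBA idea described above, applied to mailbox access, as an added example that is not part of the original post: learn who normally reads which mailbox and how much, then flag departures for investigation. The log fields, account names and thresholds are assumptions, and the events are constructed sample data.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events: (day, actor, mailbox, messages_read)
BASELINE = [
    (1, "asmith", "asmith", 40), (2, "asmith", "asmith", 35),
    (3, "asmith", "asmith", 45), (4, "asmith", "asmith", 38),
    (1, "svc-backup", "ceo", 5), (2, "svc-backup", "ceo", 6),
    (3, "svc-backup", "ceo", 5), (4, "svc-backup", "ceo", 4),
]
TODAY = [
    (5, "asmith", "asmith", 42),    # ordinary day
    (5, "asmith", "ceo", 12),       # mailbox this actor never touched before
    (5, "svc-backup", "ceo", 900),  # familiar pair, abnormal volume
    (5, "jdoe", "jdoe", 10),        # actor with no history at all
]

def build_baseline(events):
    """Collect daily read counts per (actor, mailbox) pair: the 'normal'."""
    volumes = defaultdict(list)
    for _day, actor, mailbox, count in events:
        volumes[(actor, mailbox)].append(count)
    return volumes

def detect(volumes, events, sigmas=3.0, min_spread=5.0):
    """Return (actor, mailbox, reason) for events that leave the baseline."""
    known_actors = {actor for actor, _mailbox in volumes}
    alerts = []
    for _day, actor, mailbox, count in events:
        history = volumes.get((actor, mailbox))
        if actor not in known_actors:
            # Nothing to compare against: investigate before alarming.
            alerts.append((actor, mailbox, "no-baseline"))
        elif history is None:
            alerts.append((actor, mailbox, "new-mailbox"))
        else:
            # Floor the spread so a very steady history does not make
            # every small wobble look like an anomaly.
            spread = max(pstdev(history), min_spread)
            if count > mean(history) + sigmas * spread:
                alerts.append((actor, mailbox, "volume-spike"))
    return alerts

if __name__ == "__main__":
    for alert in detect(build_baseline(BASELINE), TODAY):
        print(alert)
```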

Whether you’re an IT person who works for a political party or not, you’ll want to take security expert Troy Hunt’s course on insider threats. It’s free!

 

 
