When it comes to cybersecurity, it's clear that governments and even MPs are now targets as much as business interests.
Last month, news broke of how classified documents on the US-UK trade talks - which were leaked before the last UK election - were thought to have been obtained illegally by politically-motivated threat actors. The documents were allegedly stolen from the Conservative MP, Liam Fox by Russian hackers and according to many industry commentators, it carries the hallmarks of a state-backed operation.
The sources, quoted by Reuters, further revealed that Liam Fox MP’s personal email account had been compromised via the use of spear phishing, which tricked the victim in question into handing over his password and login details. It has been said that to-date, it remains unclear whether the actors behind the theft of the documents are the same party who then leaked them online. What is certain is that spear phishing, a form of social engineering, remains an incredibly popular and efficient way of infiltrating systems and consequently, exfiltration data.
The role of spear phishing
In spear phishing, a course of expected actions from the victim is designed in order to reach an end goal – including elements of personal information being used in order to make emails seem more credible. Often cybercriminals will try to research their victim and try to find out personal facts about them in order to construct a narrative or story book, increasing the chances the victim will then follow along.
An example of this could include the creation of bogus emails seeking the individual’s credentials to access or edit a shared collaborative document. Increasingly, cybercriminals are getting more and more sophisticated in their attacks with some resorting to trawling through data that has been leaked into the public domain or made available for sale via the dark web, in order to create such tailored phishing email content.
Worryingly, even public social media profiles can disclose a lot of information on a target which they might not be entirely aware of – especially those that use such platforms for professional purposes. Executives posting corporate news and marketing content can inadvertently prepare an attacker with content they can use to exploit the individual and their organization.
Phishers targeting government officials?
Not long after the Reuters story broke, City AM revealed that the China Research Group of Conservative MPs had been in touch with them in order to disclose that they believed they had actively been targeted with both phishing and spear phishing emails from Chinese-based targets, although no proof had been made available that the attacks were made by a state actor.
These examples of events, in which phishing and spear phishing tactics have been used against government targets, only emphasizes something we’ve learned to accept as an uncomfortable truth – no matter how good your email security defense mechanisms, such as Secure Email Gateways (SEGs), malicious emails will still reach an organization’s inboxes.
It is therefore critical that high ranking government officials and civil servants alike remain vigilant, particularly when working with sensitive information and data. Perhaps one of the biggest dangers of SEG technology is the false sense of security – users think that all of their mail has been security vetted and as a result, can let their guard down when going through their emails. This sadly just isn’t true, and as we have seen, thousands of malicious emails pass through SEG systems unnoticed on a daily basis and it only potentially takes one click to have serious consequences.
A human and tech defense
Far from bringing a spell of doom into the picture, what organizations should focus on is the right implementation of cyber security training and technology or in other words, human and machine teaming in order to mitigate the threats posed by malicious actors. In the right implementation of these processes, end-users can be an organization’s strongest defense against phishing attacks. Indeed, Cofense’s proprietary data indicates that the reporting rate of phishing attacks has increased year-on-year since 2015, suggesting that when a collaborative security culture is created, users recognize the threats that are facing them on a daily basis, and actively participate in the defense of their organization.
Whether in the public sector, or a private organization, there is more to be done in order to continue to educate users to recognize emerging threats and encourage them to report suspicious emails, staying alert to the threats and reducing the risks.
Government officials and civil servants have a strong duty to play their part in order to ensure that public trust in government processes remains strong. As the National Cyber Security Centre itself says: “Your people layer should put much more emphasis on reporting suspected phish as soon as possible, so your experts can investigate it … If just one user reports a phish, you can get a head start on defending your company against that phishing campaign and every spotted email is one less opportunity for attackers.”
The threat landscape never has been more sophisticated, and it’ll take more than machines to protect our organizations from those actors - we need humans working in tandem to stand up against the attackers.
- Dave Mount, Director, Europe at Cofense.
- Access the internet securely with the best VPN.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Dave Mount, Director, Europe at Cofense. He has over 20 years experience in the IT industry, he held influential positions in both large corporate organisations, and software vendors. He is specialised in working with organisations to help them increase IT efficiencies, reduce operational risk and enable Information Security and Service Management processes such as ITIL through effective use of technology. He holds a Management Certificate in IT Service Management (ITIL v2) and ITIL v3 Expert ceritification.