Citing a 2014 National Security Agency briefing that code-named the attack on email providers “Dancing Panda” and later “Legion Amethyst,” NBC News reported Monday that the intrusion into officials’ personal email accounts was first detected in April 2010, and it quoted a senior intelligence officer saying the intrusion is still going on.
To China, I say knock yourselves out.
If Secretary of State John Kerry’s personal Gmail inbox looks like mine, they’ll get an eyeful of nothing: newsletters I never read, offers from Amazon, paperless bill reminders, appeals for alumni donations and promotions from frequent flyer/hotel rewards programs I don’t even remember joining.
Sure, there might be an occasional shopping list from my wife and sporadic notes from my college-aged kids to say hi (and ask for money).
But the other 27,000 emails, conveniently located inside my spam folder, are not much more than annoying offers for fake Viagra, computer virus protection, diet pills, bogus investment advice, phony diplomas, bootleg printer cartridges and passes to “thousands of XXX sites.”
I also assume there are malicious phishing emails in that mess.
It’s unclear how many officials were targeted by the ongoing intrusions or how senior they were, but according to the intelligence officer, “many” top officials were successfully compromised.
The names and ranks of the officials whose emails were actually grabbed, however, were not disclosed in the NSA briefing nor by the intelligence official.
While details of the hack were not published, a typical phishing email baits the recipient into clicking a malicious link in what looks like a harmless message.
The link leads to a credential-harvesting page or a malware download, from which the attacker can obtain the target’s username, password and other sensitive information, and then use that access to pivot into whatever systems those credentials unlock.
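The mechanism described above is the visible part of the attack: a link whose display text and destination disagree, or whose destination is a raw IP, a punycode lookalike, or a host hidden behind a `user@` prefix. As an added example that is not part of the NBC report or this article, the script below applies those heuristics to the anchors in an HTML email body. `TRUSTED_DOMAINS` and `SAMPLE_BODY` are constructed for illustration; the registrable-domain logic is deliberately crude (last two labels) and a production check would use the Public Suffix List.

```python
"""Flag suspicious links in an HTML e-mail body (illustrative phishing heuristics)."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Hypothetical: brands/domains the recipient actually has accounts with.
TRUSTED_DOMAINS = ("google.com", "amazon.com", "state.gov")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' approximation of the registrable domain."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


# Something in the visible text that looks like a hostname or URL.
_URLISH = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def link_findings(href, text):
    """Return a list of reasons this link looks like phishing (empty if none)."""
    findings = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https"):
        # javascript:, mailto:, relative links: report for manual review.
        findings.append("non-http scheme")
        return findings
    if parsed.scheme == "http":
        findings.append("plain http")
    if is_ip(host):
        findings.append("raw IP address")
    if host.startswith("xn--") or ".xn--" in host:
        findings.append("punycode label")
    if "@" in parsed.netloc:
        # http://google.com@evil.example/ really goes to evil.example.
        findings.append("userinfo before host")
    # Visible text names one domain, the href goes to another.
    m = _URLISH.search(text)
    if m and registrable_domain(m.group(1)) != registrable_domain(host):
        findings.append(f"text says {m.group(1)} but href goes to {host}")
    # Trusted brand used as a subdomain label of an unrelated registrable domain.
    for trusted in TRUSTED_DOMAINS:
        if trusted in host and registrable_domain(host) != registrable_domain(trusted):
            findings.append(f"lookalike of {trusted}")
            break
    return findings


def scan_email_html(body):
    """Map each suspicious href in the body to its list of findings."""
    parser = _LinkExtractor()
    parser.feed(body)
    report = {}
    for href, text in parser.links:
        found = link_findings(href, text)
        if found:
            report[href] = found
    return report


# Constructed sample message: one lookalike login lure, one benign link, one raw-IP download.
SAMPLE_BODY = """<html><body>
<p>Your account will be suspended. Sign in at
<a href="http://accounts.google.com.verify-login.example/reset">accounts.google.com</a></p>
<p>Track your order at <a href="https://www.amazon.com/orders">amazon.com</a>.</p>
<p><a href="https://198.51.100.23/doc.exe">View the attached memo</a></p>
</body></html>"""

if __name__ == "__main__":
    for href, reasons in scan_email_html(SAMPLE_BODY).items():
        print(href, "->", "; ".join(reasons))
```

The text-versus-href test is the one most worth keeping: it catches the lure in the sample while letting the genuine `www.amazon.com` link through. It will also fire on legitimate marketing mail that routes links through a tracking domain, so in practice the output is a triage aid for a mail gateway or a user-facing warning, not a blocking rule.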
The Chinese also harvested the email address books of targeted officials, according to the top secret NSA document, reconstructing and then “exploiting the(ir) social networks” by sending malware to their friends and colleagues, NBC reported.
How can administration officials be so easily duped by Chinese hackers?
You’d think they’d be more cyber-savvy; then again, they’re just elected officials and government employees.
Even if an individual has been trained by his or her agency to identify and avoid phishing scams, one cybersecurity course will not be enough to make that person change his or her behavior in the long run, especially if it’s their personal email and their guard is down, cybersecurity expert Joe Loomis of Cybersponse told Business Insider.
“Statistically, if employees are not retrained to avoid phishing scams within 90 days, they start to click [on the malicious links] again,” Loomis said, citing data provided by the cybersecurity company Phishbite.
Unlike similar efforts against the State Department or the Office of Personnel Management, this attack didn’t target official IT infrastructure, but focused on personally maintained accounts on Gmail or other services.
A Gizmodo op-ed notes that this has got to be bad for Hillary Clinton, whose use of personal email address as Secretary of State is now under FBI investigation.
NBC hasn’t confirmed that Clinton is among the hacked officials, but if she is, she’ll be in a distinctly vulnerable position, said the piece.
Clinton rigged up a home-brewed email system and used it to conduct official business while she was in office, which means the contents of her emails likely contain more officially compromising information.
John Kerry, by the way, said during an interview on the “CBS Evening News” Tuesday night that Chinese hackers are probably reading his emails—and he writes messages assuming they are.
Meanwhile, the NSA evidently can’t do anything to stop China from reading the compromised email accounts belonging to U.S. officials.