This week, a phishing attack landed in the inboxes of several US government agencies, spoofing the US government’s own cyber security watchdog and response agency. The e-mail carried an attachment whose payload was a nasty little virus that has already been tracked back to Mother Russia. To make matters a little embarrassing, the spoofed agency has not only reported a disruption of its own systems; it is also the government body responsible for identifying and mitigating just this type of thing.
No, that headline above is not typo-ridden, though at first blush it might seem to be. On January 11, news erupted of a rather malicious little spoof e-mail that circulated through the mail servers of several national, state and local government agencies and even private sector employees. The scam in question was an e-mail pretending to be the product of US-CERT, the United States Computer Emergency Readiness Team, a division of the Department of Homeland Security.
The messages were sent with fake source addresses that included email@example.com, the subject line “Phishing incident report call number: PH000000XXXXXXX” and an attachment named “US-CERT Operation Center Report XXXXXXX.zip”, a nasty little file which was anything but a report. In fact, after some quick investigation, the attachment – which unpacks and executes a file named “US-CERT Operation CENTER Reports.eml.exe”, the real .exe extension tucked behind a document-looking .eml – was discovered to be a variant of the infamous Zeus virus known as ‘Ice-IX’, a keylogger that steals banking and other personal information. As if that isn’t enough, the worm also bypasses firewalls and other protection schemes.
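As an added example (not code from the original article or from US-CERT), here is the defender-side check a mail gateway or analyst script should apply to a message like this one: open the zip attachment and flag a member such as “US-CERT Operation CENTER Reports.eml.exe”, whose document-looking .eml is followed by the real .exe extension. The sample message, its addresses and the inert zip member are constructed here to mirror the layout described above, and the extension lists are my assumption rather than any standard.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Assumed lists: types Windows runs on double-click, and document types a ".eml.exe" name borrows.
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DOC_EXTS = {"eml", "pdf", "doc", "docx", "txt", "rtf"}

def classify_name(name):
    """Return a finding string if the file name denotes an executable, else None."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2 or parts[-1] not in EXEC_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DOC_EXTS:
        return f"double-extension executable disguised as .{parts[-2]}: {name}"
    return f"executable attachment: {name}"

def inspect_message(raw):
    """Scan every attachment, opening zip archives, and return the findings."""
    msg = message_from_bytes(raw, policy=default)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if hit := classify_name(fname):
            findings.append(hit)
        if payload[:2] == b"PK":  # zip magic, whatever the declared name says
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for member in zf.namelist():
                        if hit := classify_name(member):
                            findings.append(f"in {fname}: {hit}")
            except zipfile.BadZipFile:
                findings.append(f"corrupt or truncated zip: {fname}")
    return findings

def build_sample():
    """Constructed message laid out like the campaign; the zip member is inert bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("US-CERT Operation CENTER Reports.eml.exe", b"not a real program")
    msg = EmailMessage()
    msg["From"] = "US-CERT <email@example.com>"
    msg["Subject"] = "Phishing incident report call number: PH000000XXXXXXX"
    msg.set_content("Please review the attached incident report.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="US-CERT Operation Center Report XXXXXXX.zip")
    return msg.as_bytes()
```

Running `inspect_message(build_sample())` yields one finding naming the disguised .eml.exe member inside the zip; a plain .pdf attachment produces none.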
Oh, the Irony!
US-CERT responded by doing what it’s supposed to do: it posted a bulletin and notified agencies. And while not admitting that anyone at US-CERT actually opened the little bugger, an operator at the agency reported “difficulty receiving emails due to the phishing campaign,” according to SC Magazine. It’s a little embarrassing, considering that this is just the type of thing US-CERT has been mandated to protect against, but a forgivable fumble given that the scam artists continue to get wilier and more creative in their attacks.
In an ‘it never hurts to state the obvious’ moment, US-CERT included the following advisories in its security bulletin:
US-CERT encourages users to do the following to reduce the risks associated with this and other phishing campaigns.
- Do not open the attachments in email messages from unknown sources.
- Install anti-virus software and keep virus signature files up to date.
- Refer to Recognizing and Avoiding Email Scams (pdf) documents for more information on avoiding email scams.
- Refer to the Avoiding Social Engineering and Phishing Attacks document for information on social engineering attacks.
- Refer to Recovering from Viruses, Worms, and Trojan Horses document for additional information on how to recover from malware.
From Russia with Malice
The story gets a little more interesting from here, when Nextgov.com reported on Wednesday that “Researchers outside of US-CERT traced the malicious software to a botnet – a remotely-controlled network of infected computers – that is taking commands from computers located in Russia.” It’s not clear why researchers outside of US-CERT traced the location – it would seem natural that US-CERT was capable of doing that sort of thing. Isn’t it logical to assume that’s what the “response” part of their name is for?
Regarding the attack and its location, there’s clearly no love here, only malice. So why was an e-mail from Russia so specifically targeted at and around US-CERT and US government agencies? It’s extremely unlikely that this was state sponsored – the method used and speed at which it was detected suggest something far too ham-handed to be anything that nefarious. So taking that into consideration, the incident still poses something of an oddity. If a group, say organized crime – which is alive and well in Mother Russia – was responsible for the attack, what could they possibly hope to gain by phishing government agencies in the US? And if it was some cyberdude named Boris, who figured he’d take time from his daily routine of scamming innocents to pry into US-CERT’s activities, he certainly isn’t the brightest cyberdude in cyberspace.
It’s very mysterious, this one, and it will be interesting to see what, if anything, comes from the follow-up investigations.