Daniel - stock.adobe.com
Revelations that a leaked dossier of confidential emails relating to post-Brexit trade talks, which called the future of the NHS into doubt, was stolen from ex-cabinet minister Liam Fox’s personal email by Russian state-backed hackers as part of an alleged attempt to interfere in the 2019 General Election, will raise further questions over the state of UK government cyber security.
Fox, who has held – and been fired from – multiple cabinet posts during his career, supposedly fell victim to several successive intrusions by Kremlin-linked actors between 12 July and 21 October 2019, according to Reuters, which cited sources who declined to be named citing an ongoing legal investigation.
The sources told Reuters that Fox had been the target of a spear phishing attack which tricked him into handing over his password and login details.
A government spokesperson told the news agency that the government had “robust” systems in place to safeguard IT systems belonging to senior officials and their staff.
Guy Phillips, NetDocuments international business vice president, said: “Clearly this data breach will be a huge concern for the UK government, and it highlights the very real threat organisations face protecting their sensitive documents.
“Unfortunately, malicious attacks still account for more than a third of data breaches each year, so it is vital that organisations have security measures in place to prevent sensitive documents falling into the wrong hands.
“Data protection and the multi-layered encryption should be at the core of today’s document and email management practices, and inevitably questions will be raised if the Department for Trade and Industry is found wanting,” he said.
“This case is yet another example of the threat posed by phishing attacks, particularly when they are targeted through clever social engineering. Phishing – and credential phishing in particular – is the most common gateway to organisations’ valuable data and a favoured attack vector of nation-state actors,” said Dave Mount, director of Europe at Cofense.
However efficient and robust the government’s cyber security protections are, the facts of the story appear to show that the hackers were easily able to render them useless simply by creating a convincing enough lure to take in their victim. To most cyber security professionals, this will not come as a surprise.
Tessian CEO Tim Sadler said: “Spear phishing is fast becoming a lucrative and attractive method of attack for cyber criminals. It’s not surprising – it’s relatively simple to do, highly effective and has a high ROI, especially when the target is a high-profile individual. What’s more, targets of spear phishing and social engineering scams like this often do not even realise they’ve been tricked or have done anything wrong until it’s too late.”
As so often with cyber security incidents, the ease of access for malicious actors implies a lack of appropriate training within an organisation, particularly when it comes to bosses, directors and other business leaders or highly placed individuals. Earlier in 2020, a survey by Egress Software found that the more senior the person within an organisation, the more blasé they tended to be when it came to security.
Egress reported many people in leadership positions believing they were too important or busy to bother sitting through security training sessions, or thought they already knew everything they needed to know, an example of what psychiatrists refer to as the Dunning-Kruger effect.
Meanwhile, people lower down in the organisation’s hierarchy, particularly IT and security staff, compounded the problem by being reluctant to raise concerns about the behaviour of senior figures, fearing embarrassment, push back, or even reprisals.
Cofense’s Mount said it was an uncomfortable truth that no matter how good one’s technological safeguards, malicious emails will still slip through, so individuals must be taught to be vigilant.
“With the right training and technology, end-user employees can be your strongest defence against phishing attacks. Indeed, Cofense’s proprietary data indicates that the reporting rate of phishing attacks by employees has increased year on year since 2015 – which suggests that when a collaborative security culture is created, users are recognising the threats that are facing them on a daily basis, and actively participating in the defence of their organisation,” he said.
“There is of course more to be done and organisations – whether in the private or public sector – need to continue to educate users to recognise emerging threats and encourage them to report suspicious emails, staying alert to the threats and reducing the risks,” said Mount.
Read more about phishing
- Bitdefender researchers identified new spear phishing campaigns against the oil and gas industry that include emails with no typos and perfect usage of industry terminology.
- Researchers identified a new email security threat: evasive spear phishing attacks, which take months of investigation and social engineering to coordinate.
- Social engineering attacks aren't anything new, but they continue to evolve and be a big problem for many organisations. Here are the various phishing attacks CIOs should expect, from tabnabbing to whale phishing.