Attackers, even those with deep pockets and deep benches of talent, will usually take the path of least resistance to get to a target. When that target is a government official, the easiest path probably isn’t the target’s government accounts, but rather his personal ones, which likely aren’t as well-protected or carefully controlled.
This has proven true many times over in recent years, with high-profile compromises of personal email accounts belonging to government officials, political candidates and campaigns. Although lawmakers are obvious targets for state-sponsored attackers, the government does not provide any protection for those officials’ personal devices or accounts. Sen. Ron Wyden is planning to introduce legislation to address that protection gap and allow the Senate Sergeant at Arms (SAA) to offer cybersecurity help to senators who request it for their personal accounts and devices. Wyden on Wednesday sent a letter to the Senate majority and minority leaders, as well as the chairman and ranking member of the Committee on Rules and Administration, asking them to support the legislation.
“The 2016 election made it clear that foreign governments, including Russia, are leveraging cyberspace to target the fundamental pillars of American democracy. Even more concerning, administration officials confirm that Russia is continuing its campaign of hacking and influence operations. But our adversaries do not limit their cyber attacks to elections infrastructure or even to official government accounts and devices; they are also targeting U.S. officials’ personal accounts and devices. Indeed, Admiral Michael Rogers confirmed earlier this year that personal devices and accounts of senior U.S. government officials ‘remain prime targets for exploitation’,” the letter says.
“In light of this ever-growing threat, I invite you to support legislation that I am introducing to permit the SAA to provide cybersecurity assistance to Senators and staff, on an opt-in basis, for their personal devices and accounts.”
Foreign government-backed attackers have had plenty of success targeting lawmakers and candidates in the past. Fancy Bear, a team Wyden references in his letter, is closely associated with Russian intelligence and has been blamed for attacks on the Democratic National Committee in 2016 and senior legislative staffers in the run-up to the 2016 election. The group has also been associated with attacks against governments and candidates in several other countries, and Wyden said in his letter that some senators and staff members have been targeted recently through their personal accounts.
“My office has since discovered that Fancy Bear targeted personal email accounts, not official government accounts. And the Fancy Bear attacks may be the tip of a much larger iceberg. My office has also discovered that at least one major technology company has informed a number of Senators and Senate staff members that their personal email accounts were targeted by foreign government hackers,” the letter says.
Wyden didn’t specify which tech company notified the senators and staff members about the foreign-government attacks, but Google has had a system for several years now that automatically alerts users when the company detects what looks like a government-sponsored attack on their Gmail accounts. Protecting the senators’ and staff members’ personal accounts and devices is not an easy task, but there are some simple steps that Senate technology staff could take that would make a big difference against targeted phishing attacks. Setting up two-factor authentication on Gmail accounts is a good start, and signing up for Google’s Advanced Protection Program, which uses a hardware security key for 2FA, is even better: unlike a code typed into a web page, a security key only answers the legitimate site it was registered with, so a phishing page cannot simply relay the second factor.