Posted by Trevagh Stankard on Tue, Feb 23rd, 2021
You cannot have a serious discussion about cybersecurity without discussing email security. Because email is ubiquitous within the enterprise, email security is part of the foundation that protects an enterprise's assets. Industry estimates commonly put the share of targeted cyberattacks that begin with an email at around 90 percent. Despite all of the attention directed at cyber hygiene, users continue to click on links with little regard for the consequences. Even more concerning is the number of user accounts that are compromised each year. Email accounts are tied in some way to almost everything online, which makes them a valuable target for attackers. An email address usually doubles as a username, and the mailbox is the main channel for password resets. Once an intruder controls a mailbox, they can reset the passwords on every account tied to it, and a lot of bad things follow from that.
It’s Not Just Casual Email Users That Are Compromised
Compromised email accounts have become too regular an occurrence, and the numbers are staggering. One widely circulated estimate puts the number of accounts compromised in 2019 alone at 2.5 billion. That works out to roughly 6.85 million accounts every day, or about 79 every second. And yet, even with such numbers, it is easy to dismiss these as frivolous personal accounts. Unfortunately, that is far from the case. Attackers pursue high-value accounts that are linked to high-value assets, and the seizure of an email account is often the first step in compromising an organization at large. There is no better recent example than the compromise of dozens of email accounts at the U.S. Treasury Department last December. One must wonder what chance an ordinary organization has of securing its email accounts if the United States government cannot.
Details of the Attack
The seizure of privileged user accounts was not the result of an average credential stuffing attack, but of a highly sophisticated software supply chain attack. According to a statement released by Senate Finance Committee ranking member Ron Wyden:
“Hackers broke into systems in the Departmental Offices division of Treasury, home to the department’s highest-ranking officials.”
The breach was part of the highly publicized SolarWinds attack, in which foreign hackers, most likely sponsored in some way by the Russian government, inserted a backdoor into legitimately signed updates of the SolarWinds Orion monitoring and management software. Once inside a victim network, the attackers stole or forged the credentials and tokens that legitimate users sign in with, so they never had to guess usernames and passwords. As a result, they were able to impersonate users and operate freely within the compromised organizations. Unfortunately, no one knows for sure what information was stolen or the full range of actions carried out by the attackers. SolarWinds has since released updated Orion builds that remove the backdoor. As many as 18,000 government and private customers downloaded the tainted update, giving the attackers a potential foothold in each of those networks and the opportunity to seize user IDs, passwords, financial records, source code and other sensitive or high-value data.
Why Email Accounts are so Valuable
Email accounts are one of the weak links that cybercriminals most frequently target. Just as the attackers leveraged a single compromised SolarWinds update to reach thousands of networks, a single compromised mailbox can have compounding consequences, because that one address is linked to many other user accounts and gives attackers a path into each of those treasure troves. It is the same way a pandemic spreads outward from contact with a single infected host.
The Case for Zero-Trust Security
While politicians, regulators, cybersecurity professionals and software developers try to work out what could have been done to prevent this attack, it is clear that there is no easy answer. Supply chain attacks are hard to defend against because you are relying on the software vendor to secure their source code, build pipeline and platforms. In this case, the usual recommendations would have done nothing to prevent the attack.
- Organizations are told to install only signed software, but the backdoored updates in this case carried a valid vendor signature.
- Updating to the latest software version would not have helped, because the backdoor was delivered in the latest version.
- The attack was conducted in a highly concealed and stealthy fashion and would not have been detected by everyday monitoring efforts.
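The first point above deserves a concrete illustration, because it is the one most often misread: a valid signature proves who signed an artifact, not that its contents are safe, and when the attacker's code goes through the vendor's own build pipeline it is signed with the vendor's legitimate key. The program below is an added example written for this article; it is not SolarWinds code, and the update format, the `Approvals` allowlist and the sample builds are all constructed here. It signs a clean build and a backdoored build with the same vendor key, shows that a signature-only policy accepts both, and then applies a zero-trust style policy that additionally requires the deploying organization to have independently approved the exact artifact hash.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Update is a vendor-signed release artifact. Constructed for this example;
// it does not model any real product's update format.
type Update struct {
	Version   string
	Contents  []byte // the build as shipped to customers
	VendorSig []byte // Ed25519 signature over Contents by the vendor's release key
}

// Vendor holds a release signing key. In a build-pipeline compromise the
// attacker's implant is signed by this genuine key, so Release signs whatever
// it is handed, exactly as a compromised pipeline would.
type Vendor struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewVendor() (*Vendor, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Vendor{Pub: pub, priv: priv}, nil
}

func (v *Vendor) Release(version string, contents []byte) Update {
	return Update{Version: version, Contents: contents, VendorSig: ed25519.Sign(v.priv, contents)}
}

func artifactHash(contents []byte) string {
	sum := sha256.Sum256(contents)
	return hex.EncodeToString(sum[:])
}

// SignatureOnlyPolicy is the "only install signed software" control on its own.
func SignatureOnlyPolicy(vendorPub ed25519.PublicKey, u Update) bool {
	return ed25519.Verify(vendorPub, u.Contents, u.VendorSig)
}

// Approvals is the deploying organization's own allowlist of artifact hashes,
// recorded only after it has examined a build itself (sandbox run, reproducible
// build comparison, or whatever review it requires). Hypothetical control.
type Approvals map[string]bool

func (a Approvals) Approve(contents []byte) { a[artifactHash(contents)] = true }

// ZeroTrustPolicy accepts a build only if the vendor signature is valid AND the
// organization has independently approved that exact artifact.
func ZeroTrustPolicy(vendorPub ed25519.PublicKey, approved Approvals, u Update) (bool, string) {
	if !ed25519.Verify(vendorPub, u.Contents, u.VendorSig) {
		return false, "rejected: vendor signature invalid"
	}
	h := artifactHash(u.Contents)
	if !approved[h] {
		return false, "rejected: vendor-signed but not independently approved (sha256 " + h[:16] + "...)"
	}
	return true, "accepted: signed and approved"
}

func main() {
	vendor, err := NewVendor()
	if err != nil {
		panic(err)
	}
	// Constructed sample builds: a clean release and the same release with an
	// implant appended inside the vendor's pipeline before signing.
	clean := vendor.Release("7.1", []byte("monitoring-agent v7.1 (clean build)"))
	backdoored := vendor.Release("7.1", []byte("monitoring-agent v7.1 (clean build)+implant"))

	approved := Approvals{}
	approved.Approve(clean.Contents) // only the reviewed build is on the allowlist

	for _, u := range []Update{clean, backdoored} {
		ok, why := ZeroTrustPolicy(vendor.Pub, approved, u)
		fmt.Printf("%-48q signature-only=%v zero-trust=%v (%s)\n",
			string(u.Contents), SignatureOnlyPolicy(vendor.Pub, u), ok, why)
	}
}
```

The signature-only column reads true for both builds; only the approval step separates them. The allowlist is the expensive part, since someone has to produce the approved hash out of band, but that cost is precisely the point of the zero-trust model: trust in the vendor's key is replaced by a check the organization performs itself.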
The ease with which highly privileged user accounts within the United States government were compromised should be a wake-up call to every enterprise. In today's highly connected and digital world, a zero-trust security model must be implemented. That means questioning the security of any software or hardware used within the enterprise rather than trusting it because of who supplied it. Skepticism, cynicism and disbelief are traits that can protect an organization.
Protect your organization with SpamTitan Email Protection. Protect against zero-day attacks with a multi-award-winning, advanced security solution. Start a SpamTitan free trial today.