The Defense Department is battling “a significant and widespread effort” to penetrate DOD information systems with sophisticated, targeted, socially engineered e-mail messages in a technique known as spear phishing, according to internal documents.
The Joint Task Force-Global Network Operations (JTF-GNO) warned DOD users last month in an internal presentation that everyone within DOD is a spear phishing target. Attempts have been made against all ranks in all services in all geographic locations. DOD civilians and military contractors have also been hit by spear phishing attacks, the JTF-GNO presentation states.
The Defense Security Service (DSS), which supports contractor access to DOD networks, said in a bulletin sent to contractors in October that JTF-GNO “has observed tens of thousands of malicious e-mails targeting soldiers, sailors, airmen and Marines; U.S. government civilian workers; and DOD contractors, with the potential compromise of a significant number of computers across the DOD.”
U.S. Forces Korea echoed this warning in a recent information assurance alert. It warns that outsiders target its information systems on a daily basis by phishing and spear phishing attacks, which attempt to gain access to operational and personal information through bogus e-mail messages.
“At this point, the true scope of compromise and exploitation is unknown, but likely thousands more users and computers have been, or will be, successfully targeted,” the bulletin states.
The bulletin adds that the sophistication of the techniques spear phishers use is reflected in their ability to obtain and apply legitimate DOD documents and data. The spear phisers also use enticing subject lines related to legitimate operations, exercises or military topics.
The U.S. Forces Korea information assurance alert states that unsolicited e-mail messages lure unsuspecting users to click on links to Web sites or attachments that download malicious software, known as malware, onto the system to steal data, including sensitive but unclassified information.
JTF-GNO illustrated the sophistication of spear phishing attacks DOD faces in a “DOD Spear Phishing Awareness Training” presentation obtained by Federal Computer Week. That presentation shows a faked message that appears to come from the operations division at the Pacific Command (Pacom) with a PowerPoint attachment concerning the Pacom “Valiant Shield” exercise held this summer.
Digg
De.licio.us
Slashdot
Technorati
