Global Weekly Executive Summary, 13 April 2018

State of Hawaii Targeted in Iranian Data Theft

The U.S. Department of Justice’s recent indictment of nine Iranians accused of conducting cyberattacks contained a list of targeted organizations that included the State of Hawaii. This announcement coincided with “unusual activity” noted in dozens of State of Hawaii email accounts.

On March 23rd, the U.S. Department of Justice (DOJ) announced indictments charging nine Iranian nationals working for the Mabna Institute with malicious cyber-enabled activity and the theft of intellectual property and academic and proprietary data on behalf of Iran’s Islamic Revolutionary Guard Corps (IRGC), an intelligence-gathering government entity.

The DOJ indictment announcement states that 31 terabytes of documents and data were taken from American and foreign universities, American and foreign companies, and U.S. government agencies in a campaign that spanned from 2013 to December of 2017.

The news release lists targets of the Mabna Institute, including the state of Hawaii, the state of Indiana, the U.S. Department of Labor, the Federal Energy Regulatory Commission, and the United Nations. Thousands of professors at hundreds of universities across 21 countries as well as 47 private sector companies were also targeted.

According to the DOJ press release, “The Mabna Institute… targeted more than 100,000 accounts of professors around the world.  They successfully compromised approximately 8,000 professor email accounts across 144 U.S.-based universities, and 176 universities located in foreign countries, including Australia, Canada, China, Denmark, Finland, Germany, Ireland, Israel, Italy, Japan, Malaysia, Netherlands, Norway, Poland, Singapore, South Korea, Spain, Sweden, Switzerland, Turkey and the United Kingdom.”

Hawaii Phishing Attempts and the ETS Response

The State of Hawaii Office of Enterprise Technology Services (ETS) released a statement on March 23rd, the same day as the DOJ indictment announcement, describing “unusual activity involving thirty-seven email accounts.”

A Hawaii News Now article describes a timeline of events, saying the first phishing emails targeting the state of Hawaii arrived on Saturday, March 21, when an employee at the state Department of Agriculture clicked on a malicious link. On Monday, March 23, an employee at the state Department of Human Services also clicked on the link.

The statement from State Chief Information Officer (CIO) Todd Nacapuy and Chief Information Security Officer (CISO) Vincent Hoang says that the situation was resolved quickly, the emails did not contain confidential information, and “the State’s computer systems where confidential information is stored was not breached.” The Hawaii News Now article quotes Hoang as saying “the two attacks did not penetrate the state’s internal system so no resident information was compromised.”

ETS believes that the two phishing attempts are connected and the emails come from the same source. After the first user clicked on a malicious link, “a warning from the state’s IT office was sent out to workers reminding them not to open links without investigating first,” State CISO Vincent Hoang was quoted as saying.

User Education is the Best Defense

“We can throw a lot of technology at it but at the end of the day, the best defense is relying on our users by educating them.” Hoang described one element of this user education and training when he mentioned conducting “mock cyber attacks sending out fake links to see how many state workers click on them.”

Hoang says they have had positive results with these training exercises, but when faced with a genuine phishing email, at least two state of Hawaii employees still clicked on those malicious links.

The most vulnerable point in any information security scenario continues to be the human user, and this weakness can only be solved by effective and continual user education that works when tested by real-world situations.

Connection to UH Data Breach?

Although there has been no mention of the Mabna Institute cyberattacks being connected to the University of Hawaii data breach that took place in September 2017, we know that the systems of hundreds of unnamed universities and the accounts of over 100,000 professors both in the U.S. and abroad were targeted by the Mabna Institute. The date of the UH data breach falls within the active dates of this campaign.

Sources:

The United States Department of Justice, Nine Iranians Charged With Conducting Massive Cyber Theft Campaign on Behalf of the Islamic Revolutionary Guard Corps. 23 March 2018.

State of Hawaii, Office of Enterprise Technology Services, Response to the Department of Justice’s Indictment Charging Nine Iranian Nationals Regarding Cyber Intrusion. 23 March 2018.

Hawaii News Now, State on high alert after hackers target 2 agencies in ‘phishing’ attack. 27 March 2018.

US-CERT, Alert (TA18-086A), Brute Force Attacks Conducted by Cyber Actors. 27 March 2018.

UHWO CSCC article, University of Hawaii Data Breach. 26 January 2018.