At first glance, the email must have jumped out as urgent to the senior Education Department staff who received it.
The message came from arne.duncan[at]ymail.com, containing the name of Education Secretary Arne Duncan.
But once someone in the department’s senior staff, perhaps several recipients, opened the email, they clicked a link that led to malware hosted on another server.
Soon, the attack, spanning several weeks in April 2011, was followed by two more so-called phishing attempts targeting senior department officials. All of the cyberattacks were successful in stealing government data.
The previously undisclosed attacks came to light in records recently obtained by Federal Times through the Freedom of Information Act.
While such attacks on federal agencies have been a persistent concern over the years, the records provide a rare look into precisely how one such operation targeting a federal agency worked.
Nearly two dozen of the corrupt email messages were sent to unnamed senior officials from the same email address: alexaposny[at]yahoo.com.
At the time, Posny was the department’s assistant secretary for special education, but the email account did not belong to her.
The messages all contained the same subject line: “Libya transition scenarios and option,” according to the records.
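The two lures described above share a shape a mail gateway can test for: a senior official's name in the sender's display name or local part, but a free webmail domain instead of the agency's own, and one outside address sending the same subject line to many internal recipients. The following triage script is an added example and is not part of the Federal Times records or any Education Department tooling; the internal domain `ed.gov`, the executive directory, the recipient addresses and the sample headers are all constructed for illustration, and only the two sender addresses and the subject line come from the article.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Assumed internal domain; the directory of senior officials is constructed
# for this example (the names appear in the article, the list does not).
ORG_DOMAIN = "ed.gov"
SENIOR_OFFICIALS = {"Arne Duncan", "Alexa Posny"}
FREE_WEBMAIL = {"ymail.com", "yahoo.com", "gmail.com", "hotmail.com", "outlook.com"}


def compact_name(text):
    """'Arne Duncan', 'arne.duncan' and 'alexaposny' all reduce to letters only,
    so dotted, joined and spaced spellings of one name compare equal."""
    return re.sub(r"[^a-z]", "", text.lower())


OFFICIAL_KEYS = {compact_name(n): n for n in SENIOR_OFFICIALS}


def sender_parts(from_header):
    display, addr = parseaddr(str(from_header))
    addr = addr.lower()
    local, _, domain = addr.partition("@")
    return display, local, domain


def impersonation_reason(from_header):
    """Return why a From header looks like executive impersonation, or None.
    Mail from the organization's own domain is never flagged here."""
    display, local, domain = sender_parts(from_header)
    if domain == ORG_DOMAIN:
        return None
    hits = {compact_name(display), compact_name(local)} & OFFICIAL_KEYS.keys()
    if not hits:
        return None
    kind = "free webmail" if domain in FREE_WEBMAIL else "external"
    official = OFFICIAL_KEYS[next(iter(hits))]
    return f"sender uses name of official '{official}' from {kind} domain {domain}"


def parse_messages(raw_messages):
    return [message_from_string(raw, policy=default) for raw in raw_messages]


def find_impersonations(messages):
    findings = []
    for msg in messages:
        reason = impersonation_reason(msg["From"])
        if reason:
            findings.append({"to": str(msg["To"]).lower(),
                             "subject": str(msg["Subject"]).strip(),
                             "reason": reason})
    return findings


def find_campaigns(messages, min_recipients=3):
    """Group external mail by (sender address, subject). One outside address
    reaching several internal recipients with one subject is the pattern the
    records describe for the alexaposny@yahoo.com messages."""
    groups = defaultdict(set)
    for msg in messages:
        _, _, domain = sender_parts(msg["From"])
        if domain == ORG_DOMAIN:
            continue
        _, addr = parseaddr(str(msg["From"]))
        groups[(addr.lower(), str(msg["Subject"]).strip())].add(str(msg["To"]).lower())
    return {key: sorted(rcpts) for key, rcpts in groups.items() if len(rcpts) >= min_recipients}


# Constructed sample headers: two lures modelled on the article, one genuine
# internal message, one ordinary external message.
SAMPLE_MAIL = [
    'From: "Arne Duncan" <arne.duncan@ymail.com>\nTo: chief.of.staff@ed.gov\n'
    'Subject: Please review before the 3pm meeting\n\nSee the link below.\n',
    'From: alexaposny@yahoo.com\nTo: deputy.one@ed.gov\n'
    'Subject: Libya transition scenarios and option\n\nAttached.\n',
    'From: alexaposny@yahoo.com\nTo: deputy.two@ed.gov\n'
    'Subject: Libya transition scenarios and option\n\nAttached.\n',
    'From: alexaposny@yahoo.com\nTo: deputy.three@ed.gov\n'
    'Subject: Libya transition scenarios and option\n\nAttached.\n',
    'From: "Arne Duncan" <arne.duncan@ed.gov>\nTo: chief.of.staff@ed.gov\n'
    'Subject: Staff meeting moved\n\nSee calendar.\n',
    'From: "Pat Vendor" <pat@vendor.example>\nTo: procurement@ed.gov\n'
    'Subject: Invoice 1042\n\nPlease find attached.\n',
]

if __name__ == "__main__":
    msgs = parse_messages(SAMPLE_MAIL)
    for finding in find_impersonations(msgs):
        print("IMPERSONATION", finding)
    for (sender, subject), rcpts in find_campaigns(msgs).items():
        print("CAMPAIGN", sender, repr(subject), len(rcpts), "recipients")
```

The two checks are deliberately independent: the name match catches the single `arne.duncan[at]ymail.com` message even though it went to one recipient, while the campaign grouping catches a burst from an unfamiliar address even when the name is not in the directory. In a real gateway both would be signals fed into quarantine or user warnings rather than hard blocks, since a genuine contact writing from personal webmail will also trip the first rule.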
“These campaigns by advanced persistent threat actors were successful at infiltrating, establishing a foothold and then exfiltrating data from the department,” a case memo from the technology crimes division of the Education Department’s inspector general concluded.
In response to inquiries from Federal Times, officials declined to provide details about how much data and what sort of information the cyberattackers stole. A separate report by the IG discusses the motivations of the attackers, but it is classified, according to the IG records obtained by Federal Times.
Neither the department nor the IG would discuss the attack or subsequent investigation, but the tactics described are both common and effective, analysts said.
“We sometimes use a term for this called whaling, and you go after the biggest fish,” said cybersecurity expert Fred Cate, a professor at Indiana University, who has advised the Pentagon and the Department of Homeland Security on security.
“It’s not that you’re interested in [senior staff], but they’re going to have passwords that allow them to have access to anything in the department,” Cate said.
“Once you’ve compromised their machines, then you can get salary, payroll, budget, any documents you want,” he said.
“You could put in any kind of malware, but probably what you would install is a key logger so you’re just capturing everything. Every email, every password, every account name, absolutely everything.”
Paul Rosenzweig, former DHS deputy assistant secretary for policy, who runs a consulting firm that advises companies on cybersecurity risks, said the attacks appear to have been a criminal breach, not a national security breach.
“It’s not a place where we have plans for the F-35 fighter, but it is a place that has a repository of information about people that’s of value,” he said of the Education Department.
“It’s the classic spear-phishing attack,” Rosenzweig said. “I’m not at all surprised they used Arne Duncan’s name. I’m a little sad but not terribly surprised that our federal officials haven’t figured out not to click on those links, but they’re human beings. It’s not just in government. This works everywhere.”
The records provided to Federal Times said the IG shared the results of its investigation with the FBI.
But the IG’s office did not present the case to federal prosecutors “due to the nature of the criminal element responsible for these campaigns” and ongoing investigative work by other, unnamed law enforcement agencies.