Security Experts:

Subscriber Data Stolen from Major Military Publisher in Recent Cyber Attack

Data Breach Exposes Highly Selective Group that can be used in Targeted Phishing Attacks on DoD/Government/Defense Contractors

Gannett Government Media, publisher of several high profile publications catering to the military and government sectors, has been the victim of a recent a cyber attack. The publisher recently experienced unauthorized access to files containing information including first and last name, userID, password, email address, and customer numbers for its subscribers. Additionally, for some military subscribers, ZIP csode, duty status, paygrade, and branch of service was accesed, if provided.

Well known titles published by Gannett Government Media include, Army Times, Navy Times, Air Force Times, Marine Corps Times, Armed Forces Journal, Defense News, Intelligence, Surveillance and Reconnaissance Journal, Training and Simulation Journal, Federal Times, and EDGE Magazine.

Why is this more important than other recent breaches? Given the subscriber base of these publications, the data is potentially very valuable for adversaries, and could be used to craft highly targeted, and well-crafted spear phishing attacks on government and military personnel. It’s likely that the subscriber base includes a high concentration of individuals from the military, government agencies and defense contractors. Such targeted attacks are what contributed to recent high profile breaches at RSA, the IMF, and others. “A year ago a breach at Gannett would have been newsworthy. Today it is de rigeur -- everybody expects it and accepts it,” said Dr. Anup Ghosh, Founder & Chief Executive Officer at Invincea. “Now if your breach doesn't involve million users, e.g., Epsilon, or 100M users, e.g., Sony's recent breaches, then it seems hardly newsworthy and people go back to their business,” Ghosh said.

Ghosh agrees that this breach may be a bit different in terms of fallout and opportunity to attack high value targets. “While the total number of customer data records compromised hasn't been released, in the case of this Gannett Government Media breach, the subscriber base is military, retired military, defense contractor or other US Government personnel. As a result, it is a highly selective group that can be used in targeted phishing campaigns to get on DoD/Government/Defense contractor networks.”

Looking at the potential targets as a result of this breach, cybercriminals have an increased opportunity to target:

• American citizens - personally identifiable information (identities), financial information

• American government agencies - cyber espionage across all agencies, civilian and DoD

• American defense contractors - military advancements and secrets

• American corporations - Intellectual property

What we are witnessing is the wholesale theft of a nation - the theft of American competitiveness on a global scale,” said Ghosh. “If you look at the news over the past 6 months, the pace of breaches seems to be growing exponentially. This is because the adversaries are essentially gaining unfettered access to our networks - we've sort of given up as an industry on prevention - focusing our attention on reactive security - they know this and are looking at this as an ideal opportunity to grab anything and everything they can get their hands on - and it appears they can get their hands on anything and everything.”

According to Ram Mohan, CTO at Afilias, when cybercriminals have enough detailed, information they can construct highly targeted phishing runs aimed at known customers of affected companies. “Many savvy net users have learned to be suspicious of emails beginning with 'Dear Customer’ or other vague salutations, but these targeted "spear phishing" attacks can look a lot more convincing. If you already have a business relationship with a company and you receive a realistic-looking email purportedly from that company, you're a little more likely to believe the phisher's overtures are genuine if they address you by name. Many of these recommendations may appear to be basic, but it is surprising how often they go unheeded, even in large enterprises,” Mohan adds. “Recently, court documents revealed that the publisher Condé Nast handed more than $8 million over the course of several months to a fraudster posing as a regular supplier. An employee was on the receiving end of an extremely targeted spear-phishing attack.”

What do we need to do?

“As a nation, we need to wake up and realize that our defenses are down and our IP and sensitive records are being leaked,” said Invincea’s Ghosh. “We need to emphasize proactive vs. reactive security strategies. We seem to have given up on the notion of prevention. Shrugging our shoulders as an industry when these breaches occur and focused our attention on post-facto identification of a breach. This is a defeatist mentality that does nothing to curb the problem. Simply knowing what was stolen does nothing to get the data back or undue the years - potentially decades worth of damage being done.”

According to Ghosh, the user is the common denominator in the vast majority of recent breaches, driven through spear phishing attempts, poisoned search engine results, compromised websites, etc. "To slow this down, we need to think about deploying solutions that are available today on a massive scale to protect the users when they are coming into contact with untrusted content from the Internet. We need to find a way to keep user mistakes from opening the network to breach - and advances in virtualization technologies make this possible today."

Gannett Government Media said that no financial (e.g. credit or debit card) information was compromised, as financial information is stored on a completely different system. With headquarters in Springfield, Virginia, Gannett Government Media employs over 225 people worldwide.

Subscribe to the SecurityWeek Email Briefing
view counter
For more than 10 years, Mike Lennon has been closely monitoring and analyzing trends in the enterprise IT security space and the threat landscape. In his role at SecurityWeek he oversees the editorial direction of the publication and manages several leading security conferences.