Enable breadcrumbs token at /includes/pageheader.html.twig

Military Website Spoofing Is No Laughing Matter

Earlier this year, the U.S. Air Force Portal was spoofed, causing a ripple of concern through the service branch. Nearly identical to the real site, the fake one aimed to fool people into entering their log-ins and passwords so the information could be captured by illicit sources. Such scams are on the rise across the Internet, and the U.S. Defense Department is not immune to the threat. But in a government department known for passing orders from the top down, the only way to secure the networks is through awareness at the lowest level.
By Rita Boland, SIGNAL Magazine


Earlier this year, cybercriminals spoofed the U.S. Air Force’s Web portal. Such attacks are on the rise across the Internet, and the various military branches are engaged in battling these phishing attempts.

Enhanced vigilance is required as defense Web pages face greater threats.

Earlier this year, the U.S. Air Force Portal was spoofed, causing a ripple of concern through the service branch. Nearly identical to the real site, the fake one aimed to fool people into entering their log-ins and passwords so the information could be captured by illicit sources. Such scams are on the rise across the Internet, and the U.S. Defense Department is not immune to the threat. But in a government department known for passing orders from the top down, the only way to secure the networks is through awareness at the lowest level.

An official with the 24th Air Force says that attentive viewers would have been able to spot small differences between the real and spoofed portal, and that valid Air Force sites end in .mil, never in .com. Though the service’s network is protected at all times by cyberspace operators across the globe, caution by users is the best defense against spoofing and phishing attacks. The official explains that the most effective way to secure systems is to educate users about the existence of such sites and for them to be vigilant on any websites that require the input of personal information.

Because spoofed sites are built on the Internet outside of the Air Force network, monitoring and attributing site activity is a challenge for the military branch. The Air Force representative says there is no way to say with certainty how many people may have entered information into the fake site. To date, service cyber personnel have not detected any intrusion attempts that could have been developed from information gleaned from the phishing attempt, but they continue to monitor for malicious activity of any type.

An Air Force member first spotted the spoofed portal and reported it up the chain of command so the 624th Operations Center, which provides the Air Force with a full-spectrum, integrated cyberspace operations capability, could address the issue. Officials with the service say this heads-up Web interaction is a “great example of how vigilant users can make a big difference in protecting the Air Force network and their fellow airmen in today’s dynamic cyber environment.”

According to Internet security companies such as McAfee, phishing attacks are increasing with tens of thousands of unique cases surfacing each year. The Air Force is only one of many targets in the attacks. These sites can appear at any time, so taking down an identified spoof site now does not guarantee safety moving forward.

Air Force cyber experts have several tips for personnel that will help protect personal information and the network. The first is simple, but important: Airmen can type in or bookmark official websites instead of locating sites via search engines. This will ensure that only proper sites are visited. In addition, users should confirm they are visiting a .mil or .gov domain and then pay attention to the information contained on the site in case anything appears unusual. The National Security Agency has published a guide called Best Practices for Keeping Your Home Network Secure, which is available online. It has suggestions in a number of areas, including host-based and operation-security recommendations. Airmen and civilians who identify a suspicious Air Force website should alert their local information assurance office.

The U.S. Army also is battling phishing scams, including a previous spoofing of Army Knowledge Online (AKO). Col. Jeffrey R. Schilling, USA, chief, Current Ops Army Cyber Command/Network Enterprise Technology Command, says that so far these attacks have caused little to no operational impact. Nevertheless, spoofing and phishing emails are items of concern to soldiers because they represent the two major avenues of approach used by threat actors to gain unauthorized access into networks.

A sensitive organization within the Army actively looks for spoofing attempts on the Internet. When a fake site is identified, the organization coordinates with Internet search engines to correct the search results so the spoofed site does not appear as the top result. The Army also works in coordination with U.S. Cyber Command and the Defense Information Systems Agency (DISA) on the defense-in-depth strategy to deny threat actors that avenue of approach. This strategy includes tools to assess the robustness and security readiness of networks.

According to Col. Schilling, DISA employs network defense tools at Internet access points that can block entry to these spoofed sites from Defense Department-hosted workstations, as well as block the downloading of malicious software. The agency takes direction from Cyber Command on these actions. “At the Army Theater Cyber Centers and camp/post/station level, we have [network defense] tools and strategies that we can tune to detect and interdict this activity before it can affect the user,” the colonel says. “Like the Air Force, we will never stop all of this activity at the Internet access point [or] with our Army Network Managed tools and strategies. Our last line of defense is the cyber-savvy users, who, through our aggressive information assurance security training program, will recognize a spoofed site before they interact with the content.”

The collaborative environment created by Cyber Command and its predecessor, the Joint Task Force Global Network Operations Center, has created a routine information-sharing environment among the military services, combatant commands and agencies so cyber personnel are aware of attacks on their fellow services. “On a daily basis, I review cyber intelligence indications and warnings, provided by our operational intelligence division, looking at incidents such as [the Air Force Portal spoofing] that are happening on our Defense Department partners’ networks,” Col. Schilling explains. “We take the data from these incidents and fine-tune our sensors and our defensive tactics on a daily basis to ensure the same incident does not happen to the Army. We also collaborate with U.S. Cyber Command and DISA to use their defensive capabilities at the Internet access points where it makes more sense to stop this kind of activity before it gets to the Army LandWarNet.”

Specific incidents such as the attack on the Air Force do require soldiers to be more vigilant. Col. Schilling says the Army constantly adjusts its sensor grid and tactics to stay ahead of threats. “Our cybersecurity personnel are leading this defensive effort and have to be on point, watching sensors, patching vulnerable systems and checking systems logs,” he explains. “Accurate reporting, good analysis and timely, globally coordinated action through our cybersecurity personnel are the keys to our success.”

The biggest danger that spoofed sites pose to soldiers and the Army is the capture of log-on credentials and passwords. This theft could enable threat actors to impersonate a soldier or civilian employee on Army or defense networks—including sites dedicated to paycheck information—or to steal someone’s identity.

Col. Schilling says that the Army is most concerned about personnel who access Army websites through their home systems. When away from post, these users are not under the protective umbrella that the defense-in-depth strategy provides, Col. Shilling explains, but the good news is that home users can take a few simple steps to protect themselves and make their personal systems a harder target (see box for specific safety recommendations).

The U.S. Marine Corps would not speak directly to spoofing attacks on their networks, but Gen. James Amos, USMC, 35th commandant of the Marine Corps, indicated a desire to increase cybercapability and capacity across the Corps in planning guidance. “We’ve been pursuing this objective in two ways in particular,” explains Lt. Col. Dave DiEugenio, USMC, executive officer, Marine Corps Network Operations and Security Center. “First, we continue to improve the people, processes and tools with which we operate and defend the network. Second, the Marine Corps is incorporating cyber awareness training at all levels through both annual and refresher training, as well as in professional military education courses across the Corps.”

Marines are encouraged to approach cyberspace as they would any operational domain. “The best way to avoid falling prey to a cyberthreat is to be aware of your surroundings in cyberspace,” Col. DiEugenio says. “Just as situational awareness helps keep Marines alive on the battlefield, situational awareness in cyberspace can mitigate the risk of a potential threat.”

The Corps’ annual information assurance training highlights some of the most common risks and teaches students how to avoid them. “Small-unit leaders need to reinforce the tenets of operational security and personal responsibility for online behavior the same way they do for other aspects of performance and conduct,” the colonel states. “While the Marine Corps does a good job of patching network vulnerabilities and ensuring antivirus software is up to date, Marines should be diligent on their personal computers as well.”

Col. DiEugenio believes the best practice is not to discuss potential advantages or disadvantages of particular threats. Instead, the focus should remain on staying sharp individually and collectively to ensure that people, processes and tools mitigate risks. “We actively collaborate with the other services, U.S. Cyber Command and other partners to successfully operate and defend the Marine Corps Enterprise Network,” he says.

Sharing information and tactics is critical in the ever-evolving world of cyber operations. “The cyberthreat is multidimensional and increasingly complex,” Col. DiEugenio explains. “We approach the cybermission in much the same way we would any other warfighting role: missions are assessed; resources are applied; and we aggressively pursue success the way Marines have done for nearly two and a half centuries. The Marines’ Hymn notes we ‘fight in every clime and place,’ and in the 21st century, that includes cyberspace.”

24th Air Force: www.24af.af.mil
Army Cyber Command: www.arcyber.army.mil
Defense Department Cyber Strategy: www.defense.gov/cyber
Best Practices for Keeping Your Home Network Safe: www.nsa.gov/ia/_files/factsheets/Best_Practices_Datasheets.pdf