Thousands of federal bureaucrats who accessed the Ashley Madison website for extra-marital affairs opened the door for hackers, including those associated with foreign intelligence agencies, to gain access to sensitive government networks and U.S. secrets, according to cybersecurity experts.
If even one federal official used a government computer or email to open a fake message from Ashley Madison that contained malware – a technique called “spear phishing” – all of the information stored at that government agency could be compromised.
“The biggest thing it opens up is spear phishing,” American Enterprise Institute fellow Shane Tews told the Daily Caller News Foundation. “It makes it very hard for any sort of detection system. You’ve basically given them permission to come into your computer.”
“When you want to get into a system and you basically want to wreak havoc, all you need is one person dumb enough to open the email,” Tews continued. “One of the reasons why it’s so difficult to do cybersecurity is because it’s almost always a human error.”
A hack last week on Ashley Madison, which uses the tagline “Life is short. Have an affair,” resulted in two data dumps that exposed personal information, including credit cards and email addresses, of an estimated 37 million people.
An estimated 15,000 federal or military officials used their government email addresses for their Ashley Madison accounts, according to the Federal Times. Several hundred paid using their government-owned computers, The Associated Press reported.
Hackers can use the information from the breach to determine who else in government to attack with malware, and how.
“I would expect to see more spear phishing attacks,” said Heritage Foundation research associate for homeland security and cybersecurity Riley Walters.
Once malware is in a government network, a hacker can access, delete or degrade files – a process where a hacker will slowly alter information to avoid raising alarm, according to Tews.
“It’s probably not economic damage they want to do,” Tews said. “It’s probably espionage.”
“They’re going to try to use the information any way they can,” Walters said. “The information is just another tool for how people can take advantage of other people.”
Government agencies, including the U.S. Office of Personnel Management and the U.S. Postal Service, both of which were breached in the last year, often don’t train their employees to detect spear phishing, despite warnings from their inspectors general, TheDCNF previously reported.
“It’s the same thing you saw in the OPM and Post Office breaches,” Tews said.
Federal officials’ decision to access Ashley Madison with government technology increases the risk that an employee would click on malware, according to Institute for Critical Infrastructure Technology senior fellow James Scott.
“Obviously they’re careless, obviously they have ethical issues,” Scott said. He noted that such reckless behavior increased the likelihood that an employee would click on links with red flags, such as messages from clearly phony suitors.
Even if an employee uses their government email from a personal device outside of the office, they still could spread malware to their agency through cloud technology, Tews said.
Likewise, if an employee uses their personal email on a government device, a hacker still could infect the agency’s systems, because malware can sit on the hardware and wait to infect networks later.
“It doesn’t stop on their laptop,” Tews said. “It’s going to spread through the whole system.
Additionally, government servers often “do not have very sophisticated cybersecurity systems set up,” Tews said.
Even if malware only successfully penetrates a rank-and-file bureaucrat’s computer, the entire government agency could be at risk.
A hacker could eventually “peck” their way into deeper and closer guarded systems, Tews said. “If somebody’s really persistent, they’re going to use every angle they can to get into the system.”
And that’s only if the rank-and-file employee has limited access to their agency’s digital network. The Postal Service, for example, gave its employees – and consequently, hackers – much more access to its systems than necessary.