Last Thursday, the U.S. Department of Justice charged 7 Russian government hackers with a range of daring hacks executed around the world. One of the most surprising revelations, however, was just how relatively common some of their methods were.
The dangers of public WiFi
As hackers employed by the GRU – Russian military intelligence – the 7 hackers’ targets came as no surprise. They included:
The lab responsible for analyzing the nerve agent used in the Skripal poisoning case;
The lab responsible for analyzing reports of chemical weapon use in Syria;
Numerous anti-doping agencies and organizations responsible for revealing the Russian state-run doping ring;
U.S. nuclear power companies that worked with Ukraine.
The hackers in question are likely to be safe in Russia and will probably only be apprehended if they travel to Europe or the U.S. What they did leave behind, however, was a trail of evidence of their exploits – and you’d be surprised how relevant some of that evidence is to your everyday life!
Despite being backed by the Russian government, these hackers’ tools of choice aren’t much different than what the average hacker-thief would use to steal your credit card info. Some of the devices they used can be ordered online by anyone for just $100.
Let’s examine their methods. The Russian state hacking apparatus has a great deal of experience with hacking from afar, but the two weakest links in most of your online connections are you and your WiFi, in that order. It’s no surprise that they relied primarily on two common but highly successful attacks so they could hit their targets:
MITM (Man-In-The-Middle) attacks: Many of the hackers’ targets were specific institutions or people. These can be tough to target from thousands of miles away, but if you’re sitting in an unmarked car right outside a hotel or laboratory, it suddenly becomes very easy! And that’s exactly what the hackers did. By using a Pineapple WiFi device, they could pose as legitimate networks and trick devices into connecting to them and using their internet. Then, they could scan any information sent by users over unsecured connections. All it takes is one unsecured user with the right credentials for the hackers to gain access to the internal system and take or sabotage any data they want.
Spear phishing: Okay, so spear phishing doesn’t necessarily require close proximity, but it’s still one of the methods that the Russian hackers used to crack their targets. Phishing emails cast a wide net by trying to fool thousands of recipients into handing over sensitive information (by posing as websites like PayPal, for example). Spear phishing is more targeted and focused – these emails get sent to specific users and impersonate websites that the attacker knows the target uses. You might expect phishing emails that pretend they’re from a leading bank in your country, but you won’t expect one posing as your job’s internal scheduling system. However, that’s exactly the type of email a Russian hacker might send to a lab employee. All it takes is one employee entering their login credentials or downloading some malware and they’re in.
This image published by the US DOJ illustrates the equipment the hackers used to attack public WiFi networks.
More equipment left behind by the hackers in images published by the US DOJ.
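From the defender's side, the impersonated-network trick described above leaves a visible trace: a familiar network name announced by an access point that does not match what the real network looks like. The following is an added example, not part of the original article; the network names, addresses and the `find_suspect_aps` helper are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str      # network name the access point advertises
    bssid: str     # access point MAC address
    security: str  # "WPA2", "OPEN", ...

# Constructed baseline of what the real network looks like (assumption).
KNOWN_NETWORKS = {
    "LabGuest": {
        "bssids": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
        "security": "WPA2",
    },
}

# Constructed scan results; the third entry imitates the known network.
SAMPLE_SCAN = [
    Beacon("LabGuest", "aa:bb:cc:00:00:01", "WPA2"),
    Beacon("CoffeeShop", "11:22:33:44:55:66", "OPEN"),
    Beacon("LabGuest", "de:ad:be:ef:00:99", "OPEN"),
]

def find_suspect_aps(scan, known=KNOWN_NETWORKS):
    """Return (beacon, reasons) for beacons that reuse a known SSID but
    do not match the baseline recorded for that network."""
    suspects = []
    for beacon in scan:
        baseline = known.get(beacon.ssid)
        if baseline is None:
            continue  # no baseline for this name, nothing to compare
        reasons = []
        if beacon.bssid.lower() not in baseline["bssids"]:
            reasons.append("unrecognised BSSID")
        if beacon.security != baseline["security"]:
            reasons.append(
                f"security is {beacon.security}, expected {baseline['security']}")
        if reasons:
            suspects.append((beacon, reasons))
    return suspects

if __name__ == "__main__":
    for beacon, reasons in find_suspect_aps(SAMPLE_SCAN):
        print(beacon.ssid, beacon.bssid, "->", "; ".join(reasons))
```

A matching BSSID is not proof of legitimacy, since MAC addresses can be copied; the check only catches mismatches.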
Myths this case debunks
There are many reasons why people dismiss the need for personal online security, and this case blows some of them right out of the water.
“Hacking is rare because it’s so hard to do.” The tools used by these hackers were far from the most advanced tools in their arsenal – and they were successful against large international institutions. As I mentioned, you can purchase one of the devices they used online for $100 or $200. Anyone can. They are usually used by security experts to perform penetration testing, but they’re obviously easily abused by hackers as well. In this case, you can defend yourself from ordinary hackers and state-sponsored military hackers using the same methods.
“I’m not important enough to be targeted.” First of all, there are plenty of common thieves-turned-hackers out there who’d like to disagree with you. Picking pockets is so last decade. Why do that when you can hit thousands of potential targets all at once? If you have a bank account, you’re fair game. But we’re not talking about common thieves here – we’re talking about state-sponsored military intelligence. Chances are they have no reason to target someone like you, right? Well, perhaps. However, it can be difficult to predict who might want to target you specifically and why. From corporate espionage and excessive government surveillance to hackers working for foreign interests, there can be plenty of reasons to be targeted that you may not be aware of. By staying unsecured, you put yourself, your employer, and people around you at risk.
How to stay secure
Spear phishing can be tough to defend yourself against. It requires a good eye for fake email addresses or websites and a healthy dose of skepticism. Whenever you get an email linking to a page where you need to enter your password, consider these questions:
Why do they need my password and why do they need it now?
Do the website and sender’s email address look legitimate?
Have I ever received a message like this before? Was it legit?
If I have time, can I contact the real institution in question and confirm the validity of this email or request?
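The second question, whether the website and sender's address look legitimate, can be partly automated. The following is an added example, not part of the original article: it compares the sender's domain and each link's host against a list of domains the recipient really uses, and flags near-identical spellings or a trusted name embedded in a foreign domain. The trusted list, sample addresses and function names are constructed for illustration.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed allow-list: domains the recipient really uses (assumption).
TRUSTED = ("paypal.com", "scheduling.corp.example")

def classify_host(host, trusted=TRUSTED):
    """Return 'trusted', 'lookalike' or 'unknown' for a host name."""
    host = host.lower().rstrip(".")
    if any(host == t or host.endswith("." + t) for t in trusted):
        return "trusted"
    for t in trusted:
        brand = t.split(".")[0]
        # Brand embedded in a foreign domain, or a near-identical spelling.
        if brand in host or SequenceMatcher(None, host, t).ratio() >= 0.85:
            return "lookalike"
    return "unknown"

def review_email(sender, links, trusted=TRUSTED):
    """Classify the sender's domain and every link host in a message."""
    findings = {"sender": classify_host(sender.rsplit("@", 1)[-1], trusted)}
    for url in links:
        host = urlsplit(url).hostname or ""
        findings[url] = classify_host(host, trusted)
    return findings

# Constructed message details for illustration.
SAMPLE_SENDER = "it-support@scheduling-corp.example"
SAMPLE_LINKS = [
    "https://scheduling.corp.example/login",
    "https://paypa1.com/signin",
    "https://paypal.com.account-verify.example/reset",
]

if __name__ == "__main__":
    for item, verdict in review_email(SAMPLE_SENDER, SAMPLE_LINKS).items():
        print(f"{verdict:10} {item}")
```

A "lookalike" verdict is the strongest warning sign here: the address was built to resemble one the recipient trusts.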
Protecting yourself from MITM attacks is much easier with a VPN. This is basically the attack that VPNs were designed to prevent! By encrypting your traffic, they block attackers from seeing your data and from redirecting you to fake websites. All you need to do is turn on your NordVPN app.
Daniel is a digital privacy enthusiast and an internet security expert. As the blog editor at NordVPN, Daniel is generous with spreading news, stories, and tips through the power of a well-written word.