from the well-that's...-something dept
We started receiving reports of this last week, but I wanted to track down some details. You may have seen a few other reports, noting that the tech team at the House of Representatives recently started blocking YahooMail because of a big phishing attempt targeted at Congress. On April 30th, the House’s “Technology Service Desk” sent around an email stating:
In the past 48 hours, the House Information Security Office has seen an increase of attacks on the House Network using third party, web-based mail applications such as YahooMail, Gmail, etc. The attacks are focused on putting ?ransomware? on users? computers. When a user clicks on the link in the attack e-mail, the malware encrypts all files on that computer, including shared files, making them unusable until a ?ransom? is paid. The recent attacks have focused on using .js files attached as zip files to e-mail that appear to come from known senders. The primary focus appears to be through YahooMail at this time.
The House Information Security Office is taking a number of steps to address this specific attack. As part of that effort, we will be blocking access to YahooMail on the House Network until further notice. We are making every effort to put other mitigating protections in place so that we can restore full access as soon as possible.
Please do your part to help us address this recent attack and protect the House Network going forward by following proper cyber practices at all times. Phishing e-mails can look very legitimate and appear to come from known senders. Be very careful about clicking on attachments or links in e-mails, particularly when you are using non-House e-mail systems.
Obviously, it’s worth being careful and concerned about this kind of thing. Those encrypted ransomware attacks have become quite popular lately, and you can imagine why some would think it would be fun to target Congress specifically. Still, blocking all of YahooMail seems… like overkill? Yes, obviously, warn everyone to be careful, and highlight the details and what to watch out for. Perhaps institute some other kinds of protections. But a blanket ban on YahooMail just seems odd.
But… that’s not all. Because a few days after that happened, the same tech staff also started blocking all of appspot.com. That’s where a ton of apps actually live for things like Google’s App Engine. Once again, this seemed like total overkill, so I reached out to people at the House to find out what was going on, and was given the following statement:
We began blocking appspot.com on May 3 in response to indicators that appspot.com as potentially still hosting a remote access Trojan named BLT that has been there since June 2015.
Now, this is kind of interesting for a variety of reasons. The Trojan.BLT has been “associated with a major APT [Advanced Persistent Threat] campaign.” Furthermore, there has been some speculation connecting it to the Office of Personnel Management (OPM) hack that was exposed last year, based on a timely warning from the FBI about “cyber actors” using a series of exploits — including BLT — to gain access to personally identifiable information from the government. As the FBI noted:
Trojan.BLT- a RAT that is executed from its export CreateInstance, the mutex HFRM_ is created and a process instance of cmd.exe is launched to execute the command ?ipconfig/all? to collect the victim system?s MAC address. Trojan.BLT will test network connectivity by establishing a connection with a legitimate website. This malware is capable of bypassing dyndns categorization by using a proxy through Google AppProxy?s hosted on appspot domains.
Trojan.BLT will validate the connection by checking the HTTP header ?Service:IIS?. Trojan.BLT will then conduct further C2 activity.
So, yes, as I was told, Trojan.BLT was first discovered making use of Google’s appspot domains last June — so it’s a little unclear why there’s suddenly a renewed focus on it, and why it’s cause to shut down access to appspot entirely — especially since it appears that there are tools that can detect this particular trojan.
So, on the one hand, you can understand why the House’s IT staff has pulled out the nuclear option in both these cases, first banning YahooMail and then banning access to basically all of Google’s hosted 3rd party apps. Ransomware or an OPM-level hack on Congress would be a massive black eye for the House’s tech staff. So it must feel a lot safer to just block entirely. Of course, it’s also not that likely to be effective. Ted Henderson, the creator of a social network solely for Congressional staffers called Cloakroom, and who first alerted me and many other reporters to this, was pretty clearly frustrated by this move, which obviously cut off the vast majority of his userbase from actually being able to use the app. But, he’s already found a workaround (which I know because I once did an AMA on the platform and still receive notifications from the app). All users received a notification on their phones to turn off their WiFi and use their cellular connections if they wished to use Cloakroom while on Capitol Hill.
And, of course, this shows the futility of just blocking all access to an entire ecosystem like Appspot. It’s not going to stop people. It’s just going to frustrate people and send them looking for other paths to get that info, which may actually be more dangerous. Instead, it seems worth asking why the House IT staff isn’t focused on providing better protection against the actual threat, rather than just trying to bury access to massive platforms, just because lurking somewhere on those platforms there may be something harmful.
Remember, too, that the people in the House are the same ones legislating technology issues today, and they’re getting a very warped idea of how technology works thanks to the House’s tech desk. A small potential problem that could be avoided with some basic precautions? Shut down the whole damn thing. This seems like exactly the wrong lesson that our elected officials and their staffers should be learning right now about technology. Protecting their computers and devices is obviously important, but it seems like the House is resorting to overkill, and hopefully this does not lead out of touch Representatives to assume that similar overkill solutions — such as entire site blocking — are sensible for American citizens.