Cyber Intelligence and Hameçonnage

Hameçonnage in French; phishing in English

David J. Smith

Professor of Practice for Cybersecurity Policy, Utica College

Intelligence is a global jigsaw puzzle, but bigger than any rainy-day pastime that one can buy in a box. There are more than 24,000 pieces—the biggest puzzle available on Amazon—and there is no picture on the box cover. Read, read, read, we tell our CYB-610 students. Google. Explore new horizons. An intelligence analyst will never have a complete picture, but the broader his or her vision, the likelier it will be that he or she will be able to assemble the right pieces at the required time.

What is cyber intelligence? Broadly speaking, it is information gleaned from cyberspace or information about cyberspace. But CYBINT must be integrated with other intelligence disciplines—open-source intelligence, signals intelligence, imagery intelligence, measurement and signature intelligence, human intelligence and geospatial intelligence. Moreover, there are emerging “INTs” such as FININT—financial intelligence—that can all contribute some pieces to the puzzle.

Cyber Intelligence in the Real World

That is why, in CYB-610, we spend some time on intelligence in its broadest sense and we emphasize the intelligence cycle. Our eight-week curriculum features some interesting hands-on projects and readings and lectures that spotlight every aspect of the intelligence cycle. And, because intelligence is about the real world, we focus a lot on real-world case-studies. Indeed, some are “ripped from the headlines,” to borrow a phrase from the Law and Order television show.

The 2016 presidential campaign and Russian hacking into the Democratic National Committee (DNC) and other US political organizations was the hot topic this spring. If one examines the two pertinent US Government documents alongside the work of Dmitri Alperovich at Crowdstrike, it is difficult not to conclude that the perpetrators were APT-28, also known as Fancy Bear and Pawn Storm, and APT-29, also known as Cozy Bear. The former is associated with the GRU, Russian military intelligence, and the latter with the FSB, successor to the infamous KGB. We recommended that students read Assessing Russian Activities and Intentions in Recent US Elections, published by the office of the Director of National Intelligence. It is a great primer on how intelligence works and a good introduction to Russian active measures, that is, information warfare.

Information Warfare via Phishing

This is where hameçonnage comes in. While Hillary Clinton and Donald Trump sparred over what may or may not have been purloined from Democratic Party computers, Emmanuel Macron, who would eventually be elected president of France, complained of interference in his party’s computer networks. Meanwhile, French intelligence and cybersecurity agencies warned political parties of Russian meddling, as had been seen in America. So went the campaign until Macron won the first-round balloting on May 23.

Then, about 36 hours after the polls closed, Trend Micro corroborated Macron’s hacking claims in its report Two Years of Pawn Storm. En Marche, Macron’s party, had been hacked by one of the same Russian APT groups that snuck into the DNC. How did they do it? Hameçonnage in French; phishing in English. Campaign officials received cleverly worded hameçonnage emails directing them to a fake website, onedrive-en-marche.fr. From that site, Pawn Storm harvested credentials as unwitting party employees re-entered their passwords.

Whether US or French intelligence or one of the cybersecurity companies involved, intelligence requires the broadest possible vision. Now our students know about hameçonnage but, more important, one of the things that CYB-610 emphasizes is the importance of nurturing the broadest possible vision.

About the Author

David Smith

David Smith
Professor of Practice
Program: MS Cybersecurity, MPS Cyber Policy and Risk Analysis

Ambassador David J. Smith is Professor of Practice for Cyber Policy at Utica College. He is also Director of the Georgian Security Analysis Center in Tbilisi, Georgia and Principal at Cyberlight Global Associates, LLC.

In these roles, he builds on a 30 year career in international relations, including the US Air Force, Intelligence Community, Defense and State Departments, both houses of Congress and extensive think tank experience. Read More about David Smith