Phishing emails that were sent last week as part of an extensive ransomware campaign designed to target government employees and contractors were also found in the inboxes of Army Cyber Command employees, a spokesperson told CyberScoop.
In response, Army Cyber Command issued an alert to warn employees about the malicious emails, providing information on how to spot, report and mitigate these incidents. NBC Washington first learned of the internal warnings on Friday.
“This warning is an internal document and a force protection warning from a subordinate unit within Army Cyber Command. These are common warnings that our subordinates — and indeed most U.S. military and government agencies — send out at the discretion of their staff security managers, often several times per week,” said Army Cyber Command spokesperson Charles Stadtlander.
Each malicious email contained a malware-laden attachment and was written to appear as though it came from the Office of Personnel Management. The messages warned recipients that their respective banks had notified OPM of suspicious account activity that could be reviewed via the malicious attachment. A group of security researchers from Leesburg, Va.-based firm PhishMe first spotted the Locky ransomware campaign last Tuesday.
Locky is a common, Windows-based ransomware variant that was first discovered in February 2016. The typical ransom price to receive a decryption key for Locky is roughly 0.5 bitcoin, which is around $360 as of this article’s publication.
“Warnings like this serve as a reminder that cyberspace is a crowded domain where malicious actors exist among Americans conducting their everyday social lives, finances, and business. These actors consistently attempt to impact both US military and civilian systems, and Army Cyber Command as well as our fellow military and US government cyber defenders exist to deter attackers,” Stadtlander wrote in a statement.
Security researchers believe that the campaign was not designed to coincide with the U.S. election.
“The first messages in this set were captured by PhishMe at 06:39 Eastern and the last one was received at 12:53 Eastern time. The threat actors’ selection for this timeframe is significant since it encompasses both the earliest risers on the US east coast and the start of the business day for the US west coast as well,” said PhishMe Threat Intelligence Manager Brendan Griffin. “The criminals were likely trying to reach people as they got into the office for work or checked their email for the first time today.”