The Pentagon was phished. Hackers who have been linked to Russia sent Department of Defense employees emails that contained malicious software and were disguised as messages from the nonprofit National Endowment for Democracy, the Daily Beast reported Saturday.
The Daily Beast obtained emails from the Pentagon that articulate the technical details of the attack and reported that "at least five" employees were victims. The phishing scam was disguised as emails from the National Endowment for Democracy, a nonprofit and congressionally funded group in Washington, through an infected server. The email included a link that, when clicked, would download malware. The infecting software also contained a sophisticated encryption setup that disguised when and where the communication occurred while the virus was downloading.
“To use a military analogy, the level of sophistication of this attack is like comparing a World War I propeller-driven fighter plane to a stealth bomber coming in under the radar, completely destroying its target, and leaving before the enemy even realizes they have been attacked,” Michael Adams, a computer security expert who worked in U.S. Special Operations Command, told the Daily Beast.
The Pentagon detected the infiltration July 8, according to an email sent to White House and State Department employees Friday. The message does not disclose whether information was stolen or list the victims.
The National Endowment for Democracy did not respond to a request for comment from the Daily Beast. A U.S. Defense Department representative confirmed the authenticity of the email but declined to issue further comment on the specific campaign.
"There are thousands of attempts to hack [Department of Defense] every day," the official told The Daily Beast. "We have processes and procedures in place to mitigate those attempts."
Several high-profile cyberattacks have hit the U.S. government in the last year, including attacks on the State Department email network in November and on the Office of Personnel Management. The Obama administration announced in June that all government agencies must encrypt their websites by Dec. 31, 2016. Only 28 percent of federal domains are encrypted with the HTTPS communication protocol, according to government data.