The term cyberattack

Topics/tags: Rants, technology, short

The other day, I was listening to NPR, and a story came on about how Microsoft had recently thwarted some cyberattacks. I appreciate learning about how the kinds of attacks that happened, so I listened with some interest. Were the attackers relying on a flaw in the Microsoft Windows operating system or some server software? Were the attackers using a ’bot net to try a host of passwords on a site? Or was it some other common approach? Or perhaps one I hadn’t heard of before?

Then they got to the details. Here’s what I thought I heard:

The attackers set up Web sites the looked like the other sites and with similar URLs to those sites. Then they sent email to potential targets with links to these sites. Among other things, the targets included conservative think-tanks.

That didn’t sound to me like what I consider a cyberattack. That struck me as what I think of as phishing [1]. But phishing is mostly a social attack, rather than a cyber attack; it relies on people not paying enough attention or taking enough precautions. In many ways, it’s like the phone spammers who call and say This is your credit card company; please enter your number so that we can fix them or even This is Grinnell College; call us at 1-800-GrinCo1 to enter your security deposit.

It’s been bothering me, so tonight I went back and found a transcript of the story.

What they tried to do in this case was create domains and URLs that looked like the groups they were trying to target for cyberattacks. So here’s how it would work. And it could happen to any of us. You’d receive an email that has a URL. It directs you to a website that looks a lot like your own office’s website. And it asks for your passwords. This happens all the time. But in this case, it happens - it happened with these attempted targets - the U.S. Senate and two right-of-center think tanks, the International Republican Institute and the Hudson Institute.

I guess I remembered correctly. And I’m frustrated that Microsoft and news organizations refer to something that is primarily a social attack as a cyberattack. That term seems so much more threatening and technologically sophisticated. It’s like the ways in the Russians used Facebook to manipulate people; it’s an attack using technology, but the primary vector is social, not technological. Both kinds of social attacks are hugely problematic, and I’m glad that Microsoft caught this one, but they’re not what I would call a cyberattack.

Or do I just use terms differently?

[1] Or, if I understand the terminology correctly, spear phishing.

Version 1.0 of 2018-08-25.