It’s unusual to see the Department of Defense (DoD) hit by a phishing scam to the tune of millions of dollars, let alone one perpetrated by a resident of the United States. A California man has been arrested for this very thing, however, after leveraging his position with a DoD contractor to get around the organization’s stringent security.
Insider vendor compromise enables phishing scam of DoD
Sercan Oyuntur of Northridge, CA worked for one of the contractors that supplies jet fuel to the DoD for its operations in Southeast Asia. He conspired with Hurriyet Arslan, of Florence, NJ, a car dealership owner who created a fictitious shell company (complete with bank account and cell phone number) ultimately used to divert money from DoD vendors. In total the crew ended up stealing over $23.5 million before being caught.
Oyuntur also had co-conspirators in Turkey and Germany waiting to deliver the phishing emails to a range of DoD vendors. From June to September 2018, the crew ran the phishing scam by sending emails to these vendors purporting to be from the GSA and presenting them with a lookalike login page. Once the hackers had captured the login credentials, they were able to access these accounts and have payments routed to the shell entity that Arslan had set up in New Jersey.
The phishing scam was soon identified by authorities, however. In October 2018, Arslan attempted to collect on about $23.5 million in payments made by the DoD to the fictitious business. At the instruction of Oyuntur, Arslan attempted to transfer the proceeds to the bank account of his used car dealership Deal Automotive Sales. Oyuntur had one of the hackers in Turkey draft up fake papers indicating that the auto dealership had been awarded a DoD contract, to be used by Arslan to convince the bank that the money was legitimate and have it release the full funds. Someone at the bank apparently sniffed out the scheme, however, and federal authorities were brought in.
Oyuntur was convicted of the phishing scam after an eight-day trial in late April, on six charges of fraud, identity theft and making false statements to federal officers. His sentence has yet to be issued, but each of the charges carries maximum penalties ranging from 5 to 30 years in prison, and the identity theft charge has a statutory minimum of two years of incarceration. He could also potentially be fined over $3 million if maximum penalties are levied. Arslan had already pleaded guilty to his role in the phishing scam in January 2020 and is awaiting sentencing, scheduled for June of this year.
Need for new federal security policies demonstrated by successful phishing scam
In addition to knowing the inner workings of the DoD vendor payment system, the group was able to pull off the phishing scam by registering a domain that closely resembled the legitimate one used for official System for Award Management communications: “dia-mil.com,” close enough to the legitimate “dla.mil” address to pass at a glance if the recipient was not particularly attentive to cyber security hygiene.
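The “dia-mil.com” versus “dla.mil” trick is the kind of thing a mail gateway or SOC rule can catch mechanically. The following is an added example (not code from the article or from any agency named in it) that folds look-alike characters, treats hyphens as dots, and flags sender domains that embed or closely resemble a trusted domain; the trusted list and the sample addresses are constructed for the example, with only “dla.mil” taken from the article.

```python
from difflib import SequenceMatcher

# Trusted sender domains; "dla.mil" is from the article, "gsa.gov" is an assumed extra.
TRUSTED_DOMAINS = {"dla.mil", "gsa.gov"}

# Look-alike characters folded before comparison ("dia" reads as "dla" at a glance).
CONFUSABLE = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o", "5": "s"})


def normalize(domain):
    """Lowercase, drop a trailing dot, fold confusables and treat '-' like
    '.', so 'dia-mil.com' and 'dla.mil' compare on the same footing."""
    return domain.strip().lower().rstrip(".").translate(CONFUSABLE).replace("-", ".")


def classify_domain(domain, trusted=TRUSTED_DOMAINS, threshold=0.8):
    """Return ('trusted', match), ('lookalike', match) or ('unknown', None).
    Trusted: the domain itself or a real subdomain of it (mail.dla.mil).
    Lookalike: after normalization the trusted labels appear contiguously in
    the candidate (dla.mil.com, x-dla.mil), or the whole string is within
    `threshold` similarity of a trusted domain (d1a.mil)."""
    raw = domain.strip().lower().rstrip(".")
    for good in sorted(trusted):
        if raw == good or raw.endswith("." + good):
            return "trusted", good
    labels = normalize(domain).split(".")
    for good in sorted(trusted):
        glabels = normalize(good).split(".")
        n = len(glabels)
        if any(labels[i:i + n] == glabels for i in range(len(labels) - n + 1)):
            return "lookalike", good
        if SequenceMatcher(None, ".".join(labels), ".".join(glabels)).ratio() >= threshold:
            return "lookalike", good
    return "unknown", None


def flag_senders(addresses):
    """Classify the domain of each From: address; returns a list of
    (address, verdict, matched_trusted_domain) tuples."""
    results = []
    for addr in addresses:
        domain = addr.rsplit("@", 1)[-1].strip(">")
        results.append((addr,) + classify_domain(domain))
    return results


# Constructed sample senders, not real message headers.
SAMPLE_SENDERS = ["payments@dla.mil", "vendor-support@dia-mil.com",
                  "noreply@d1a.mil", "newsletter@example.com"]

if __name__ == "__main__":
    for row in flag_senders(SAMPLE_SENDERS):
        print(row)
```

A hit on "lookalike" is a reason to quarantine or at least to tag the message before anyone is asked for credentials on a linked page; the similarity threshold is a tunable assumption, not a calibrated value.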
The Biden administration has been making that level of awareness one of its priorities, across the landscape of federal government agencies and their thousands of contractors and vendors. One of the administration’s first executive orders, issued in May 2021, focused on better information sharing with the private sector and setting stronger security standards for both federal agencies and their software supply chains. This has been followed by a series of orders that focus on bolstering the defenses of critical infrastructure companies, naturally spurred on by incidents such as the Colonial Pipeline and SolarWinds attacks.
The DoD phishing scam makes clear there is still room for improvement, however. These attacks could have been prevented with one simple technique that is easily communicated to employees: never log into anything via a link or prompt received in email; instead, open a new browser tab or session and go directly to the site the email references, if it is something you need to check on. As Sean McNee, CTO of DomainTools, notes: “These kinds of phishing attacks from a dedicated actor show how important it is for an organization to monitor communications with its supply chain as part of a healthy security practice … Many organizations have turned to their own version of ‘Multi-Factor Authorization’ for doing large wire transfers where a confirmation needs to happen both via email as well as through another established channel such as a phone call.”
Though this particular phishing scam took place several years ago and was defused before the criminals could abscond with the money, the news of the sentencing comes amidst an internal effort by the DoD to improve the cybersecurity of its sprawling industrial base. The agency has some 200,000 private industry partners that have varying levels of access to it; all of these are now being asked to meet Cybersecurity Maturity Model Certification (CMMC) standards at minimum, and some with more sensitive partnerships may be asked to meet higher standards. All DoD partners must also now report major breaches within 72 hours.