Defense Security Service email addresses "are being used in a spoofing campaign."
By Jenna McLaughlin
Unidentified cyber criminals are sending fake emails that are made to appear as if they are coming from the Defense Security Service, a wing of the Pentagon that provides security support for the military, defense agencies, and contractors, Foreign Policy has learned.
“DSS email addresses are being used in a spoofing campaign,” wrote DSS in a blast email, obtained by FP, recommending that private companies “alert their cybersecurity staff” and block incoming messages from DSS addresses.
It’s unclear who the targets of the campaign are, and what the goal of the attack is—though DSS typically works with “cleared industry” to protect classified information. The Under Secretary of Defense for Intelligence leads DSS.
The attack comes one day after President Donald Trump signed a long-awaited cybersecurity executive order, tasking the federal government and the military with shoring up critical infrastructure from digital vulnerabilities.
“No DSS systems have been compromised, and we have no indication that any systems within industry have been compromised as a result of the spoofing,” a spokesman for DSS Public Affairs wrote in an email to FP. “The notification was an opportunity to increase awareness of the possibility of further spoofing attempts.”
Correction, May 12, 2017: This article originally misstated the agency that led the “Hack the Pentagon” program. Defense Digital Services ran the program, not Defense Security Service.