Cyber Incident Victim: Phish For The Future
Date: Jul 2017
Location: United States of America
Summary
A spearphishing campaign targeted digital civil liberties activists at two internet freedom organizations, involving nearly 70 attempts to steal credentials for business services including Google, Dropbox, and LinkedIn. Attackers compromised at least one inactive account, repurposing it to send further phishing emails internally in an apparent effort to leverage trusted relationships for accessing more valuable targets. The perpetrators demonstrated notable persistence by continuously adapting their tactics after each unsuccessful attempt, refining their targeting strategies over time. While credential theft was confirmed, the campaign's ultimate objective beyond initial account compromise remained undetermined.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
Between July 7 and August 8, 2017, a sustained spearphishing campaign designated "Phish For The Future" targeted employees of two digital civil liberties organizations: Free Press and Fight for the Future. Attackers conducted nearly 70 credential theft attempts against staff members during this period, focusing on business services including Google, Dropbox, and LinkedIn accounts. The campaign employed tailored phishing emails designed to deceive recipients into surrendering login credentials. At least one organizational account was successfully compromised during these attacks. Forensic analysis indicated the compromised account had been inactive for years and contained no recent data, suggesting attackers intended to exploit its trusted status to facilitate secondary compromises of more active or privileged accounts within the networks. The attackers used the breached account to distribute additional phishing emails internally, attempting to widen their access. Security investigators confirmed the campaign's objective centered on credential harvesting but could not establish subsequent intentions following successful account takeovers.

Attackers demonstrated significant operational persistence throughout the campaign, systematically modifying their phishing tactics after each unsuccessful attempt. Their targeting grew increasingly sophisticated over the five-week period, with email content and social engineering approaches adapted to evade detection. The misuse of the compromised account for internal phishing represented a confirmed escalation, though the attackers' inability to pivot beyond this initial breach limited the direct operational impact. Security responders documented the evolution of the attackers' methodology but identified no secondary actions, such as data exfiltration or system infiltration, beyond credential harvesting. The incident highlighted the credential-theft risk faced by activist organizations while demonstrating that even a basic two-factor authentication deployment effectively neutralized the subsequent attack stages despite the initial compromise succeeding.
