In 2018, a California man working as a supplier for a DoD contractor that supplies jet fuel to the DoD in Southeast Asia was able to bypass the stringent security system and gain access to the DoD website. Once inside, he used that access to carry out his phishing scam.
For starters, he conspired with the owner of a New Jersey car dealership. Together, they created a shell company that the dealership owner used to embezzle the money scammed from other DoD salespeople.
The California man also had co-conspirators in Turkey and Germany sending phishing emails to DoD vendors that appeared to come from the GSA. They even registered a look-alike URL close enough to the real one that, if you were not careful, it could easily be mistaken for the real thing (dia-mil.com versus dla.mil).
The phishing emails contained a link to a login page. Once the scammers had the credentials of the vendors who logged in there, they could access those vendors' accounts and funnel the money to their front company.
But their downfall was a suspicious bank clerk who called federal authorities when the California man tried to withdraw $23.5 million from the shell company.
The culprit was found guilty in April 2022 of six counts of fraud, one count of identity theft, and making false statements to federal agents. If he is convicted on all counts, the fraud charges carry a prison term ranging from five to 30 years; the identity theft charge, a minimum of two years; and the misrepresentation charge, a potential fine of over $3 million. The California man previously pleaded guilty to the phishing scam itself and is awaiting sentencing in June on that charge.
This attack, and others like it, can be easily thwarted if employees are taught never to follow links found in emails. Instead, open a new browser tab and navigate to the referenced site directly, logging in there if necessary, because the link in the email may hide a different destination and not lead to the actual login page.
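The look-alike domain in this case (dia-mil.com standing in for dla.mil) is exactly the kind of thing a mail gateway or a user-awareness tool can flag before anyone clicks. The following Python script is an added illustration, not code from the article or from any DoD program: it pulls every URL out of a message body, reduces the hostname to its registered domain, and then checks whether that domain either matches an allowlist of sites vendors are genuinely expected to log in to or merely imitates one (a squashed form of the trusted name appears inside the candidate within one edit). The allowlist, the similarity threshold and the sample email are all constructed assumptions for the example.

```python
"""Flag links in an e-mail body whose domain imitates a trusted login site.

Added example, not from the article. TRUSTED_DOMAINS, LOOKALIKE_THRESHOLD
and SAMPLE_EMAIL are assumptions constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Assumed allowlist: the domains vendors are genuinely expected to log in to.
TRUSTED_DOMAINS = {"dla.mil", "gsa.gov"}

# Maximum edit distance at which a domain fragment still counts as a look-alike.
LOOKALIKE_THRESHOLD = 1

# Crude URL extractor: stop at whitespace, angle brackets, quotes or a closing paren.
URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)

# Constructed sample message (not a real e-mail).
SAMPLE_EMAIL = """Dear vendor,
Your GSA account requires re-verification. Sign in at
https://dia-mil.com/vendor/login within 24 hours.
Reference: https://www.gsa.gov/
"""


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(hostname: str) -> str:
    """Last two labels of a hostname (naive: no public-suffix list)."""
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def squash(domain: str) -> str:
    """Drop dots and hyphens so 'dia-mil.com' and 'dla.mil' compare letter for letter."""
    return re.sub(r"[^a-z0-9]", "", domain.lower())


def lookalike_of(domain: str):
    """Return the trusted domain this one imitates, or None if it imitates none."""
    cand = squash(domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        core = squash(trusted)
        # Slide a window the size of the trusted name across the candidate so that
        # 'dlamil' inside 'dlamillogincom' is caught as well as the near-miss 'diamil'.
        for start in range(0, len(cand) - len(core) + 1):
            window = cand[start:start + len(core)]
            if levenshtein(window, core) <= LOOKALIKE_THRESHOLD:
                return trusted
    return None


def classify_url(url: str) -> str:
    """'trusted' for allowlisted domains, 'lookalike' for imitations, else 'unknown'."""
    host = urlparse(url).hostname or ""
    domain = registered_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    if lookalike_of(domain):
        return "lookalike"
    return "unknown"


def scan_email(body: str):
    """Return (url, verdict) for every link found in the message body."""
    return [(url, classify_url(url)) for url in URL_RE.findall(body)]


if __name__ == "__main__":
    for url, verdict in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:10s} {url}")
```

Run against the constructed message, the first link is reported as a look-alike of dla.mil and the second as trusted. The registered-domain step is deliberately naive (it has no public-suffix list, so a host under a two-level suffix such as co.uk would be reduced incorrectly); a production gateway would use a real suffix list and a much larger allowlist, but the shape of the check is the same.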
This scam is just another example of why the DoD is working hard to improve cybersecurity in its Defense Industrial Base (DIB). The overarching program it uses to improve cybersecurity across the DIB is the Cybersecurity Maturity Model Certification (CMMC). The CMMC is a cybersecurity framework under which the DoD's more than 200,000 contractors must meet defined standards to remain in compliance (and to obtain future contracts).
The original CMMC model created a complex array of cybersecurity protocols for DoD contractors, to which contractors objected because it would have dramatically increased the cost of compliance and excluded small businesses that are critical to the DoD.
In response, the DoD modified the original CMMC into an updated version, CMMC 2.0. The original version had five levels of compliance; CMMC 2.0 has three tiers, and the cybersecurity protocols are enforced according to the nature of a contractor's work and the sensitivity of the material being accessed, while safeguarding national security interests.
A major change under CMMC 2.0 concerns assessment: in the original version, all contractors, primes and subcontractors alike, had to undergo third-party evaluation by CMMC. Now, only contractors handling sensitive data are required to have their cybersecurity program assessed by a CMMC third party; contractors that do not handle sensitive material are permitted to perform self-assessments using the protocols provided by CMMC 2.0.
The new CMMC 2.0 framework should be an adequate compromise between achieving DoD cybersecurity objectives and the practicalities of doing business with DoD – especially for smaller contractors. The key is to implement changes that prevent scammers from entering networks.