In 2018, a California man, working as a vendor for a DoD contractor that supplies jet fuel to the DoD in Southeast Asia, was able to get around the stringent security system and gain access to the DoD’s website. Once inside, he was able to use that access and carry out his phishing scam.
To start with, he conspired with the owner of a car dealership in New Jersey. Together they created a shell company into which the dealership owner diverted money scammed from other DoD vendors.
The California man also had co-conspirators in Turkey and Germany who sent phishing emails to DoD vendors that looked as if they came from the GSA. They had even registered a URL close enough to the real one that a reader who was not careful could easily mistake it for the genuine domain (dia-mil.com versus dla.mil).
In the phishing emails was a link to a log-in page. Once the scammers had credentials from vendors accessing this page, they could then access accounts and route money to their shell company.
But their downfall was a suspicious bank employee who called federal authorities when the California man tried to move $23.5 million out of the shell company.
The culprit was convicted in April 2022 on six charges of fraud, one of identity theft, and one of making false statements to federal officers. If convicted on all charges, the fraud charges carry a range of prison time from five to 30 years; the identity theft charge a minimum of two years; and a potential fine of over $3 million for the false statements charge. The California man had previously pled guilty to the phishing scam itself and is awaiting sentencing in June on that charge.
This attack, and others like it, could easily be thwarted if employees were taught never to log in through links found in emails. Instead, open a new browser tab, navigate to the site directly, and log in there if necessary, rather than through the link in the email, because that link may be cloaked and not the real login page.
This scam is just another example of why the DoD is working hard to improve cybersecurity across its Defense Industrial Base (DIB). The overall program it is using to improve cybersecurity across the DIB is the Cybersecurity Maturity Model Certification (CMMC). The CMMC is a cybersecurity protocol under which the 200,000-plus DoD contractors must meet certain standards to be in compliance with the protocol (and to be awarded future contracts).
The original CMMC model created a complex array of cybersecurity protocols for DoD contractors, which contractors objected to because it would have significantly raised the cost of compliance and would have priced out smaller firms that are essential to the DoD.
In response, the DoD modified the original CMMC to come up with an updated version called CMMC 2.0. In the original version, there were five levels of compliance. In this version, there are three levels, and the implementation of the cybersecurity protocols is applied based on the nature of the contractor's work and the level of sensitive material accessed, while at the same time maintaining national security interests.
One major change under CMMC 2.0 is that in the original version, all contractors – primes and subs – had to undergo a third-party assessment by the CMMC. Now only contractors handling sensitive data are required to have their cybersecurity program assessed by a CMMC third party. The rest of the contractors, those not handling sensitive material, are permitted to do self-assessments using the protocols supplied by CMMC 2.0.
The new CMMC 2.0 framework should be an adequate compromise between meeting the cybersecurity objectives of the DoD and the practicalities of doing business with the DoD – especially for the smaller subcontractors. The key is implementing changes that make scammers unable to penetrate networks.