Cyberspies Help Themselves to DHS Contractor's Data
Cyberspies -- probably acting on behalf of another country's government -- have breached a DHS contractor's network, likely gleaning information from individuals' background checks that could be very useful to phishers. "It gives them an attack vector with a good chance of succeeding because they have sensitive information that gives them credibility," noted CyberArk's Andrey Dulkin.
08/08/14 7:29 AM PT
USIS, the contractor that did the background checks on Washington Navy Yard shooter Aaron Alexis and NSA leaker Edward Snowden, on Thursday reported that its computer systems have been breached.
"Our internal IT security team recently identified an apparent external cyberattack on USIS' corporate network," said US Investigations Services, which performs security clearance investigations for the U.S. Department of Homeland Security, in a statement.
"We are working closely with federal law enforcement authorities and have retained an independent computer forensics investigations firm to determine the precise nature and extent of any unlawful entry into our network," it added. "Experts who have reviewed the facts gathered to-date believe it has all the markings of a state-sponsored attack."
The scope of the breach was not disclosed, and USIS declined our request to provide further details about the incident.
Homeland Security and the U.S. Office of Personnel Management, which also requires background checks on federal employees, have suspended activity with USIS pending the results of an FBI investigation of the incident.
OPM Info Safe
"We are aware of an intrusion to USIS's network and have been working closely with US-CERT and the FBI to determine the impact to OPM and our agency partners," OPM Communications Director Jackie Koszczuk said.
"Out of an abundance of caution, we are temporarily ceasing field investigative work with USIS," she added. "This pause will give USIS time to work with US-CERT and OPM to take the necessary steps to protect its systems."
So far, there doesn't appear to be any loss of personally identifiable information for OPM-managed investigations, Koszczuk noted. "OPM does not share and host information with USIS in the same way that other federal agencies do."
DHS did not respond to our request to comment for this story; the FBI acknowledged that it was involved in the investigation of the incident.
Although it's difficult to prove the origin of attacks like the one on USIS, the company's assertion that a foreign country may be behind the intrusion appears credible, according to security experts.
State Attack Likely
"A state attacker would have the most to gain by this kind of attack," said Scott Borg, CEO and chief economist of the U.S. Cyber Consequences Unit.
"Knowing about people who are applying for and being given security clearances would be very useful to a foreign power," he told TechNewsWorld.
"If they can get the actual records of the investigations, they might be able to find information that would give them a way to pressure these people," Borg added.
Credentials harvested from the USIS systems also could be exploited.
The Chinese government, for example, could "use logins and passwords to piece together who may or may not be a target for them -- not only for active cyberespionage activities, but if that person goes inside the People's Republic of China, they could be detained for espionage," Bill Hagestad II, author of several books on Chinese cyberwarfare, told TechNewsWorld.
While the USIS systems are a ripe target for cyberspies, they're less so for criminals.
"Criminal organizations know there's no money in government hacking," Hagestad said.
Cyberspies typically mine social media sites for information on their targets.
"This attack can be seen as an extension of that," Andrey Dulkin, senior director of cyber innovation for CyberArk, told TechNewsWorld.
"An aggregated database like this one is a very lucrative target," he said.
The sensitive information about the subjects on the USIS computers would be very valuable in crafting phishing attacks. "It enables [phishers] to target specific employees or impersonate employees," Dulkin noted. "It gives them an attack vector with a good chance of succeeding because they have sensitive information that gives them credibility."