The sketchy details in an FBI warning that hacktivists breached computer systems of multiple government agencies and stole sensitive information have fueled speculation on how the compromises occurred.
In a memo obtained by Reuters, the Federal Bureau of Investigation said the breaches linked to the hacktivist collective Anonymous were part of a campaign that started nearly a year ago. The attacks have affected the U.S. Army, Department of Energy (DOE), Department of Health and Human Services (DHHS) and possibly many more agencies.
Stolen data included the personal information of 104,000 employees, contractors, family members and others associated with the DOE, Reuters reported on Friday. The theft included information on almost 2,000 bank accounts.
Because best practices would dictate never storing such information on web servers, the breaches likely occurred at internal servers first, probably through a spear-phishing campaign that lured government employees to malicious websites, said Anup Ghosh, founder and chief executive of Invincea, which provides technology for defending against cyberattacks.
Once internal servers were compromised, the hackers could have spread the infection by planting malware on web pages served by an internal server to government workers and contractors, Ghosh said Monday; he did not have any first-hand knowledge of the compromises. Such a scenario is possible, given that the FBI said the attackers took advantage of flaws in Adobe ColdFusion, software used to build websites.
"If you compromise the servers, then you can put malicious code on the server pages, so that when legitimate users visit these internally trusted servers, they end up getting compromised," Ghosh said.
"That would be a variation of a watering-hole attack, where you're using the organization's own legitimate web server to compromise its own employees. At that point you can compromise lots of information."
The scope of the security breach is not yet known, but the FBI believes it could be widespread and that some agencies could still be running infected computer systems. Once attackers break into a network, it isn't unusual for their malicious code to remain hidden for some time.
"The main issue is that attackers spend undetected time – hours, days, months – inside of a target network as they exfiltrate data," Neal Creighton, chief executive of CounterTack, said. "And to this point, you cannot really defend against their persistency or their tenacity.
"You will get infected, but if you can detect it quickly after a breach, you have the opportunity to stop the attack before the damage is done."
The break-ins were related to the case of Lauri Love, a British resident indicted for allegedly hacking computers of the DOE, U.S. Army, DHHS and the U.S. Sentencing Commission, Reuters reported. In addition, the hacks have connections to Anonymous' "Operation Last Resort."
The campaign was in retaliation for prosecutions against hackers that the group believed were too extreme. One case involved the prosecution of Internet activist Aaron Swartz, who faced up to 35 years in prison for allegedly stealing millions of electronic articles from the JSTOR academic library. Swartz committed suicide in January.