Was the Consular Consolidated Database (CCD) the main target of the twin hackers?

Posted: 1:27 am EDT

In May 2015, a federal grand jury indicted twin brothers Muneeb and Sohaib Akhter, 23, of Springfield, Virginia, on charges of aggravated identity theft, conspiracy to commit wire fraud, conspiracy to access a protected computer without authorization, access of a protected computer without authorization, conspiracy to access a government computer without authorization, false statements, and obstruction of justice.  According to USDOJ, the brothers and coconspirators also devised a scheme to hack into computer systems at the U.S.  Department of State to access network traffic and to obtain passport information.  (See Twin Brothers and Co-Conspirators on Alleged Scheme to Hack State Dept to Obtain Passport Information).

The brothers pleaded guilty on June 26, 2015. On October 2, the USDOJ announced that Muneeb Akhter was sentenced for accessing a protected computer without authorization, making a false statement and obstructing justice. Muneeb Akhter was sentenced to 39 months in prison and Sohaib Akhter was sentenced to 24 months in prison. Each man was also sentenced to three years of supervised release. Case title: USA v. Akhter et al. Below is an excerpt from the announcement:

[T]he Akhter brothers and co-conspirators engaged in a series of computer intrusions and attempted computer intrusions against the U.S. Department of State to obtain sensitive passport and visa information and other related and valuable information about State Department computer systems.  In or around February 2015, Sohaib Akhter used his contract position at the State Department to access sensitive computer systems containing personally identifiable information belonging to dozens of co-workers, acquaintances, a former employer and a federal law enforcement agent investigating his crimes.

Sohaib Akhter later devised a scheme to ensure that he could maintain perpetual access to desired State Department systems.  Sohaib Akhter, with the help of Muneeb Akhter and co-conspirators, attempted to secretly install an electronic collection device inside a State Department building.  Once installed, the device could have enabled Sohaib Akhter and co-conspirators to remotely access and collect data from State Department computer systems.  Sohaib Akhter was forced to abandon the plan during its execution when he broke the device while attempting to install it behind a wall at a State Department facility in Washington, D.C.

Furthermore, beginning in or about November 2013, Muneeb Akhter was performing contract work for a private data aggregation company located in Rockville, Maryland.  He hacked into the company’s database of federal contract information so that he and his brother could use the information to tailor successful bids to win contracts and clients for their own technology company.  Muneeb Akhter also inserted codes onto the victim company’s servers that caused them to vote for Akhter in an online contest and send more than 10,000 mass emails to students at George Mason University, also for the purpose of garnering contest votes.

In or about October 2014, Muneeb Akhter lied about his hacking activities and employment history on a government background investigation form while successfully obtaining a position with a defense contractor.  Furthermore, in or about March 2015, after his arrest and release pending trial, Muneeb Akhter obstructed justice by endeavoring to isolate a key co-conspirator from law enforcement officers investigating the conspirators’ crimes.  Among other acts, Muneeb Akhter drove the co-conspirator to the airport and purchased a boarding pass, which the co-conspirator used to travel out of the country to the Republic of Malta.  When the co-conspirator returned to the United States, Muneeb Akhter continued to encourage the co-conspirator to avoid law enforcement agents.

One of the brothers was profiled by WaPo in 2014. Both brothers started college at 16 and were George Mason’s youngest graduates in 2011. In 2012, the brothers received a $200,000 grant from the Defense Advanced Research Projects Agency, or DARPA.

The details of this case are even more disturbing. Under Count Eight (Conspiracy to Access a Government Computer without Authorization), the indictment alleges:

60. The Bureau of Consular Affairs (hereinafter “Bureau”) is a division of the State Department, which administers laws, formulates regulations, and implements policies relating to consular services and immigration. It has physical offices in Washington, DC.

61. Passport Lockbox (hereinafter “Lockbox”) is a Bureau program that performs payment processing, scanning of applications, and initial data entry for U.S. passport applications. Lockbox has a computer database containing imaged passport applications associated with real individuals. The imaged passport applications in Lockbox’s database contain, among other things, a photograph of the passport applicant, as well as certain personal information including the applicant’s full name, date and place of birth, current address, telephone numbers, parent information, spouse’s name, and emergency contact information.

62. ActioNet, Inc. (hereinafter “ActioNet”) is a contractor that provided information technology support to the State Department. It has physical offices in Falls Church, Virginia, located in the Eastern District of Virginia.

63. From in or about October 2014 to in or about February 2015, SOHAIB AKHTER was a contract employee at ActioNet assigned to a position at the State Department as a Tier II Application Support Resource in the Data Engineering and Data Management Program within the Bureau.

64. Prior to accessing the Lockbox database, and throughout his tenure as a contractor with the State Department, SOHAIB AKHTER was made aware of and indicated he understood: (a) the confidential nature of the Lockbox database and the confidential personal data contained therein; (b) the information contained in the passport records maintained by the State Department pursuant to Lockbox is protected from unauthorized disclosure by the Privacy Act of 1974, 5 U.S.C. § 552a; and (c) passport applications maintained by the State Department in the Lockbox database should be accessed only in connection with an employee’s official government duties and not the employee’s interest or curiosity.

69. MUNEEB AKHTER and SOHAIB AKHTER, UCC-1, and other coconspirators known and unknown to the Grand Jury, engaged in a series of computer intrusions and attempted computer intrusions against the State Department to obtain sensitive passport and visa information and other related and valuable information about State Department computer systems.

70. SOHAIB AKHTER used his contract position at the State Department to search for and access sensitive passport information belonging to coworkers, acquaintances, a former employer, and federal agents investigating him for crimes alleged in this Indictment. After accessing sensitive passport information from State Department computers, SOHAIB AKHTER copied, saved, and shared this information with coconspirators.

71. SOHAIB AKHTER also attempted to use his access to State Department computer systems to create an unauthorized account that would enable him to access State Department computer systems undetected. SOHAIB AKHTER surreptitiously installed malicious programs onto State Department computer systems in order to execute his plan to create the backdoor login account.

72. SOHAIB AKHTER orchestrated a scheme to secretly install a physical device at a State Department building known as SA-17. Once installed, the device would enable SOHAIB AKHTER and coconspirators to collect data from and remotely access State Department computer systems.

73. SOHAIB AKHTER led the conspiracy, organized the intrusion to install the physical device, recruited coconspirators to assist in execution of the intrusion, and managed the execution of the intrusion.

74. MUNEEB AKHTER provided technical assistance to SOHAIB AKHTER for the unauthorized access. MUNEEB AKHTER programmed the physical device, known as a “gumstix,” so that it would collect data from State Department computers and transmit it wirelessly to computers controlled by MUNEEB AKHTER and SOHAIB AKHTER and coconspirators.

75. On the day the scheme was executed, UCC-1 transported materials, including the gumstix, from MUNEEB AKHTER, located at the AKHTER residence, to SOHAIB AKHTER, located at SA-17.
[…]
78. In or about October 2014, SOHAIB AKHTER was hired by ActioNet to perform contract work for the State Department at both ActioNet offices in Falls Church, Virginia, and Bureau offices in Washington, DC.

79. Beginning on or about February 12, 2015, and continuing thereafter until on or about February 19, 2015, in Falls Church, Virginia, in the Eastern District of Virginia, and elsewhere, SOHAIB AKHTER, while employed at ActioNet, accessed the Lockbox database without authorization.

80. Between on or about February 12, 2015, and on or about February 19, 2015, SOHAIB AKHTER conducted approximately 119 searches for U.S. passport records using the Passport Lockbox Lookup report. He accessed personal passport information for approximately 62 different individuals, including: G.R., a DHS special agent investigating the crimes alleged in this Indictment; UCC-1; A.I.; A.M., the CEO of Victim Company 2; and himself. In addition, SOHAIB AKHTER attempted to access passport information for S.T., a DHS special agent investigating the crimes alleged in this Indictment.

82. In or about February 2015, SOHAIB AKHTER viewed and copied from State Department computer systems the personal passport information associated with several individuals, including DHS Special Agent G.R.

83. In or about March 2015, MUNEEB AKHTER told UCC-1 that he and SOHAIB AKHTER stored the personal passport information that SOHAIB AKHTER removed from State Department systems on an external hard drive. MUNEEB AKHTER told UCC-1 that Special Agent G.R.’s information would be valuable to criminals on the “dark net” and that he was considering selling the information.

84. In or about February 2015, SOHAIB AKHTER downloaded several programs to a State Department computer. These programs included malicious software, or malware, which SOHAIB AKHTER hoped would enable him to access State Department computers remotely.

85. In or about February 2015, SOHAIB AKHTER told UCC-1 that if he was able to gain remote access to State Department computer systems, he could: access information on individuals’ passport applications; access and unilaterally approve visa applications without State Department authorization in exchange for payment; and create passports and visas and sell them on the “dark net.”

86. On or about February 15, 2015, SOHAIB AKHTER called UCC-1 and asked him to buy a drill. UCC-1 purchased the drill and then, pursuant to SOHAIB AKHTER’s request, drove to the AKHTER residence to pick up additional items from MUNEEB AKHTER. At the AKHTER residence, in Springfield, Virginia, in the Eastern District of Virginia, MUNEEB AKHTER told UCC-1 that he was programming an SD card, which was later to be inserted into the gumstix. MUNEEB AKHTER gave UCC-1 a bag containing a screwdriver, tape, glue, and the gumstix. Pursuant to SOHAIB AKHTER’s request, UCC-1 drove to SA-17, in Washington, DC, and delivered the bag and items to SOHAIB AKHTER outside SA-17. Later that day, MUNEEB AKHTER drove separately to Washington, DC, and delivered the SD card to SOHAIB AKHTER.

87. On or about the evening of February 15, 2015, SOHAIB AKHTER called MUNEEB AKHTER and told him that he attempted to install the gumstix behind a wall inside SA-17 but was ultimately unsuccessful.

88. On or about February 19, 2015, SOHAIB AKHTER sent an email from his State Department email account to the email address akhters3@vcu.edu containing lines of code and headers for State Department servers.
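The pattern in paragraphs 80 and 82 above, an operator querying records of himself, of acquaintances and of the agents investigating him, at a volume far above routine work, is exactly what a periodic audit of the application’s lookup log should surface. The following Python is an added example, not part of the indictment or of any State Department system; the log layout, the operator-to-record mapping and the sensitive-record list are all constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample audit log (not real Lockbox output; layout assumed):
# timestamp  operator-account  subject-record-id  report-name
SAMPLE_LOG = """\
2015-02-12T09:14:02Z op-2211 subj-0007 PassportLockboxLookup
2015-02-12T09:15:40Z op-2211 subj-0044 PassportLockboxLookup
2015-02-12T09:20:11Z op-2211 subj-0031 PassportLockboxLookup
2015-02-12T09:22:55Z op-2211 subj-0058 PassportLockboxLookup
2015-02-12T10:01:09Z op-1042 subj-0512 PassportLockboxLookup
2015-02-13T08:30:00Z op-2211 subj-0007 PassportLockboxLookup
2015-02-13T08:31:12Z op-2211 subj-0099 PassportLockboxLookup
2015-02-13T11:45:30Z op-1042 subj-0513 PassportLockboxLookup
"""

# Assumed reference data that a real deployment would pull from HR and case
# systems: which record belongs to each operator, and which records are
# flagged as sensitive (for example those of investigating agents).
OPERATOR_OWN_RECORD = {"op-2211": "subj-0044", "op-1042": "subj-0600"}
SENSITIVE_SUBJECTS = {"subj-0007"}


def parse_lookups(text):
    """Parse the whitespace-separated log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, operator, subject, report = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "operator": operator,
            "subject": subject,
            "report": report,
        })
    return events


def audit_lookups(events, max_per_day=3, max_distinct=3):
    """Return (kind, operator, detail) findings for insider-misuse signals:
    self-lookups, lookups of flagged records, and per-operator volume."""
    findings = []
    per_day = Counter()
    distinct = defaultdict(set)
    for e in events:
        op, subj = e["operator"], e["subject"]
        if OPERATOR_OWN_RECORD.get(op) == subj:
            findings.append(("self-lookup", op, subj))
        if subj in SENSITIVE_SUBJECTS:
            findings.append(("sensitive-subject", op, subj))
        per_day[(op, e["ts"].date())] += 1
        distinct[op].add(subj)
    for (op, day), n in sorted(per_day.items()):
        if n > max_per_day:
            findings.append(("daily-volume", op, f"{n} lookups on {day.isoformat()}"))
    for op, subjects in sorted(distinct.items()):
        if len(subjects) > max_distinct:
            findings.append(("distinct-subjects", op, f"{len(subjects)} distinct records"))
    return findings


def flagged_operators(text):
    """Operators with at least one finding, mapped to the kinds that fired."""
    out = defaultdict(set)
    for kind, op, _ in audit_lookups(parse_lookups(text)):
        out[op].add(kind)
    return {op: sorted(kinds) for op, kinds in out.items()}


if __name__ == "__main__":
    for kind, op, detail in audit_lookups(parse_lookups(SAMPLE_LOG)):
        print(f"{kind:18} {op:8} {detail}")
```

The thresholds are deliberately low so that the constructed sample trips them; in practice they would be derived from a baseline of the operator’s peers in the same role.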

#

Reading this, we’re not sure whether the intrusion was done on the State Department’s Travel Document Issuance System (TDIS), which includes information from U.S. citizens and nationals applying for passports, other Department of State computer systems, passport acceptance agents, the Social Security Administration, the lockbox provider (CITIBANK), passport specialists, and fraud prevention managers; or whether the intrusion occurred on the Passport Information Electronic Records System (PIERS); or wait … the mother lode, the Consular Consolidated Database (CCD). The Passport Lockbox program cited in the indictment is vague; it’s not a system of record according to the State Department’s System of Records Notices, but the indictment identifies it as a State Department database. Could this be a reference to the Citibank® Lockbox Services? That is a high-speed processing environment and image-based platform for receivables management, advanced reporting and image inquiry, used by the State Department to enable the scanning of applications, extraction of applicant photos received at lockbox locations, and storing and batching of images.

Note that #69 of the indictment also alleges “a series of computer intrusions and attempted computer intrusions against the State Department to obtain sensitive passport and visa information;” does that mean the targeted system was the CCD?  The CCD provides access to passport data in Travel Document Issuance System (TDIS), Passport Lookout Tracking System (PLOTS), and Passport Information Electronic Records System (PIERS).  As of December 2009, the CCD also contains over 100 million visa cases and 75 million photographs, utilizing billions of rows of data, and has a current growth rate of approximately 35 thousand visa cases every day.

By the way, one of the brothers was a contract employee assigned to a position at the State Department as a Tier II Application Support Resource in the Data Engineering and Data Management Program within the CA Bureau from October 2014 to in or about February 2015 (#63).  In November 2014, the State Department suffered some “technical difficulties.” See State Dept Re-attached to the Internet, and About Those “Unrelated” Embassy Outages; State Department’s “Technical Difficulties” Continue Worldwide, So What About the CCD?

Was it just a coincidence that a master of the universe hacker was working at the State Department at the time when the agency’s systems were having technical difficulties?

Or were the Akhter twins the “technical difficulties”?

#


State Dept Re-attached to the Internet, and About Those “Unrelated” Embassy Outages

— Domani Spero

A few hours ago, we posted this: State Dept Spox on outages at embassies: “separate”, “unconnected”, “unrelated” — wowie zowie!

It looks like the State Department was re-attached to the Internet sometime this morning. Although as of this writing, go.state.gov is still down for “temporary maintenance.”

[Screen capture of http://go.state.gov, still current as of 11/19/2014]

Here’s what we’ve learned about the embassy outages:

The Consular Consolidated Database is apparently unaffected, as are visa and passport services.

EXCEPT that Consular Sections were unable to accept credit card payments because those are connected to the Internet, which was unavailable from the State Department’s OpenNet.

Here’s how OpenNet is described in the FAM:

OpenNet is a physical and logical Internet Protocol (IP)-based global network that links the Department of State’s Local Area Networks (LANs) domestically and abroad. The physical aspect of the network uses DTS circuits for posts abroad, FTS-2001-provided circuits, leased lines, and dial-up public switch networks. This includes interconnected hubs, routers, bridges, switches, and cables. The logical aspect of the network uses Integrated Enterprise Management System (NMS) and TCP/IP software, and other operational network applications. OpenNet is a Sensitive But Unclassified (SBU) network, which supports e-mail and data applications.

We understand that the American Citizen Services (ACS) Units, in particular, were not able to process payments by credit cards. Since the Internet connection issue had been reportedly resolved earlier today, we hope that this has resolved itself, too.

As to visa services, those are connected to the Global Support Strategy (GSS) contract, and 99% of fees would have been collected through the GSS contractor, not at post.

EXCEPT that most GSS contractors do scheduling via their own 3rd party websites, which would not be able to be accessed from OpenNet. If visa scheduling had delays, that would be because posts had to find a non-OpenNet Internet connection to update scheduling slots, as necessary.

A note on the GSS:  The GSS contracts provide support services for nonimmigrant and immigrant visa operations at United States consulates and embassies abroad, including but not limited to public inquiry services, appointment services, fee collection services, biometric enrollment services, document delivery services and data collection services.

So when the State Department spox said that these outages were not connected and were unrelated, well —

Congratulations! You sound nice at the podium but what the heck were you talking about?

* * *

Oops! What’s this? Updated at 1552 PST Nov 19:

[Screen capture, 2014-11-19 at 3:44 PM]

* * *

State Dept Spox on outages at embassies: “separate”, “unconnected”, “unrelated” — wowie zowie!

— Domani Spero

We’ve blogged about the outages at overseas posts yesterday (see State Department’s “Technical Difficulties” Continue Worldwide, So What About the CCD?).  On November 17, US Embassy Albania’s internet connection was down and US Embassy London could not accept credit card payments and its online forms for visa and passport inquiries were not working. US embassies in Moscow, Madrid, Manila, Beirut, Ankara, Cameroon, Oslo and Astana tweeted that they were “experiencing technical difficulties that may result in delays in visa processing.”

Unofficial sources tell us that State Department employees are now able to send email outside the Department but still have no Internet access. The Department’s mobile access site GO (go.state.gov) and WebPASS (Web Post Administrative Software Suite Explorer) are both still offline.

What’s WebPASS? Via the WebPASS Privacy Impact Assessment (2009):

WebPASS Explorer (“WebPASS”) is a suite of business applications used by overseas posts to administer a variety of internal activities. Some but not all applications under WebPASS collect and maintain personally identifiable information (PII) about post employees, their family members, and visitors. WebPASS is web-enabled and operates within the confines of OpenNet, the Department’s sensitive but unclassified (SBU) network.

The main application is Web Post Personnel (Web.PS), which is a database of the American employees (AEs), their dependents, and Locally Employed Staff (LES). Whereas the official record for an AE employee is maintained in Washington, DC, the Web.PS database supports local personnel-related tasks. Its LES-related features support personnel actions for LES staff directly hired at the post such as intake, assignments, transfers, grade increases, and terminations.

After an AE or LES staff is established in Web.PS, some of their basic identifiers (e.g., name, employee type, office) may be pulled electronically into other WebPASS applications that support separate functions such as motor pool operations, residency in government-held real property, and distribution of pharmaceutical medications.

The most sensitive unique identifier in WebPASS is the record subject’s SSN, which is stored in Web.PS.

Hey, if Professor Boyd, the American ambassador’s husband in Homeland, had access to WebPASS, he could have saved himself some sneaking around just to discover (and tamper with) Carrie’s medication!

In any case, on November 18, State Department spokesman Jeff Rathke was asked about the recent reported hacking and the outages at our embassies. The official word seems to be that these outages at ten posts (maybe more, but those posts have not tweeted their technical difficulties) are separate, unconnected, unrelated, or [insert preferred synonym], to the “technical difficulties” at Main State. Simply put, you folks stop racking your brains with suspicions; these outages are simply and purely coincidental.

Of course, coincidences happen every day, but the more I watch these official press briefings, the less I trust coincidences.

Excerpt:

QUESTION: Hacking?

MR. RATHKE: Yes, Lara, please.

QUESTION: Everybody’s favorite topic. You had talked yesterday from the podium about how the – it’s only the unclassified email systems at the State Department that was affected by this most recent data breach that prompted the suspension of – sorry, I’ve got suspended on my mind – (laughter) – but that prompted the shutdown over the weekend. But there’s been some suggestions that some of the missions and embassies and consulates have had some problems or could have some problems with processing passports or visas.

MR. RATHKE: No.

QUESTION: No? Not at all?

MR. RATHKE: No, no. These are unconnected. I mean, we have a separate system that deals with those types of consular issues – passports, visas, and so forth. Now there may be other technical issues that have arisen in one place or another. Is there a specific —

QUESTION: Yeah. Embassy Beirut, I think, had to —

MR. RATHKE: Yeah. No, that’s unrelated to the outage that we’ve had here.

QUESTION: Well, what’s going on in Embassy Beirut, then?

MR. RATHKE: Well, I don’t have the specifics, but it’s a separate issue. And I – from what I understand, they were able to continue doing their operations today, so it was not any major impediment.

I can give you an update, though, on the outage. I can report that our external email services from our main unclassified system are now operating normally, and for those who feel they are tethered to their Blackberries, they are once again, because the Blackberry service is working. So our unclassified external email traffic is now normal, so we’ve had some progress since yesterday’s discussion. So much of it is now operational. Much of our systems that had connectivity to the internet are now operational. We have a few more steps that’ll be taken soon to reach full restoration of our connectivity.

QUESTION: But just to clarify, no consular services, no client-based services —

MR. RATHKE: That’s a separate —

QUESTION: — have been affected by this outage?

MR. RATHKE: No, not to my knowledge. That’s – those are separate.

Yeah.

QUESTION: Do you have internet access from the unclassified system now?

MR. RATHKE: No, we are not – we do not have internet access at this stage. That will be restored soon, we expect. Sorry, yes?

QUESTION: Anything else major that you don’t have now?

MR. RATHKE: No. No, I think that’s mainly it. But it – this has not stopped us from doing our work, so —

QUESTION: The classified system never went down, correct?

MR. RATHKE: No, it was never affected at any point. So as mentioned yesterday, that hasn’t changed. It was not affected.


Congress remains more than interested:


And now the FBI is wading into the breaches:

* * *

State Department’s “Technical Difficulties” Continue Worldwide, So What About the CCD?

— Domani Spero

The “technical difficulties” at the State Department continue today.  State Department spokesman Jeff Rathke told Yahoo News that  the State Department is still investigating who — or what — launched the attack saying, “I don’t have anything to share at this point on the origins of the intrusion.”

Rathke said the attack only hit unclassified email systems at the State Department — and not business databases that contain information about Americans or, for example, foreign visa applicants. Although the temporary shutdown was previously scheduled, “in this case, the response to this specific incident needed to be more comprehensive than our regular updates.”

Congress is apparently interested in what’s going on.

Meanwhile, the Department’s mobile site go.state.gov remains down, and the “technical difficulties” now include, according to tweets from overseas posts, not just inability to use email  but also inability to accept credit card payment for visa and passport services, and unusable contact forms for visa and passport inquiries.

[Embedded tweets from US Embassy Albania, US Embassy London, U.S. Embassy Manila, U.S. Embassy Beirut, US Embassy Turkey, U.S. Embassy Moscow, and U.S. Embassy Madrid]

* * *

Below is the template of the notice used today:

U.S. embassies and consulates are currently experiencing technical difficulties that may result in delays in visa processing and receiving and sending communications. Additionally, applicants who have interviews for student and exchange visitor (F/M/J) visas scheduled for this week should bring proof of payment of the SEVIS fee. U.S. citizens may also experience delays in sending and receiving communications. U.S. citizens requiring emergency assistance should contact the Embassy [INSERT contact info].


We doubt if the State Department would have acknowledged this intrusion had the Associated Press not reported it on Sunday. On a related matter, we understand that Consular Affairs’ Consular Consolidated Database has been having problems “lately.”

Can somebody please ask CA if these ongoing problems are related to the technical difficulties from this past summer, or to the newly disclosed intrusion that brought down the email system and the GO site? We’re not terribly technical but curious — if a cyber intruder starts deleting data from the CCD, would anyone notice what’s missing?

* * *