DHS/FBI Issues Joint Analysis Report: GRIZZLY STEPPE – Russian Malicious Cyber Activity (Read Report)

Posted: 1:32 pm PT
[twitter-follow screen_name=’Diplopundit’ ]

 

Related to the declaration of 35 Russian officials persona non grata for malicious cyber activity and harassment (see USG Declares 35 Russian Officials Persona Non Grata, Imposes New Sanctions), DHS and FBI also released a Joint Analysis Report (JAR) which provide details of the tools and infrastructure used by Russian intelligence services to compromise and exploit networks and infrastructure associated with the recent U.S. election, as well as a range of U.S. government, political and private sector entities. Below via us-cert.gov: from the JAR: GRIZZLY STEPPE – Russian Malicious Cyber Activity. Click on image below to read the full Joint Analysis Report from DHS/FBI: JAR_16-20296. Original document is posted here.

In spring 2016, APT28 compromised the same political party, again via targeted spearphishing. This time, the spearphishing email tricked recipients into changing their passwords through a fake webmail domain hosted on APT28 operational infrastructure. Using the harvested credentials, APT28 was able to gain access and steal content, likely leading to the exfiltration of information from multiple senior party members. The U.S. Government assesses that information was leaked to the press and publicly disclosed.  

jar

#

Advertisements

State/OIG Issues Report on @StateDept IT Incident Response and Reporting Deficiencies

Posted: 2:03 am EDT
[twitter-follow screen_name=’Diplopundit’ ]

 

An independent accounting firm hired by State/OIG determined that the State Department’s IT incident response and reporting (IR&R) program was not operating effectively. Specifically, of the 25 cyber security incidents evaluated, Williams, Adley found that five were miscategorized, six were not remediated in a timely manner, one was not identified in a timely manner, one was missing incident information, four were not reported to the U.S. Computer Emergency Readiness Team (US-CERT) in a timely manner, and two were not reported to US-CERT as required.

The deficiencies in the IR&R program occurred primarily because of inadequate communication between the Bureau of Information Resource Management (IRM) and the Bureau of Diplomatic Security (DS) and inadequate management oversight that would ensure that personnel within the Department’s incident response team fully complied with prescribed categorization guidelines, reporting requirements, and remediation timelines.

Without an effective IR&R program, the Department may be unable to properly identify weaknesses, restore IT operations in a timely manner, and identify and respond to cyber security incidents, which could potentially lead to interruptions of critical operations and hinder the Department’s ability to achieve its core mission.
[…]
Williams, Adley determined that the Department’s IR&R program was not operating effectively for the months of September and October 2014. Specifically, Williams, Adley reviewed the Department’s handling of 25 cyber security incidents out of 303 incidents (CAT 1 to CAT 6) reported during the scope period8 to determine whether the Department complied with its information security policies and procedures.

Screen Shot

According to the audit, remediation of one denial of service attack took over 200 hours, remediation of four malicious code attacks took between 174 hours and 312 hours, and remediation of one probe attack took over 175 hours.

Here’s the proposed solution according to the audit:

DS officials stated that a proposed solution was currently being developed that would improve the responsiveness of and communications between DS and IRM. Specifically, the Department would create a Joint Concept of Operations, via a Memorandum of Understanding, that would enhance the current capabilities of the DS Foreign Affairs Cybersecurity Center. Although the Memorandum of Understanding was in the initial drafting phase as of the date of this report, it is a proposed solution that, when fully implemented, will allow the Department to approve a Joint Security Operations Center concept that will potentially consolidate core IRM and DS cyber security functions and thus strengthen the responsiveness of and communications between IRM and DS. This effort will serve as the first step in improving communications between IRM and DS.

The State Department’s response to the OIG requests that the two recommendations be closed  due to agency actions but also expressed concerns over the OIG’s use of this press article from nextgov cited in the audit:

Screen Shot

WaPo reported about the down email system due to hacking concerns here and we did a blogpost of the incident here (see  State Department’s Computer Systems Hacked, 5th Known Agency Breach This Year?).

#

 

No, the FTC is not/not offering money to OPM data breach victims

Posted: 1:07  pm EDT
[twitter-follow screen_name=’Diplopundit’ ]

 

The Federal Trade Commission’s Lisa Weintraub Schifferle, an attorney for FTC’s Division of Consumer and Business Education pens the following warning:

If you’re an OPM data breach victim, you probably know to look out for identity theft. But what about imposter scams? In the latest twist, imposters are pretending to be the FTC offering money to OPM data breach victims.

Here’s how it works: A man calls and says he’s from the FTC and has money for you because you were an OPM data breach victim. All you need to do is give him some information.

Stop. Don’t tell him anything. He’s not from the FTC.

One fake name the caller used was Dave Johnson, with the FTC in Las Vegas, Nevada. There’s not even an FTC office in Las Vegas. The FTC won’t be calling to ask for your personal information. We won’t be giving money to OPM data breach victims either.

That’s just one example of the type of scam you might see. You may get a different call or email. Here are some tips for recognizing and preventing government imposter scams and other phishing scams:

• Don’t give personal information. Don’t provide any personal or financial information unless you’ve initiated the call and it’s to a phone number you know to be correct. Never provide financial information by email.

• Don’t wire money. The government won’t ask you to wire money or put it on a prepaid debit card. Also, the government won’t ask you to pay money to claim a grant, prize or refund.

• Don’t trust caller ID. Scammers can spoof their numbers so it looks like they are calling from a government agency, even when they are not. Federal agencies will not call to tell you they are giving you money.

If you’ve received a call or email that you think is fake, report it to the FTC. If it’s an email that relates to the OPM breach, you also can forward it to US-CERT at phishing-report@us-cert.gov. If you gave your personal information to an imposter, it’s time to change those compromised passwords, account numbers or security questions.

Originally posted here.

#

OPM Hit By Class Action Lawsuit, and Those Phishing Scams You Feared Over #OPMHack Are Real (Corrected)

Posted: 7:16 pm  EDT
[twitter-follow screen_name=’Diplopundit’ ]

 

The largest federal employee union, the American Federation of Government Employees, filed a class action lawsuit today against the Office of Personnel Management, its director, Katherine Archuleta, its chief information officer, Donna Seymour and Keypoint Government Solutions, an OPM contractor.
.

.

.
A couple of weeks ago, we thought that the “recipe” from the OPM email notification sent to potentially affected employees via email might be copied by online scammers.

.

 

Today, the United States Computer Emergency Readiness Team (US-CERT), part of part of DHS’ National Cybersecurity and Communications Integration Center (NCCIC) issued an alert on phishing campaigns masquerading as emails from the Office of Personnel Management (OPM) or the identity protection firm CSID.

#

State Department’s Computer Systems Hacked, 5th Known Agency Breach This Year?

— Domani Spero
[twitter-follow screen_name=’Diplopundit’ ]

 

Just the bit of bad news you don’t need to start your Monday:

 

Below via WaPo:

The State Department did not seek to publicize that it had been hacked. On Friday, it announced that “maintenance” would be done to the unclassified network during a routine, scheduled outage. But on Sunday, after the Associated Press first reported the breach, officials acknowledged they had found traces of suspicious activity in their system and were updating security in the middle of a scheduled outage. In a sign of how complete the shutdown was, duty officers were using Gmail accounts.

A senior State Department official, who spoke on the condition of anonymity to discuss the breach, also told WaPo that “none of the department’s classified systems were compromised.”

Would State report publicly the classified intrusion if those systems were compromised?

This report follows the confirmation of a hack at the National Oceanic and Atmospheric Administration which reportedly forced cybersecurity teams to seal off data vital to disaster planning, aviation, shipping, etc. this past September, the reported breach of the computer networks of the United States Postal Service, compromising the data of more than 800,000 employees and a breach at the White House.  In June this year, the WSJ also reported the breach of computer systems at the Office of Personnel Management, which stores data on federal employees.

An unnamed official told nextgov.com that State is bolstering the security “of its main unclassified network during a scheduled outage of some Internet-linked systems.” The site, nextgov.com says it is “unclear why officials waited until this weekend to disconnect potentially infected systems at State.”

As of this writing, the State Department’s mobile access (go.state.gov) is down with the following notice: “The Department is currently experiencing an ongoing, planned outage to upgrade our network.  during this event, mobile access (GO) will be unavialable.  We apologize for any inconvenience this may cause you.  For questions or more information, please contact the IT Service Center at 202-647-2000.”

We understand that GO will be down until further notice and may need to be rebuilt. A mobile copy is currently live at http://m.state.gov.

* * *

In totally unrelated news, and nothing/nothing whatsoever to do with this reported hack — State/OIG on November 7, published its Audit of Department of State Information Security Program.  The report is readable if you don’t mind the redacted parts:

Screen Shot 2014-11-15 at 11.11.19 AM

Below is an excerpt:

Information technology security controls are important to protect confidentiality, integrity, and availability of information and information systems. When they are absent or deficient, information becomes vulnerable to compromise.[REDACTED]
[…]
Although we acknowledge the Department’s actions to improve its information security program, we continue to find security control deficiencies in multiple information security program areas that were previously reported in FY 2010, FY 2011, FY 2012, and FY 2013. Over this period, we consistently identified similar control deficiencies in more than 100 different systems. As a result, the OIG issued a Management Alert in November 2013 titled “OIG Findings of Significant and Recurring Weaknesses in the Department of State Information System Security Program” that discussed significant and recurring control weaknesses in the Department’s Information System Security Program [REDACTED B(5)]

The FY 2013 FISMA audit report contained 29 recommendations intended to address identified security deficiencies. During this audit, we reviewed corrective actions taken by the Department to address the deficiencies reported in the FY 2013 FISMA report. Based on the actions taken by the Department, OIG closed 4 of 29 recommendations from the FY 2013 report.
[…]
We identified control deficiencies in all [Redacted] (b) (5)  of the information security program areas used to evaluate the Department’s information security program. Although we recognize that the Department has made progress in the areas of risk management, configuration management, and POA&M since FY 2013, we concluded that the Department is not in compliance with FISMA, OMB, and NIST requirements. Collectively, the control deficiencies we identified during this audit represent a significant deficiency to enterprise-wide security, as defined by OMB Memorandum M-14-04.
[…]
Although we found the Department’s Computer Incident Response Team (CIRT) Standard Operating Procedures aligned with NIST SP 800-61, Revision 2,39 procedures do not clearly state all the bureaus, offices, and organizations that require notification prior to closing an incident. As a result, DS/SI/CS did not report all incidents to the U.S. Computer Emergency Readiness Team (US-CERT) as required. Specifically, 1 out of 22 (5 percent) security incidents we tested was not reported to the US-CERT, even though it was a Category 4 incident and involved potential classified spillage. If the Department does not report data spillage incidents (potential or confirmed) to US-CERT within the established timeframes, US-CERT may not be able to help contain the incident and notify appropriate officials within the allotted timeframe.

According to State/OIG, Category 4 incidents are incidents involving improper usage of Department systems or networks (that is, a person that violates acceptable computing use policies).

According to OMB Memorandum M-14-04, a significant deficiency is defined as a weakness in an agency’s overall information systems security program or management control structure, or within one or more information systems that significantly restricts the capability of the agency to carry out its mission or compromises the security of its information, information systems, personnel, or other resources, operations, or assets. via

 * * *

Related item:

Audit of Department of State Information Security Program; Published On: November 07, 2014; Report Date: November 2014; Report Number: AUD-IT-15-17; View Report: aud-it-15-17.pdf