According to a watchdog report, U.S. Census Bureau computer servers were exploited in January 2020 during a cybersecurity attack, but hackers’ attempts to keep access to the system were unsuccessful.
The Census Bureau missed opportunities to limit its vulnerability to the attack and didn’t discover and report the attack promptly, claims the the Office of Inspector General. The agency reportedly failed to keep sufficient system logs, which in turn hindered the investigation, and was using an operating system no longer supported by the vendor, the watchdog report said.
The bureau’s firewalls stopped the attacker’s attempts to maintain access to the system through a backdoor. Unauthorized changes, such as the creation of user accounts, were still made.
Acting Census Bureau Director Ron Jarmin said neither the systems used for the 2020 census or the U.S.’s once-a-decade headcount were affected by the attack. “Furthermore, no systems or data maintained and managed by the Census Bureau on behalf of the public were compromised, manipulated or lost,” Jarmin said.
Andrew Barratt, Managing Principal, Solutions and Investigations at Coalfire, a Westminster, Colorado-based provider of cybersecurity advisory services, says census records systems are always an interesting target.
He explains, “From a PII perspective, they are an Aladdin’s cave of data, typically with precise demographic information and essentially a potential authoritative source on identity. The disclosure offers up some common failings but with a glimmer of hope that defenses were considered. Preventing back doors or a persistent threat usually requires the defense to assume compromise during the process of designing their systems. However, the lack of access logs, monitoring and out-of-date systems perhaps show where budgets have been trimmed and unfortunately created a false economy for the tax dollars spent. This is usually an indication of a technical first approach to defense but lacks a broader, more strategic view and perhaps a lack of adoption of one of the many federally approved frameworks. This is frustrating given the potential data at risk and perhaps an element of fortune that the intruder didn’t get any further. The question will remain, with such limited monitoring and logging – will they have been able to detect a further compromise that put census data at risk?”
The critical takeaway from this incident, however, is that the additional logging and visibility may have supported more timely identification and reporting, which could have both limited persistent access and subsequent impact, says Tim Wade, Technical Director, CTO Team at Vectra, a San Jose, Calif.-based AI cybersecurity company. “The takeaway should not be that some exploitable vulnerability was discovered and abused – given time, resources and motivation, an adversary will always uncover some exploitable condition, but by developing an organization’s detection, response, and recovery capabilities, there is an opportunity to mitigate the risks of such discovery and abuse before material damage is realized,” he says.
Jake Williams, CTO, BreachQuest, agrees, noting that this indicator of compromise scanning is an effective force multiplier for security teams. “Senior analysts discover the appropriate indicators and write detections, and junior analysts can use the scanner to automatically and reliably identify compromised systems,” Williams explains. “The Bureau was able to operationalize the provided IOCs because they retained network logs from the boundary firewall. Many organizations we work with today do not retain firewall logs, and some aren’t even configured to log at all. Organizations should examine the scenario in the IG report and determine if they could detect a similar incident given their network logging posture.”