Cyberattack threatened agency’s ‘command and control’

By Kevin Bogardus | 08/29/2016 01:12 PM EDT

On Nov. 1, 2011, investigators began looking into an unwanted visitor to U.S. EPA’s interconnected system of computers, servers and other devices at its Washington headquarters. The trespasser had gained access with a personal computer to the network at least six times. “The impact of this incident represents a compromise of the command and control of EPA systems and the EPA network,” the agency’s inspector general said. Such incidents and their dead-end investigations are prevalent in many of the 14 IG reports on EPA cybersecurity incidents obtained by Greenwire. Records touch on hackers’ attempts to access EPA computers, leading to potential shenanigans with property and personnel, including the exposure of employees’ personal information.

U.S. EPA headquarters in Washington, D.C.

U.S. EPA headquarters in Washington, D.C. Photo courtesy of Wikipedia.

U.S. EPA had an unwanted visitor almost five years ago.

On Nov. 1, 2011, investigators began looking into someone gaining access to the local area network — the physical, interconnected system of computers, servers and other devices — in EPA’s Washington, D.C., headquarters on Pennsylvania Avenue. The trespasser had gained access with a personal computer to the agency’s network at least six times, specifically the east and north buildings of the complex.

How serious was the breach?

Advertisement

"The impact of this incident represents a compromise of the command and control of EPA systems and the EPA network," the agency’s inspector general said in an investigative report.

The interloper on the computer network escaped the IG’s grasp. Allegations of unauthorized access to EPA’s computer network were substantiated, but investigators were unable to "positively identify" the suspect — or suspects. Consequently, no one was referred for prosecution for the hack.

Incidents like that breach along with their dead-end investigations are prevalent in many of the 14 IG reports on EPA cybersecurity-related incidents that Greenwire obtained under the Freedom of Information Act. Records of years-old probes touch on hackers’ attempts to access EPA computers, leading to potential shenanigans with EPA’s property and personnel, including the exposure of employees’ personal information.

Greenwire shared the IG reports with Christopher Budd, global threat communications manager for Trend Micro Inc., a global cybersecurity company. Of the more than dozen reports, the IG probe into the unauthorized access of EPA headquarters’ network raised Budd’s eyebrows.

"Someone grabbed a cable and plugged it into something, so it is a conscious effort," Budd said. "Someone who is trying to get on the physical local area network is being more intentional and potentially more targeted."

Cyberattacks have become an undeniable problem for private and public institutions.

Last year’s mammoth hack of the Office of Personnel Management’s files led to the compromise of private data for millions of federal employees, including those working at EPA. Computer breaches have the potential to upend governments, companies and political parties, evidenced by the turmoil from the recent leak of Democratic National Committee emails.

Chris Lukas, the special agent in charge of the EPA IG’s electronic crimes division, told Greenwire that his agency is not alone in facing the threat.

"It’s not unique to EPA. It’s all federal agencies. They [hackers] are looking to develop inroads into the system," Lukas said. "They are looking to exploit any weakness in the federal government that can get them moving around."

The special agent has been with the EPA inspector general’s office for almost five years and has investigated electronic crimes since 2001 for several agency watchdogs in Washington, D.C. He said every cyberattacker looks to take control of a computer system with no one the wiser to the invader’s presence on the network.

"The goal of every attack is establish command and control of a network. You want to be able to come and go as you please and monitor activity undetected," Lukas said.

The hackers described in the reports obtained by Greenwire didn’t damage or disrupt EPA networks to much effect. Nevertheless, it seems few were caught by investigators.

Lukas said IG staff have brought in offenders, and there are still open investigations that could result in more people facing justice.

"We have had investigations where we have arrested perpetrators. We have identified people, but I can’t talk about investigations that are pending," Lukas said. "People choose to use computers because they think they can remain anonymous."

‘Police blotter’

The reports show EPA has had to face persistent attackers in the cyber realm who don’t give up after one, two or even 10,000 attempts to access the agency’s networks.

One report revealed that on Aug. 12, 2009, "unidentified attackers had made 10776 attempts to exploit" EPA computer systems. The intrusion was detected from several internet protocol addresses. The attack’s impact couldn’t be determined because of the destruction of digital evidence, according to investigators.

Ultimately, the investigation was closed after it failed to identify those responsible for the repeated connection attempts.

PDF document thumbnail image
An intruder gained access to EPA headquarters’ local area network, representing “a compromise of the command and control of EPA systems and the EPA network,” according to an inspector general investigation opened in November 2011. Click here to view this document. | Source: U.S. EPA Inspector General.

Budd said the IG reports on EPA’s cyberattacks read "like a police blotter in a newspaper," saying they demonstrate that the agency has to contend with often mundane acts of electronic crime like every other major institution.

"This is a view into what’s it like to run a system and run into security issues," Budd said, noting the records are "a good view on what people are doing on a day-to-day basis."

Attackers would try to worm their way into EPA’s computers from across the country.

In March 2011, investigators looked into suspicious network logins into EPA’s financial systems on several servers based in Las Vegas. The incident could have potentially affected all of the agency’s finances, as well as the security surrounding environmental response and research facilities, according to the probe’s report.

The source of the unauthorized user activity did not turn up, although "an unidentified encrypted file" was uncovered during the investigation.

Other investigations showed that EPA was worried about their employees losing their private data to hacks.

One report detailed that EPA received word in April 2012 that "numerous" agency systems were being targeted and compromised by "unknown individuals." Further, "the computers were communicating to known malicious websites."

EPA soon after offered credit monitoring services to anyone who had "PII" — personally identifiable information — stored on one of the compromised servers. After one year of monitoring, no employee had been subjected to "suspicious activity," leading the IG to close the investigation.

Andrew Howell, a partner at lobby firm Monument Policy Group, told Greenwire that data kept by agencies will always be under threat.

"Government agencies are always going to be an attractive target given the amount and type of data they store," said Howell, a former vice president of homeland security policy at the U.S. Chamber of Commerce.

Beyond being a source of its employees’ personal information, EPA also has potentially valuable government data, considering its environmental policy proposals and regulations. The agency’s highest offices, too, can be targeted in cyberattacks.

In February 2012, EPA found an "intrusion" into computers at the Office of the Administrator, as well as the Office of Air and Radiation, which affected "the security and stability" of EPA’s local area network and its senior level administration operations.

The FBI would offer to provide information related to the incident to the agency but declined to join the investigation. In the end, there was no damage to EPA’s network, but investigators again failed to find the intruders.

The agency’s rules — as well as the internal deliberations behind those rules — could be prime targets for hackers, considering how regulations could swing the fortunes of chemical, fossil fuel and other industries.

"A lot of the stuff they [EPA] do has commercial impact, and they might like their proposals to stay confidential because of that impact," Stewart Baker, a partner at Steptoe & Johnson LLP, told Greenwire. "I don’t think that is a major area of espionage for pay but if I was EPA, I would like my confidential proceedings to remain confidential."

Baker, who served as assistant secretary for policy at the Department of Homeland Security during the George W. Bush administration, also cited the DNC hack. He said a cybercriminal’s purpose may be to embarrass a mark, not just steal his or her information.

"The Russians have shown if you don’t like someone or something, like a government agency, you can steal their entire email file and put it on the internet," Baker said.

‘Focused Operations’

The IG’s reports into EPA’s cybersecurity incidents often provide few details.

One document said that in January 2012, EPA was notified that an agency system on its Research Triangle Park campus in North Carolina was "compromised" by "Focused Operations."

Yet the reader doesn’t learn much more after that.

"Due to the sensitive nature of the investigation, the details are not being reported in our electronic case management system," said the report. "See the hard copy case file for the closing report of investigation."

At least four reports obtained by Greenwire have that disclaimer.

Many of the IG reports are also pockmarked by redactions under FOIA exemptions, mostly for law enforcement purposes. In addition, after culling from a list of IG investigations closed in 2013, it took nearly two years to obtain the reports under the public records process — hence why they are dated several years ago.

Budd said "getting information on compromises is challenging even in the best of times."

"There is wisdom in not storing reports on cybersecurity incidents electronically," said Budd, noting "redacting details does make sense because if you disclose all the nitty-gritty technical details, a potential attacker could mine that for future attacks."

The term "Focused Operations" is scattered throughout the reports, as well. Lukas said that is referring to an organization — perhaps state-sponsored or "hacktivist" groups such as Anonymous, or possibly even professional hackers — making deliberate attempts to hack or disrupt a network.

The IG special agent said one example of a Focused Operation could be the use of a botnet: a network of computers that have malware on them and are controlled without their owners’ knowledge.

"An organization that is big enough to create a network of zombie computers, a botnet, that can ping you several times — that is really a lot of computer power you have there," Lukas said. "They don’t have to be state-sponsored but think of the organizations that are big enough to do that."

Foreign governments have looked to gain access to U.S. secrets online in the past. Baker said in recent years that the Chinese government has cast a wide net under its hacking efforts against the West, going after every federal agency.

"At least the Chinese [government] has hacked so many government agencies and private institutions, they were running out of targets. So even if EPA was pretty far down on their priority list, they probably have gotten to it," Baker said. "In the last decade, it has been pretty aggressive."

The FBI is often listed in the reports as a joint agency. Lukas said the inspector general will notify the law enforcement bureau of cyber incidents so the two agencies don’t double up their efforts.

"They [FBI] may join in on our investigations, which we welcome because they have more resources than us," Lukas said. "Electronic crimes are borderless. … When it comes to hacking, you can be a doorway away or a world away."

Like other federal agencies, EPA has been subject to hacking.

Graph of cybersecurity incidents per fiscal year
| Photo by Kristi E. Swartz.

For fiscal 2015, EPA reported 118 cybersecurity incidents to the U.S. Computer Emergency Readiness Team, or US-CERT — more than the 105 from the prior year. The agency reported more incidents in fiscal 2012 and 2013, but what remains true today is cyberthreats are genuine for EPA.

An EPA official told Greenwire that incidents reported to US-CERT were serious enough to grab the agency’s attention, noting "a cyberincident is an event that becomes interesting that you need to investigate and figure out what is going on."

The official said the agency doesn’t approach the issue lightly and has upped its cybersecurity budget. The official said EPA will spend an estimated $20 million on cybersecurity in fiscal 2016.

"Across the federal government and private industry, there are more threats, so we are trying to mitigate the impact of those threats," said the official.

Cyberthreats have grown for the federal government overall. According to the Government Accountability Office last year, there were 5,502 cybersecurity incidents affecting agencies’ systems in fiscal 2006, which increased by 1,121 percent to 67,168 in fiscal 2014.

Cybersecurity, however, remains a challenge for EPA. After all, the inspector general has listed it as an issue requiring attention from the agency since fiscal 2001. In a report issued in June, the IG said EPA should focus on better managing contractors who provide key support in operating systems (Greenwire, June 16).

The EPA official said the IG also acknowledged that the agency has been making progress on cybersecurity. Last year, the agency completed a "cyber sprint" to bolster its defenses (Greenwire, July 16, 2015).

‘Hacktivists’

Not all hacks are serious. Actually, some can even be funny.

One report describes an investigation begun in July 2012 regarding "a breach of security," resulting in changes to a regional office’s server.

Specifically, changes were made to a server’s desktop background, so instead of displaying a Microsoft logo, it depicted a "cartoon" image — details of which were redacted.

Investigators for the IG conducted several interviews, with many EPA employees suspecting the culprit was among a team of contractors who had access to the server. Several downplayed the incident, with one saying it was "no big deal" and another describing it as "a joke which had been blown out of proportion."

In the end, EPA suffered no dollar losses, and no criminal activity was uncovered by the desktop image meddling. The IG decided against pursuing the case.

Budd with Trend Micro said investigators were right to check out the incident, even if it was a prank gone bad.

"From a security perspective, checking out a changed background image, that’s a smart thing to do. That’s a small thing that could be a big thing," Budd said.

Lukas with the IG’s office said EPA does have to worry about "hacktivists." Nonetheless, there are harmless actors out there online that have relatively innocent motivations.

"There are even kids who just want to show what they did to their friends," Lukas said.

Click here to read the EPA IG’s reports on cyberattacks.

Reporter Blake Sobczak contributed.