Iranian government-linked hackers got into Merit Systems Protection Board’s network
Iranian government-affiliated hackers infiltrated the systems of the U.S. Merit Systems Protection Board earlier this year, according to people familiar with the incident.
The people, like others interviewed for this story, spoke on the condition of anonymity due to the matter’s sensitivity.
The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert Wednesday detailing how the hackers compromised an unnamed federal government network. CISA and the FBI determined that the attackers were Iranian government-sponsored and installed cryptocurrency-mining software, as well as tools to burrow within the agency’s systems.
It’s not clear what information, if any, the hackers might have obtained while inside the agency’s network. Iranian hackers compromised the agency as early as February, according to CISA’s alert, based on an incident response CISA carried out from mid-June to mid-July.
- The board, a quasi-judicial agency which adjudicates grievances from federal government employees in areas such as whistleblower retaliation, did not respond to requests for comment.
The hacking group responsible is known as Nemesis Kitten, also according to people familiar with the incident.
Security researchers say Nemesis Kitten conducts destructive, disruptive and snooping operations on behalf of the Iranian government. But they also carry out ransomware and other attacks on the side for financial gain.
“Iran and their peers depend on contractors to carry out cyberespionage and attack,” said John Hultquist, vice president of intelligence at Google’s Mandiant security division. “Many of these contractors moonlight as criminals, and it can be difficult to distinguish this activity from work done at the behest of the state. We suspect that at least in some cases the state ignores the crime. We believe this group moonlights, though we can’t validate the cryptomining incident.”
That the hackers deployed crypto-mining software in a federal agency was odd, since such operations usually benefit most by going after targets with a lot of computing power, said Bryan Ware, CEO of LookingGlass Cyber.
“It’s peculiar that the crypto miner was present,” said Ware, a former top CISA official. “It’s possible Iran used it to obfuscate other activities like espionage or mislead the incident response team — essentially spies disguising themselves as criminals.”
The Treasury Department issued sanctions against five indicted Iranian men in September over a ransomware spree that Treasury couldn’t definitively attribute to Nemesis Kitten. But the department said “some of their malicious cyber activity can be partially attributable” to that group and others connected to Iran.
According to CISA, the hackers exploited the Log4Shell vulnerability in an unpatched VMware Horizon server. Log4Shell is a vulnerability in log4j, a popular open-source logging library. CISA warned late last year that the vulnerability had the potential to affect hundreds of millions of devices.
CISA responded in December by ordering federal agencies to search for log4j in their systems and patch vulnerable devices. The agencies had until Dec. 28 to complete the two-part vulnerability mitigation.
Although CISA declined to comment on The Washington Post’s reporting that the Iranian hackers hit the Merit Systems Protection Board, a top CISA official said the alert demonstrated the ongoing Log4Shell threat and the need to take action to counter it.
- “Today’s advisory highlights the importance of continued focus on mitigating known exploited vulnerabilities such as Log4Shell and the need for all organizations to implement effective detections to proactively identify malicious activity before damaging impacts occur,” Eric Goldstein, executive assistant director for cybersecurity at CISA, said in an emailed statement. “While organizations across government and the private sector acted with urgency to mitigate assets running vulnerable versions of Log4j, we know that malicious cyber actors moved quickly to exploit vulnerable assets and continue to do so.”
Nemesis Kitten has been linked to using the Log4Shell vulnerability in the past.
The Office of Management and Budget’s most recent annual review of federal agency information security rated the Merit Systems Protection Board as “at risk,” the medium step between “high risk” and “managing risk.”
The widespread presence of log4j makes it hard for any organization to definitively patch the Log4Shell vulnerability, a U.S. official said.
“There is no large entity on the planet that is done patching log4j because it’s so ubiquitous,” the official said. “This is just an issue of scale — finding every single instance of log4j. We said this was going to have a long tail and I think we’re just seeing adversaries continue to use it — looking for that one system that has log4j on it.”
In a report this summer, CISA’s Cyber Safety Review Board warned that “vulnerable instances of Log4j will remain in systems for many years to come, perhaps a decade or longer.”
That’s a view common among cybersecurity experts.
“We are almost a year to the day from the discovery of Log4Shell and I’m not surprised we are seeing reports like today’s CISA and FBI advisory,” Dan Lorenc, CEO of supply chain cybersecurity firm Chainguard, said via email. “Log4Shell is endemic and it’s going to be around forever. It will remain in every attacker’s toolbox and continue to be used to gain access or for lateral movement for the foreseeable future.”
Joseph Menn contributed to this report.
Officials should look into designating space and bioeconomy as critical infrastructure, CISA says
The agency said in a report that there’s “an opportunity to designate a space sector and bioeconomy sector as critical infrastructure sectors that would get more cybersecurity resources and regulations, Nextgov’s Mariam Baksh reports. President Biden said in a letter that he accepted the report’s recommendations and that White House officials would work with CISA to carry out its tasks.
“Multiple sectors offer a fragmented or partial view of a larger scope associated with common functions, and therefore it may be advantageous to consider merging or consolidating those sectors,” CISA wrote. It called out the emergency services sector because it “contains services largely provided or overseen by government entities,” Baksh reports.
The report was required under an annual defense bill that became law in January 2021.
Despite lack of imminent threats, World Cup could see cyberespionage and hacktivism
Countries like China, Iran and North Korea aren’t likely to conduct disruptive cyberattacks targeting the 2022 FIFA World Cup in Qatar, which starts next week, cybersecurity firm Recorded Future said in a report. The firm said it “has not identified any imminent, planned or ongoing state-sponsored cyber operations” targeting the tournament, its sponsors or infrastructure.
“Qatar’s relatively unique geopolitical position on a contentious global stage means it’s unlikely that state-sponsored APT groups from China, Russia, Iran, and North Korea will conduct a disruptive attack against the 2022 FIFA World Cup, despite Russia having the greatest motivations for doing so,” the firm said. “Instead, nationalistic Russian hacktivist groups or ransomware operators could conduct disruptive attacks against the tournament, which can provide the Kremlin with plausible deniability.”
- The Aspen Institute is launching its Global Cyber Group. It will be chaired by Marina Kaljurand, an Estonian member of the European Parliament; Singapore Cyber Security Agency CEO David Koh and Rapid7 President and CEO Corey Thomas.
- Officials from the Cybersecurity and Infrastructure Security Agency, and Energy Department speak at the WaterISAC’s H2OSecCon security conference today.
- Top U.S. cybersecurity officials speak at the Aspen Institute’s annual Aspen Cyber Summit today.
- The Senate Homeland Security Committee holds its hearing on worldwide threats today at 10:15 a.m.
- Google Cloud chief information security officer Phil Venables and Elliptic founder and chief scientist Tom Robinson speak at a Washington Post Live event today at 10:30 a.m.
- Rep. Jim Himes (D-Conn.) discusses spyware at a Center for a New American Security event today at noon.
- Doreen Bogdan-Martin, the newly elected secretary general of the International Telecommunication Union, and National Archives and Records Administration innovation chief Pamela Wright speak at an American University event on Friday at 8:30 a.m.
Thanks for reading. See you tomorrow.