A string of hacktivist attacks against government agencies this year may stem from private-sector data breaches, which give hacking groups such as Anonymous the resources they need to virtually overrun government systems and steal sensitive data.
A leaked FBI document surfaced last week just a day before a hacker linked to Anonymous was sentenced for his role in a high-profile breach. The memo, obtained by Reuters, details security incidents that began a year ago at multiple government agencies. These attacks targeted various vulnerabilities, including flaws in Adobe Systems' ColdFusion software, and enabled hacktivists to establish back-door access to maintain a persistent presence on systems for extended lengths of time, according to the report.
The infections were seen on systems at the U.S. Army, Department of Energy, Department of Health and Human Services, and perhaps many more agencies, the memo said.
Adobe has suffered a serious data security breach, acknowledging in October that hackers gained access to millions of encrypted passwords and customers' personal information. Even more concerning to security experts was the extent of the company's source code leak, because it could give sophisticated attackers the ability to conduct more nefarious campaigns using Adobe products.
Investigators are still determining who carried out the Adobe attack. An Adobe spokesperson said the vast majority of attacks seen in the wild are targeting known software vulnerabilities in its products that have not been updated with the latest patches.
The leaked FBI memo shines a light on the impact of the Anonymous hacktivist collective. The group was responsible for attacks against Sony, crippling its PlayStation network for weeks, and a campaign against security firm HBGary Federal in which thousands of sensitive emails were leaked to the public.
Jeremy Hammond, a hacker associated with the Anonymous group, was sentenced last week to 10 years in prison for his role in the attacks targeting Stratfor, a private security intelligence firm that acknowledged that its systems were breached, leaking customer account information, including email addresses and credit cards. The Chicago-based hacker used the stolen credit card data to charge $700,000 worth of fraudulent donations to nonprofit groups.
Solution providers in both the public and private sector told CRN that many of the breaches at government agencies stem from missteps and poor security practices. Password leaks and rampant software vulnerabilities are mounting across industries and geographies, affecting everyone, including the providers charged with delivering security support to businesses, they said.
One major password breach potentially gives hacktivists and other attackers the keys to the kingdom at any business or government agency, said Arthur Hedge, CEO of Castle Ventures, a network security monitoring and log analysis firm. They can gain access to systems as a valid user without triggering alarm bells, he said. Hedge's team provides customers with reports about suspicious activity in system logs that signals potential malicious activity on the corporate network.
Although businesses are increasingly concerned about the threat landscape, regulations are still what drive most security initiatives at organizations.
"No one wants to get on the front page of the newspaper or lose their job because they're not compliant with the law," Hedge told CRN. "Our advisory role is to ensure the client understands that just because you are compliant doesn't mean you are secure."
PUBLISHED NOV. 20, 2013