A team of government-contracted “red team” hackers gained unauthorized and undetected control of critical Census Bureau systems in a simulated attack, exposing major cybersecurity weaknesses at the Federal agency, according to a new report by the Commerce Department Office of Inspector General (IG).
The red team – a group of cybersecurity experts tasked with simulating a real-world hacking attempt on an organization’s system – was able to breach the agency’s systems through a domain administrator account and gain access to employees’ personally identifiable information.
The IG report indicates that the red team exercise was conducted between August 2021 and March 2022.
In its response to the IG report, the Census Bureau said it plans to release a detailed action plan to address the security vulnerabilities exposed in the exercise. Under department guidelines, the agency has 60 days to submit the plan.
“Once the Bureau provided the red team with an internal foothold under an assumed breach scenario, we determined that the Bureau did not have an effective cybersecurity posture in place to protect against a simulated real-world attack,” the report says.
The Census Bureau had failed to restrict access to, or disable, an outdated account management control tool. That tool gave the contracted red team access to the agency’s systems and let it run commands as a user with excessive privileges.
From that position the red team went further: it sent spoofed emails through insecure programs and carried out additional malicious actions. In all, the report identifies 11 security weaknesses.
However, the IG redacted some details from its report to protect sensitive information about the Census Bureau’s information technology vulnerabilities.
The objective of the evaluation was to determine the effectiveness of the Bureau’s cybersecurity posture against a simulated real-world attack.
The exercise followed a real incident. In January 2020, ahead of the 2020 U.S. Census, attackers exploited a security weakness in the Bureau’s virtual desktop infrastructure. In light of that incident, the IG’s Office of Audit and Evaluation launched the cyber red team to run this simulated attack against the Census Bureau.
The Census Bureau has not remedied these vulnerabilities, the report says, and still lacks effective cybersecurity measures that would limit an attacker’s options after a successful initial breach.
“Once a domain administrator account is under their control, advanced threat actors can pivot across a network, evade security defenses, maintain a foothold on the network, access sensitive files, and run malicious commands,” the report says. “By bypassing multiple security countermeasures and evading detection by the bureau’s staff, the red team demonstrated a critical threat to the bureau’s information security.”
The IG recommends that the Census Bureau implement advanced authentication security controls and assess known vulnerabilities to ensure systems are protected. In addition, the IG called on the Bureau to remove legacy code from critical systems, develop a process to routinely test and inspect applications for vulnerabilities, and establish alerts for common detection methods.
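The report’s last two points, the pivoting that a compromised domain administrator account enables and the recommendation to establish alerts, can be made concrete with a small detection pass over Windows Security events. The following is an added example written for this page; it is not code from the IG report or from the Census Bureau. It uses the documented Windows event IDs for privileged-group membership changes (4728/4732/4756) and special-privilege logons (4672), but the sample events, host names, account names and the Tier-0 allowlist are constructed for illustration.

```python
"""Toy detection pass over Windows Security events for Domain Admin abuse.

Added example for this page, not from the IG report or the Census Bureau.
Event IDs and field names follow Windows Security auditing; the sample
events, hosts, accounts and allowlist below are constructed.
"""
from dataclasses import dataclass

# Event IDs documented for Windows Security auditing.
GROUP_MEMBER_ADDED = {4728, 4732, 4756}   # member added to a security-enabled group
SPECIAL_PRIVILEGE_LOGON = 4672            # special privileges assigned to a new logon

# Groups whose membership changes should always raise an alert.
TIER0_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Hosts on which privileged logons are expected (constructed allowlist:
# domain controllers and privileged access workstations).
TIER0_HOSTS = {"DC01", "DC02", "PAW-ADMIN01"}


@dataclass(frozen=True)
class Alert:
    rule: str
    event_id: int
    detail: str


def detect(events, known_admins):
    """Return alerts for Tier-0 group changes and admin logons off Tier-0 hosts.

    `events` is an iterable of dicts carrying EventID, Computer and the
    per-event fields used below. `known_admins` is the set of accounts that
    currently hold domain admin rights (pulled from AD in a real deployment).
    """
    alerts = []
    for ev in events:
        eid = ev["EventID"]
        if eid in GROUP_MEMBER_ADDED and ev.get("TargetUserName") in TIER0_GROUPS:
            # Any change to a Tier-0 group fires regardless of who made it;
            # legitimate changes are rare and should be ticketed.
            alerts.append(Alert(
                "tier0-group-change", eid,
                f"{ev.get('SubjectUserName')} added {ev.get('MemberName')} "
                f"to {ev['TargetUserName']} on {ev['Computer']}",
            ))
        elif eid == SPECIAL_PRIVILEGE_LOGON:
            user = ev.get("SubjectUserName", "")
            host = ev["Computer"]
            # A privileged logon by a known admin on a host outside the
            # Tier-0 allowlist is how lateral movement usually surfaces.
            if user in known_admins and host not in TIER0_HOSTS:
                alerts.append(Alert(
                    "admin-logon-off-tier0", eid,
                    f"{user} received {ev.get('PrivilegeList', '?')} on {host}",
                ))
    return alerts


# Constructed sample events (not real telemetry from any agency).
SAMPLE_EVENTS = [
    {"EventID": 4672, "Computer": "DC01", "SubjectUserName": "svc_backup",
     "PrivilegeList": "SeBackupPrivilege"},
    {"EventID": 4672, "Computer": "WKS-1234", "SubjectUserName": "jdoe_da",
     "PrivilegeList": "SeDebugPrivilege,SeTcbPrivilege"},
    {"EventID": 4728, "Computer": "DC02", "SubjectUserName": "jdoe_da",
     "MemberName": "CN=helpdesk7,OU=Users,DC=corp,DC=example",
     "TargetUserName": "Domain Admins"},
    {"EventID": 4728, "Computer": "DC02", "SubjectUserName": "hr_admin",
     "MemberName": "CN=newhire,OU=Users,DC=corp,DC=example",
     "TargetUserName": "HR Staff"},
    {"EventID": 4624, "Computer": "WKS-1234", "SubjectUserName": "jdoe_da",
     "LogonType": 10},
]

# Constructed set of accounts that legitimately hold domain admin rights.
KNOWN_ADMINS = {"jdoe_da", "svc_backup"}

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS, KNOWN_ADMINS):
        print(f"[{a.rule}] event {a.event_id}: {a.detail}")
```

Run against the constructed events, the pass flags the domain admin’s privileged logon on an ordinary workstation and the addition of a helpdesk account to Domain Admins, while ignoring the backup service on a domain controller, a routine HR group change and a plain RDP logon. In a real deployment the event dicts would come from the SIEM or from `Get-WinEvent`, the admin set from Active Directory, and the allowlist from the organization’s tiering model.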