Intruders infect 33 US government computers with Trojans

Unknown intruders last year managed to infect 33 computers belonging to a bureau of the US Department of Commerce with data-stealing Trojans and other malware.

But the compromises were quickly detected and no information is believed to have been stolen, according to testimony presented to a US congress hearing.

The homeland security subcommittee hearing is part of an inquiry into the extent to which hackers have compromised US government networks and critical infrastructure.

Among those testifying are David Jarrell, manager of the critical infrastructure protection programme at the Department of Commerce, and Don Reid, senior coordinator for security infrastructure from the US Department of State. Both agencies were infiltrated in 2006 by hackers using servers that appeared to be based in China. Also testifying are representatives from the US Department of Homeland Security, the Idaho National Laboratory and security vendor VeriSign.

According to Jarrell, the cyberintrusion affecting the Commerce Department's Bureau of Industry and Security systems was first noticed last July, when a Bureau of Industry and Security deputy under secretary reported being locked out of his computer. An investigation showed that the system had been compromised and someone had installed malicious code on it that was causing it to make unauthorised attempts to access another computer on the bureau's network.

Investigations also showed that the infected system had attempted to access two external IP addresses after business hours, when the computer was no longer being used. Two other systems were found to be similarly infected and were disconnected from the internet and quarantined.

Over the next 10 days or so, investigators at the Bureau of Industry and Security noticed about 10 other computers making similar attempts to connect with suspicious IP addresses. By 18 August, 32 bureau systems and one non-bureau system had tried to communicate with at least 11 suspicious IP addresses, as determined by an analysis of the department's firewall logs.
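The kind of firewall-log sweep described above, as an added example that is not from the testimony or the bureau's own tooling: it flags internal hosts that reached addresses outside the LAN after business hours and counts how many hosts and distinct external IPs are involved. The log line format, the 10.1.2.0/24 LAN range, the sample lines and the 08:00 to 18:00 business window are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log lines (not real bureau data); the format is assumed.
SAMPLE_LOG = """\
2006-07-20 02:13:45 ACCEPT 10.1.2.15:51234 -> 203.0.113.5:443
2006-07-20 02:14:02 ACCEPT 10.1.2.15:51240 -> 198.51.100.9:80
2006-07-20 10:30:11 ACCEPT 10.1.2.22:50001 -> 203.0.113.5:443
2006-07-21 23:58:30 ACCEPT 10.1.2.40:49152 -> 203.0.113.77:8080
2006-07-21 23:59:01 ACCEPT 10.1.2.40:49153 -> 10.1.2.200:445
2006-07-22 03:05:17 DROP   10.1.2.15:51301 -> 198.51.100.9:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) +(?P<action>\w+) +"
    r"(?P<src>[\d.]+):\d+ +-> +(?P<dst>[\d.]+):\d+$"
)

INTERNAL_NET = ipaddress.ip_network("10.1.2.0/24")  # assumed bureau LAN range


def parse_line(line):
    """Return (timestamp, src, dst) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, ipaddress.ip_address(m.group("src")), ipaddress.ip_address(m.group("dst"))


def after_hours_external(log_text, internal_net=INTERNAL_NET, business=(8, 18)):
    """Map each internal host to the external IPs it tried to reach outside business hours.

    Dropped attempts count too: the point is the attempt, not whether it succeeded.
    """
    start, end = business
    contacts = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst = parsed
        # Only outbound traffic from the LAN to addresses outside it is of interest.
        if src not in internal_net or dst in internal_net:
            continue
        if start <= ts.hour < end:
            continue
        contacts[str(src)].add(str(dst))
    return dict(contacts)


def summarise(contacts):
    """Return (number of hosts flagged, number of distinct external IPs they reached)."""
    ips = set().union(*contacts.values()) if contacts else set()
    return len(contacts), len(ips)
```

Hosts flagged this way are candidates for quarantine and forensic review, as the bureau did; the business-hours filter is only a first cut and should be paired with IDS signatures for the known malware.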

In each case, the suspicious activity was quickly spotted and stopped using "custom" intrusion-detection system (IDS) signatures developed by security vendor McAfee and in some cases by the US-Computer Emergency Readiness Team, Jarrell said in his testimony. In one case, an infected system was detected and disconnected from the network while it was in the process of preparing files for transfer to an external system.

At the time its systems were compromised, the Bureau had in place all of the security requirements mandated by the Federal Information Security Management Act (FISMA), Jarrell noted. However, even with those measures in place, the incidents could not have been prevented because the intruders took advantage of unpatched flaws to gain access, he said.

"The security incident could have occurred regardless of FISMA because the...attack uses internet access to exploit unpatched zero-day attack vulnerabilities, irrespective of the commercial computer security and network monitoring tools and standard prescribed [penetration testing]," he said. "This is a key point related to the bureau's response – specifically the decision to segregate internet access," he said.

To date, an analysis of the forensic data has shown no evidence that information was actually stolen, despite the compromises, Jarrell said. At the same time, it remains unclear just when the first breach occurred or for how long intruders might have had access to the Bureau’s systems.

Following the breaches, several steps have been taken to shore up security, Jarrell noted, including tougher access controls, the use of custom IDS signatures to detect infected systems and a new network behaviour-based intrusion prevention system that monitors data streams to block or drop traffic based on how it behaves on the network.

"There is a high probability that existing backdoors, if any, to the network will be detected," Jarrell said. But, "it is impossible to say with certainty that 100% of the infestation is eradicated from the network."
