Hackers infiltrated security contractor using third-party flaw

Hackers infiltrated security contractor using third-party flaw

Hackers used flaws in a third-party software program to gain access to U.S. Investigations Services (USIS), the government’s main security clearance contractor.

According to an internal USIS investigation obtained by NextGov, the cyber intruders got into the company through a glitch in software from tech firm SAP that was likely used to run certain back-office operations, such as human resources.

ADVERTISEMENT
Lawmakers have been pressing for answers about the breach since last year. Suspected Chinese hackers got into the USIS systems in late 2013 but weren’t discovered until June 2014.

They reportedly exposed 27,000 federal employees' information, although Rep. Elijah Cummings (D-Md.) recently said he learned that number was a “floor, not a ceiling.”

USIS hired digital forensics firm Stroz Friedberg to conduct the investigation, which produced a December 2014 report identifying the SAP software vulnerability as the hackers’ door in.

“Forensic evidence shows the cyberattacker gained access to USIS systems through an exploit in a system managed by a third party, and from there migrated to company managed systems,” the report said.

The report is unclear about who would have been responsible for patching the flaw. SAP manages the software application but is not necessarily in charge of updating it.

Third-party software is a common route into major companies for cyberattackers. Digital thieves infiltrated Target’s system through an outside heating and air conditioning company. These smaller organizations often have weak cyber defenses, but retain access to larger, better-protected networks.

Companies handling federal government background checks have also become a prime target for hackers. KeyPoint Government Solutions was breached in mid-December, exposing files on over 40,000 federal workers.

Background check firms process troves of data on high-ranking U.S. officials, which is considered valuable to foreign intelligence agencies.