Recently, the Defense Information Systems Agency (DISA) indirectly announced that it had been hacked. We learned of this through letters that were sent to 200,000 potential victims in which it was stated that their personal information may have been stolen. No, it was not recently stolen. It was stolen sometime between May and July of 2019. In fact, DISA only sent this letter because it is required to do so by law.
According to their website, “DISA provides direct telecommunications and IT support to the president, vice president, their staff, and the U.S. Secret Service.” They are responsible for “providing direct support to the chairman of the Joint Chiefs of Staff, the senior ranking member of the Armed Forces; the Joint Chiefs of Staff comprised of the senior ranking officers from each military service; and the Joint Staff”. This is all to say that they are the agency in charge of securing some of the most sensitive communication in the U.S. Any breach of this agency could lead to problems which could affect national security.
Since DISA is giving no details concerning the breach, the best we can do is look at some key developments that occurred at DISA before and after the cyber attack.
I will begin this timeline investigation in late 2018, approximately 5 to 6 months before the breach took place. At this time, DISA was assigned to consolidate the cybersecurity infrastructure of the fourth estate. This term refers to all the departments under the Department of Defense that are not connected to the military or combat. According to Drew Jaehnig, the man in charge of this consolidation, “the objective is to move the fourth estate’s common use IT systems, personnel, functions, and program elements associated with the support of those systems and technologies into a single service provider architecture.” At the time, this consolidation was planned to take until 2022. That timeline has since been extended to 2024.
If I were a hostile nation-state, I would find this information particularly interesting. Such a merging of 14 agencies is bound to be a source of problems. During the confusion often associated with such transitions, some of these agencies may be exposed to attacks as their cyber defenses are altered to mesh with the new standards. These changes can’t be made instantaneously, and there will probably be periods during which some of these agencies are completely exposed. There is also the problem of integrating the employees of these agencies under one cybersecurity code of conduct. Thousands of new endpoints will have to be secured.
If I were a hostile nation-state operative, I would try to establish a beachhead in one of the smaller agencies by exploiting a weak endpoint. This could be done through a well-formed spearphishing attack on a key employee. Such an attack could be honed by the next development on the DISA timeline.
In March of 2019, milDrive was launched. This is essentially the military version of Dropbox or Google Drive, and it can be used by anyone in the military. Classified documents are not to be stored there, but it is not clear what DISA would do to stop this. Files can be stored for personal use or remain open to the public. It wouldn’t take much for a bad actor to compromise an endpoint and use it to gain access to this cloud storage. Even if the attacker did not find sensitive information, they may get information that would make subsequent spearphishing attacks more effective.
There’s no evidence that anything of the sort occurred, but on April 28, 2019, DISA awarded a contract to By Light Professional IT Services LLC and Menlo Security to develop a Cloud Based Internet Isolation (CBII) prototype. This would enable remote (cloud) browsing, which would stop any browser-based attack. If this browser protection had been in place during the time DISA was hacked, it would strongly suggest that their network was breached through a spearphishing attack as described above.
In any event, an attack took place and the personal information of at least 200,000 employees was stolen. DISA downplayed the importance of this data but most cybersecurity experts realize that amassing such data can be the first step in a well-orchestrated spearphishing attack. In other words, the main attack may now be underway or be in the offing.
It is not clear how long the attackers were on the network before they were discovered. The breach was said to have taken place between May and July of 2019, but when was that discovered? According to Ilia Kolochenko of ImmuniWeb, “The present disclosure timeline seems to be impermissibly protracted given that the breach reportedly happened almost a year ago. This may be an indicator of attack sophistication, and what has been reported so far may just be the tip of the iceberg.”
Further vulnerabilities may have emerged with DISA’s hiring of 1,000 new employees in October 2019. Such employees may lack the training to determine whether an email that appears to be from someone in authority is really what it pretends to be. They are, in effect, weak endpoints waiting to be exploited. Similar weaknesses could have been exploited in November 2019 when Vice Adm. Nancy Norton, director of DISA, announced that, “fourteen DoD agencies and field activities networks and the associated IT staff moved under the operational control of DISA.” In what seems to be a case of wishful thinking, she went on to add that, “The network consolidation in transfer personnel will take place from FY20 to 24 and will improve the effectiveness of our cyber landscape across the enterprise.”
These are the agencies that came under the control of DISA:
- Defense Advanced Research Projects Agency
- Defense Contract Audit Agency
- Defense Contract Management Agency
- Defense Finance and Accounting Service
- Defense Health Agency
- Defense Human Resources Agency
- Defense Logistics Agency
- Defense Media Activity
- Defense Microelectronics Activity
- Defense Prisoner of War/Missing in Action Accounting Agency
- Defense Technical Information Center
- Defense Threat Reduction Agency
- Missile Defense Agency
These agencies and the contractors that work for them have been and remain prime targets. In fact, in early 2019, before the breach of DISA, Citrix, a contractor working for most, if not all, of these agencies, was hacked and over 6 terabytes of information were stolen, supposedly by Iranian hackers. Did this breach eventually lead to the attack on DISA? It’s a possibility that can’t be discounted.
Then, in December 2019, a major vulnerability was found in the Citrix Application Delivery Controller. An NSA advisory reported that “adversaries could exploit this vulnerability to gain remote code execution on affected appliances without credentials, potentially enabling access to other internal resources and sensitive data.” Almost all, if not all, DOD agencies use the Citrix NetScaler Gateway. That is to say, almost all DOD endpoints were vulnerable, and that’s not good.
So where does this leave us? It looks very much like another attack on DISA or the DOD is inevitable. What’s more, such attacks could be devastating. The fallout from the DISA breach once again highlights the importance of high-quality endpoint protection and undermines the belief held by many that the cloud is invulnerable. We probably haven’t heard the end of this story.