Risk //


05:25 PM
Connect Directly

NOAA Blames China In Hack, Breaks Disclosure Rules

The National Oceanic and Atmospheric Administration finally confirms that four websites were attacked and taken down in September, but details are sketchy and officials want answers.

The National Oceanic and Atmospheric Administration (NOAA) has confirmed that an attack on a NOAA web server in September affected four websites and caused the office to temporarily cease delivering satellite data used globally for aviation, shipping, disaster preparedness, and other purposes. The Washington Post reported a Congressman's second-hand account that the attackers were based in China. The details are sparse -- on the nature of the attack, the impact of the compromise, and evidence to support the accusations -- but it seems clear that NOAA failed to adequately report the incident to authorities.

The outage was publicly revealed Oct. 22, when the National Weather Service’s National Center for Environmental Prediction announced that it had "not received a full feed of satellite data for input into the numerical models since 22/0000Z," and that weather models would be impacted. At that time, NOAA did not state that there had been any compromise of its systems, only that their systems were undergoing "unscheduled maintenance."

Todd Zinser, Inspector General of the US Commerce Department (to which NOAA reports), told the Post that NOAA did not notify his office of the breach until Nov. 4, despite regulations mandating it be informed within two days of discovery of an incident. Zinser said that his office is investigating the issue.

Zinser's office reported in July that NOAA's satellite information and weather service systems were exposed to multiple high-risk vulnerabilities. The report noted that the Polar-Orbiting Operational Environmental Satellites system -- shared with the US Air Force -- was not protected by two-factor authentication, remote access restrictions, nor by mobile device management, and that patches were not deployed in a timely manner.

In a statement Wednesday, NOAA's spokesman Scott Smullen acknowledged the hacks and said all systems were operating again, but declined to answer further questions.

Therefore, no information has been made public about how the servers were compromised, whether or not satellites themselves were compromised, whether or not the attack resulted in a data breach, whether an infection spread to other systems within NOAA or related federal organizations, or any other details about the impact.

[Researchers have poked holes in satellite terminal equipment before. Read more about potential attack scenarios on vulnerable satellite systems on air, land, and sea.]

“With so many important services connected to the Internet," says Chris Boyd, malware intelligence analyst at Malwarebytes Labs," it is essential steps are taken to lock them down from attacks on what could turn out to be critical infrastructure services. As recent attacks on the White House and the US Weather System have shown, .gov services continue to be primary targets in so-called online warfare -- everything from sensitive data harvesting to political statements on defaced webpages are possible, with the possibility of bad actors taking control of real world systems and services at the highest level of compromise.”

Rep. Frank R. Wolf (R-VA) told the Washington Post that NOAA told him that China was behind the attacks. No evidence has been released to support that theory. From the Post:

“NOAA told me it was a hack and it was China,” said Wolf, who also scolded the agency for not disclosing the attack “and deliberately misleading the American public in its replies.”

They had an obligation to tell the truth,” Wolf said. “They covered it up.”

Anthony Di Bello, director of security practice at Guidance Software, commented, "Besides further proof that the financial motivations are such that attackers will continue to find and exploit any opening they can, this incident points to the brazen nature of state-sponsored hackers. Officials in Washington have publicly named Chinese individuals as most wanted cyber criminals. Yet, they still persist, safe in the fact that there is no global legal framework that can be leveraged to bring these folks to justice. That and the fact that they are actively protected by the motherland."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
11/17/2014 | 7:31:57 AM
Re: Hmm...
Agreed. Its amazing that a faction of the government would be so irresponsible as to let simple security measures such as those go unnoticed. I think we need to take a good look at ourselves and ask how come this was the case. I would think this is most likely not the only scenario where this exists within there infrastructure and the Air Force or who ever explicitly governs Polar-Orbiting Operational Enviromental Satellites needs to take steps to get ahead of this.
User Rank: Ninja
11/16/2014 | 10:59:44 AM
Seems like there was a little CYA going on that backfired. The most damning part: "the report noted that the Polar-Orbiting Operational Environmental Satellites system -- shared with the US Air Force -- was not protected by two-factor authentication, remote access restrictions, nor by mobile device management, and that patches were not deployed in a timely manner."

The Case for Integrating Physical Security & Cybersecurity
Paul Kurtz, CEO & Cofounder, TruSTAR Technology,  3/20/2018
A Look at Cybercrime's Banal Nature
Curtis Franklin Jr., Senior Editor at Dark Reading,  3/20/2018
Is Application Security Dead?
Tyler Shields, VP of Marketing, Strategy & Partnerships, Signal Sciences,  3/22/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.