11/13/2014
05:25 PM

NOAA Blames China In Hack, Breaks Disclosure Rules

The National Oceanic and Atmospheric Administration finally confirms that four websites were attacked and taken down in September, but details are sketchy and officials want answers.

The National Oceanic and Atmospheric Administration (NOAA) has confirmed that an attack on a NOAA web server in September affected four websites and caused the office to temporarily cease delivering satellite data used globally for aviation, shipping, disaster preparedness, and other purposes. The Washington Post reported a Congressman's second-hand account that the attackers were based in China. The details are sparse -- on the nature of the attack, the impact of the compromise, and evidence to support the accusations -- but it seems clear that NOAA failed to adequately report the incident to authorities.

The outage was publicly revealed Oct. 22, when the National Weather Service’s National Center for Environmental Prediction announced that it had "not received a full feed of satellite data for input into the numerical models since 22/0000Z," and that weather models would be impacted. At that time, NOAA did not state that there had been any compromise of its systems, only that their systems were undergoing "unscheduled maintenance."

Todd Zinser, Inspector General of the US Commerce Department (to which NOAA reports), told the Post that NOAA did not notify his office of the breach until Nov. 4, despite regulations mandating it be informed within two days of discovery of an incident. Zinser said that his office is investigating the issue.

Zinser's office reported in July that NOAA's satellite information and weather service systems were exposed to multiple high-risk vulnerabilities. The report noted that the Polar-Orbiting Operational Environmental Satellites system -- shared with the US Air Force -- was not protected by two-factor authentication, remote access restrictions, or mobile device management, and that patches were not deployed in a timely manner.

In a statement Wednesday, NOAA's spokesman Scott Smullen acknowledged the hacks and said all systems were operating again, but declined to answer further questions.

Therefore, no information has been made public about how the servers were compromised, whether or not satellites themselves were compromised, whether or not the attack resulted in a data breach, whether an infection spread to other systems within NOAA or related federal organizations, or any other details about the impact.


“With so many important services connected to the Internet,” says Chris Boyd, malware intelligence analyst at Malwarebytes Labs, “it is essential that steps are taken to lock them down from attacks on what could turn out to be critical infrastructure services. As recent attacks on the White House and the US Weather System have shown, .gov services continue to be primary targets in so-called online warfare -- everything from sensitive data harvesting to political statements on defaced webpages are possible, with the possibility of bad actors taking control of real world systems and services at the highest level of compromise.”

Rep. Frank R. Wolf (R-VA) told the Washington Post that NOAA told him that China was behind the attacks. No evidence has been released to support that theory. From the Post:

“NOAA told me it was a hack and it was China,” said Wolf, who also scolded the agency for not disclosing the attack “and deliberately misleading the American public in its replies.”

“They had an obligation to tell the truth,” Wolf said. “They covered it up.”

Anthony Di Bello, director of security practice at Guidance Software, commented, "Besides further proof that the financial motivations are such that attackers will continue to find and exploit any opening they can, this incident points to the brazen nature of state-sponsored hackers. Officials in Washington have publicly named Chinese individuals as most wanted cyber criminals. Yet, they still persist, safe in the fact that there is no global legal framework that can be leveraged to bring these folks to justice. That and the fact that they are actively protected by the motherland."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
RyanSepe (User Rank: Ninja), 11/17/2014 | 7:31:57 AM, Re: Hmm...
Agreed. It's amazing that a faction of the government would be so irresponsible as to let simple security measures such as those go unnoticed. I think we need to take a good look at ourselves and ask how come this was the case. I would think this is most likely not the only scenario where this exists within their infrastructure, and the Air Force or whoever explicitly governs Polar-Orbiting Operational Environmental Satellites needs to take steps to get ahead of this.
Bprince (User Rank: Ninja), 11/16/2014 | 10:59:44 AM, Hmm...
Seems like there was a little CYA going on that backfired. The most damning part: "the report noted that the Polar-Orbiting Operational Environmental Satellites system -- shared with the US Air Force -- was not protected by two-factor authentication, remote access restrictions, nor by mobile device management, and that patches were not deployed in a timely manner."