Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //


05:25 PM
Connect Directly

NOAA Blames China In Hack, Breaks Disclosure Rules

The National Oceanic and Atmospheric Administration finally confirms that four websites were attacked and taken down in September, but details are sketchy and officials want answers.

The National Oceanic and Atmospheric Administration (NOAA) has confirmed that an attack on a NOAA web server in September affected four websites and caused the office to temporarily cease delivering satellite data used globally for aviation, shipping, disaster preparedness, and other purposes. The Washington Post reported a Congressman's second-hand account that the attackers were based in China. The details are sparse -- on the nature of the attack, the impact of the compromise, and evidence to support the accusations -- but it seems clear that NOAA failed to adequately report the incident to authorities.

The outage was publicly revealed Oct. 22, when the National Weather Service’s National Center for Environmental Prediction announced that it had "not received a full feed of satellite data for input into the numerical models since 22/0000Z," and that weather models would be impacted. At that time, NOAA did not state that there had been any compromise of its systems, only that their systems were undergoing "unscheduled maintenance."

Todd Zinser, Inspector General of the US Commerce Department (to which NOAA reports), told the Post that NOAA did not notify his office of the breach until Nov. 4, despite regulations mandating it be informed within two days of discovery of an incident. Zinser said that his office is investigating the issue.

Zinser's office reported in July that NOAA's satellite information and weather service systems were exposed to multiple high-risk vulnerabilities. The report noted that the Polar-Orbiting Operational Environmental Satellites system -- shared with the US Air Force -- was not protected by two-factor authentication, remote access restrictions, nor by mobile device management, and that patches were not deployed in a timely manner.

In a statement Wednesday, NOAA's spokesman Scott Smullen acknowledged the hacks and said all systems were operating again, but declined to answer further questions.

Therefore, no information has been made public about how the servers were compromised, whether or not satellites themselves were compromised, whether or not the attack resulted in a data breach, whether an infection spread to other systems within NOAA or related federal organizations, or any other details about the impact.

[Researchers have poked holes in satellite terminal equipment before. Read more about potential attack scenarios on vulnerable satellite systems on air, land, and sea.]

“With so many important services connected to the Internet," says Chris Boyd, malware intelligence analyst at Malwarebytes Labs," it is essential steps are taken to lock them down from attacks on what could turn out to be critical infrastructure services. As recent attacks on the White House and the US Weather System have shown, .gov services continue to be primary targets in so-called online warfare -- everything from sensitive data harvesting to political statements on defaced webpages are possible, with the possibility of bad actors taking control of real world systems and services at the highest level of compromise.”

Rep. Frank R. Wolf (R-VA) told the Washington Post that NOAA told him that China was behind the attacks. No evidence has been released to support that theory. From the Post:

“NOAA told me it was a hack and it was China,” said Wolf, who also scolded the agency for not disclosing the attack “and deliberately misleading the American public in its replies.”

They had an obligation to tell the truth,” Wolf said. “They covered it up.”

Anthony Di Bello, director of security practice at Guidance Software, commented, "Besides further proof that the financial motivations are such that attackers will continue to find and exploit any opening they can, this incident points to the brazen nature of state-sponsored hackers. Officials in Washington have publicly named Chinese individuals as most wanted cyber criminals. Yet, they still persist, safe in the fact that there is no global legal framework that can be leveraged to bring these folks to justice. That and the fact that they are actively protected by the motherland."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
User Rank: Ninja
11/16/2014 | 10:59:44 AM
Seems like there was a little CYA going on that backfired. The most damning part: "the report noted that the Polar-Orbiting Operational Environmental Satellites system -- shared with the US Air Force -- was not protected by two-factor authentication, remote access restrictions, nor by mobile device management, and that patches were not deployed in a timely manner."

User Rank: Ninja
11/17/2014 | 7:31:57 AM
Re: Hmm...
Agreed. Its amazing that a faction of the government would be so irresponsible as to let simple security measures such as those go unnoticed. I think we need to take a good look at ourselves and ask how come this was the case. I would think this is most likely not the only scenario where this exists within there infrastructure and the Air Force or who ever explicitly governs Polar-Orbiting Operational Enviromental Satellites needs to take steps to get ahead of this.
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-20
The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin WordPress plugin before 7.1.18 did not sanitise or escape its result_id parameter when displaying an existing quiz result page, leading to a reflected Cross-Site Scripting issue. This c...
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS contains a buffer overflow in the set_range test in TestBitmap which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS in test-crypto.cpp contains a stack buffer overflow which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS before commit 3844e8569689dd476064a0759d704bc64fb3ca2c contains a directory traversal vulnerability in tar/unzip that may lead to command execution or privilege escalation.