NOAA Blames China In Hack, Breaks Disclosure Rules

The National Oceanic and Atmospheric Administration finally confirms that four websites were attacked and taken down in September, but details are sketchy and officials want answers.

The National Oceanic and Atmospheric Administration (NOAA) has confirmed that an attack on a NOAA web server in September affected four websites and caused the office to temporarily cease delivering satellite data used globally for aviation, shipping, disaster preparedness, and other purposes. The Washington Post reported a Congressman's second-hand account that the attackers were based in China. The details are sparse -- on the nature of the attack, the impact of the compromise, and evidence to support the accusations -- but it seems clear that NOAA failed to adequately report the incident to authorities.

The outage was publicly revealed Oct. 22, when the National Weather Service’s National Center for Environmental Prediction announced that it had "not received a full feed of satellite data for input into the numerical models since 22/0000Z," and that weather models would be impacted. At that time, NOAA did not state that there had been any compromise of its systems, only that their systems were undergoing "unscheduled maintenance."

Todd Zinser, Inspector General of the US Commerce Department (to which NOAA reports), told the Post that NOAA did not notify his office of the breach until Nov. 4, despite regulations mandating it be informed within two days of discovery of an incident. Zinser said that his office is investigating the issue.

Zinser's office reported in July that NOAA's satellite information and weather service systems were exposed to multiple high-risk vulnerabilities. The report noted that the Polar-Orbiting Operational Environmental Satellites system -- shared with the US Air Force -- was not protected by two-factor authentication, remote access restrictions, or mobile device management, and that patches were not deployed in a timely manner.

In a statement Wednesday, NOAA's spokesman Scott Smullen acknowledged the hacks and said all systems were operating again, but declined to answer further questions.

As a result, no information has been made public about how the servers were compromised, whether the satellites themselves were compromised, whether the attack resulted in a data breach, whether an infection spread to other systems within NOAA or related federal organizations, or any other details about the impact.


"With so many important services connected to the Internet," says Chris Boyd, malware intelligence analyst at Malwarebytes Labs, "it is essential steps are taken to lock them down from attacks on what could turn out to be critical infrastructure services. As recent attacks on the White House and the US Weather System have shown, .gov services continue to be primary targets in so-called online warfare -- everything from sensitive data harvesting to political statements on defaced webpages are possible, with the possibility of bad actors taking control of real world systems and services at the highest level of compromise."

Rep. Frank R. Wolf (R-VA) told the Washington Post that NOAA told him that China was behind the attacks. No evidence has been released to support that theory. From the Post:

“NOAA told me it was a hack and it was China,” said Wolf, who also scolded the agency for not disclosing the attack “and deliberately misleading the American public in its replies.”

“They had an obligation to tell the truth,” Wolf said. “They covered it up.”

Anthony Di Bello, director of security practice at Guidance Software, commented, "Besides further proof that the financial motivations are such that attackers will continue to find and exploit any opening they can, this incident points to the brazen nature of state-sponsored hackers. Officials in Washington have publicly named Chinese individuals as most wanted cyber criminals. Yet, they still persist, safe in the fact that there is no global legal framework that can be leveraged to bring these folks to justice. That and the fact that they are actively protected by the motherland."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that, she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

11/16/2014 | 10:59:44 AM
Seems like there was a little CYA going on that backfired. The most damning part: "the report noted that the Polar-Orbiting Operational Environmental Satellites system -- shared with the US Air Force -- was not protected by two-factor authentication, remote access restrictions, nor by mobile device management, and that patches were not deployed in a timely manner."

11/17/2014 | 7:31:57 AM
Re: Hmm...
Agreed. It's amazing that a faction of the government would be so irresponsible as to let simple security measures such as those go unnoticed. I think we need to take a good look at ourselves and ask how come this was the case. I would think this is most likely not the only scenario where this exists within their infrastructure, and the Air Force or whoever explicitly governs Polar-Orbiting Operational Environmental Satellites needs to take steps to get ahead of this.