The mystery machines arrived last month at governors' offices in West Virginia, Vermont, Wyoming, and Washington state and were turned over to law enforcement, according to media reports. Shipments to six other states were intercepted.
State officials assumed the computers were not sent as a gift, and could contain a Trojan horse, keylogger, botnet program, or some other malware meant to penetrate the security of state or federal networks. As of Thursday, however, the FBI had not disclosed what it had found on the PCs, Kyle Schafer, chief technology officer for West Virginia, told InformationWeek.
West Virginia Gov. Joe Manchin's office received five of the machines, which spurred a state of "heightened security awareness," Schafer said.
"We're making all agencies much more aware of things potentially being delivered that they don't recall ordering, and making sure they don't plug anything into our network that doesn't belong there," Schafer said.
Two HP computers were shipped to Vermont Governor Jim Douglas in August. Both had been paid for with a credit card in the governor's name, but his staff said the card did not belong to him. The Barre-Montpelier Times Argus reports a similar pattern -- of online purchases made with credit cards bearing the names of, but not belonging to, other governors -- has emerged in other states.
The National Governors Association has issued a bulletin warning governors' offices about the mystery shipments. The computers were ordered from Hewlett-Packard and arrived in two separate shipments bearing either the HP or Compaq brand. The first shipment arrived on Aug. 3, according to news reports.
HP in a statement to the Associated Press acknowledged that the orders were fraudulent and said the company is working with law enforcement.
If the systems are found to contain malware, then the apparent scheme would mirror criminal distribution of malware-loaded USB devices around company offices. The idea is to have employees find the devices and plug them into a computer, launching malicious applications that could give crooks access to the corporate network.
Oddly perhaps, states at the end of the alphabet appear to have been targeted: Washington, West Virginia, Wyoming, and Vermont.
InformationWeek Analytics has published an independent analysis on strategic security. Download the report here (registration required).