An unnamed manufacturing firm vital to the U.S. economy recently suffered a prolonged intrusion, the Department of Homeland Security has disclosed.
The incident was complicated by the company's history of corporate acquisitions: each acquisition brought its own network connections, and with them a wider attack surface. By the time of the breach, the firm had more than 100 separate entry and exit points to the Internet, each of which had to be monitored and defended.
The case contains a lesson for civilian and military agencies, both of which are in the early stages of new initiatives to consolidate network entryways.
The breach was reported in a newly released quarterly newsletter from the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which stated the "large critical manufacturing organization was compromised by multiple sophisticated threat actors over a period of several months."
The victimized organization is "a conglomeration of multiple companies" purchased in recent years, DHS officials said. The deals required merging multiple networks, which impeded visibility into systems and "allowed lateral movement from intruders to go largely undetected."
The manufacturing firm brought in DHS to assist with recovery efforts.
A Homeland Security incident response team probed the business's networks and found that many machines had been breached. The newsletter does not say whether the affected systems controlled industrial operations or were back-end business systems. The intruders ultimately obtained "privileged access" throughout the network, officials said.
Going forward, "rearchitecting the network is the best approach to ensure that the company has a consistent security posture across its wide enterprise," officials advised.
Agencies Trying to Head Off Similar Vulnerabilities
Federal agencies are attempting to preempt the need for similar overhauls.
Departments are required to limit external connections when developing new IT systems, including Web-based systems. A longstanding governmentwide effort known as Trusted Internet Connections, or TIC, aims to cut the number of external access points into agency networks.
But the move to the cloud has opened federal systems to untold new Internet connections that sit outside those consolidated access points.
Now the Federal Risk and Authorization Management Program (FedRAMP), the government's certification program for cloud services, is incorporating the TIC approach from the outset. FedRAMP and DHS are developing guidelines for agencies intended to ensure that cloud connections comply with TIC before applications go live, DHS officials announced in September.
Separately, the Pentagon this week announced that the Defense Information Systems Agency (DISA), the Army and the Air Force had switched on a joint regional security stack in San Antonio, a step toward "a consolidated, collaborative, and secure Joint Information Environment (JIE) across the Department of Defense."
The San Antonio site is the first of 25 planned unclassified sites to go live; each stack will host firewall protections, intrusion detection systems and other network security functions. Installation, though not yet activation, is complete at 10 stack sites inside the United States.
David Stickley, who leads JIE implementation, said in a statement that the San Antonio upgrade "allows DISA, Army and Air Force to monitor compliance and apply consistent security policy to information traveling over DOD networks." Other military services are expected to set up similar infrastructures.