
Third-Party Software Was Entry Point for Background-Check System Hack


Hackers broke into third-party software in 2013 to open personal records on federal employees and contractors with access to classified intelligence, according to the government's largest private employee investigation provider.

That software apparently was an SAP enterprise resource planning application. It’s unclear if there was a fix available for the program flaw at the time of the attack. It’s also not clear whether SAP—which was responsible for maintaining the application—or USIS would have been responsible for patching the flaw.  

But in the end, sensitive details on tens of thousands of national security personnel were exposed in March 2014.

Assailants infiltrated USIS by piggybacking on an “exploit,” a glitch that can be abused by hackers, that was “present in a widely used and highly-regarded enterprise resource planning (‘ERP’) software package,” an internal investigation obtained by Nextgov found. 

USIS officials declined to explicitly name the software application, saying they would let the report, compiled by Stroz Friedberg, a digital forensics firm retained by USIS, speak for itself. 

The report, written in December 2014, noted: “Forensic evidence shows the cyberattacker gained access to USIS systems through an exploit in a system managed by a third party, and from there migrated to company managed systems. . . . Our findings were largely informed by a variety of logs, including, firewall logs, security event logs, VPN logs, and SAP application trace logs.”
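The report attributes its findings to correlating several log sources (firewall, security event, VPN and SAP application trace logs) to show the intruder entering through a third-party-managed system and then moving into company-managed systems. The following is an added illustration of that kind of correlation, written for this page and not taken from the Stroz Friedberg report or from USIS; all hostnames, addresses (RFC 5737 ranges), usernames, timestamps and log formats are constructed. It parses one line per event from the four sources, then flags firewall-permitted connections that cross from a third-party segment into the corporate segment and stitches each one to the preceding VPN assignment and SAP trace activity from the same address and to any corporate host logon that followed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the four log sources the report cites. Hypothetical
# hosts, users, addresses and timestamps; nothing here comes from the USIS case.
SAMPLE_LOGS = """\
2014-03-02T02:14:07Z vpn user=erp-admin src=203.0.113.45 assigned=10.20.0.77 action=connect
2014-03-02T02:16:30Z saptrace host=erp-app01 client=10.20.0.77 user=erp-admin rc=0
2014-03-02T02:21:55Z fw src=10.20.0.77 dst=10.10.5.12 dport=445 action=allow zsrc=thirdparty zdst=corp
2014-03-02T02:22:10Z secevt host=fs01 event=4624 logon_type=3 src=10.20.0.77 user=erp-admin
2014-03-02T09:30:00Z vpn user=alice src=198.51.100.8 assigned=10.20.0.91 action=connect
2014-03-02T09:31:12Z saptrace host=erp-app01 client=10.20.0.91 user=alice rc=0
2014-03-02T09:40:00Z fw src=10.20.0.91 dst=10.20.0.5 dport=443 action=allow zsrc=thirdparty zdst=thirdparty
"""

# Each line: ISO timestamp, a source tag, then space-separated key=value pairs.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\w+) (?P<kv>.*)$")


def parse_line(line):
    """Turn one log line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), "source": m["src"]}
    for kv in m["kv"].split():
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def parse_logs(text):
    """Parse a multi-line blob of mixed-source log lines into a list of records."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def find_pivots(records, window=timedelta(minutes=30)):
    """Return firewall-permitted connections that cross from the third-party zone
    into the corporate zone. Each result is joined, by source address, to the
    earlier VPN assignment and SAP trace activity within `window` and to any
    corporate host logon (security event 4624) that followed within `window`."""
    pivots = []
    for fw in records:
        if fw["source"] != "fw" or fw.get("action") != "allow":
            continue
        if fw.get("zsrc") != "thirdparty" or fw.get("zdst") != "corp":
            continue
        ip, t = fw["src"], fw["ts"]
        # Earlier activity tied to the same address: VPN pool assignment or SAP client.
        prior = [r for r in records
                 if r["ts"] < t and t - r["ts"] <= window
                 and (r.get("assigned") == ip or r.get("client") == ip)]
        # Later host-side evidence that the connection became an interactive logon.
        follow = [r for r in records
                 if r["source"] == "secevt" and r.get("src") == ip
                 and t <= r["ts"] <= t + window]
        pivots.append({
            "ip": ip,
            "dst": fw["dst"],
            "when": t.isoformat(),
            "vpn_user": next((r["user"] for r in prior if r["source"] == "vpn"), None),
            "sap_hosts": sorted({r["host"] for r in prior if r["source"] == "saptrace"}),
            "corp_logons": [(r["host"], r["user"]) for r in follow],
        })
    return pivots


if __name__ == "__main__":
    for p in find_pivots(parse_logs(SAMPLE_LOGS)):
        print(p)
```

On the constructed input only the first chain is reported: the 09:40 connection stays inside the third-party zone and is ignored, while the 02:21 connection is tied back to the VPN session and SAP trace for the same address and forward to the logon on the corporate file server. In practice the join key would also need to account for NAT and for address reuse in the VPN pool, which is why the VPN log (address assignment plus user) is included rather than relying on the firewall log alone.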

A September 2014 letter from Stroz reported, “The initial attack vector was a vulnerability in an application server, housed in a connected, but separate network, managed by a third party not affiliated with USIS.” The reference to “SAP application trace logs” in the report indicates the third party was SAP.

During the period of the hacking operation, which began in 2013 and was exposed in June 2014, 20 to 30 new critical vulnerabilities were identified in SAP’s enterprise resource planning software.

The number of SAP vulnerabilities "would have given attackers many options to target SAP directly,” based on how USIS deployed the ERP tool, said Richard Barger, chief intelligence officer at ThreatConnect, a firm that tracks cyber threats. Barger is a former Army intelligence analyst.

It is unclear which vulnerability the intruders exploited. Defects in programs used by the government and contractors sometimes aren’t fixed for years after software developers announce a weakness.

Referencing the Stroz report, USIS spokeswoman Ellen Davis said, "the third-party contractor was hacked and the hacker was then able to navigate into the USIS network via the third party’s network."

Stroz officials deferred comment to USIS. 

SAP, a major IT contractor with 50,000 customer organizations worldwide, would neither confirm nor deny allegations that assailants reached USIS through one of its systems. SAP spokesman Mat Small said in an email, “Since we don’t comment on the specifics of any customer engagement without their explicit consent, SAP is unable to make a statement on the situation.”

Addressing SAP’s response to security vulnerabilities, he added, “No company is more committed to data privacy and security than SAP, and we respond rapidly, vigorously and thoroughly when potential security risks are identified.”

The targeting of middlemen and downstream suppliers has become common in sophisticated hacking campaigns, according to researchers. 

The top three sectors victimized by cyber espionage last year were professional services firms, which typically support large organizations; manufacturing; and government, according to an annual Verizon data breach investigations study released last month.

Computer snoops have learned it is easier to compromise “the partner and the third party dealing with that intellectual property than the source of the intellectual property itself," Jay Jacobs, a Verizon senior analyst and study co-author, said at the time of the study’s publication.

And PWC's most recent State of Cybercrime Survey found that only 22 percent of U.S. organizations plan incident response strategies with outside suppliers.

“Not all companies recognize that supply chain vendors and business partners . . . can have lower—even nonexistent—cybersecurity policies and practices, a situation that can increase cybercrime risks across any entity that partner or supplier touches,” according to the survey, which came out a year ago.
