recommended reading

Third-Party Software Was Entry Point for Background-Check System Hack


Hackers broke into third-party software in 2013 to open personal records on federal employees and contractors with access to classified intelligence, according to the government's largest private employee investigation provider.

That software apparently was an SAP enterprise resource planning application. It’s unclear if there was a fix available for the program flaw at the time of the attack. It’s also not clear whether SAP—which was responsible for maintaining the application—or USIS would have been responsible for patching the flaw.  

But in the end, sensitive details on tens of thousands of national security personnel were exposed in March 2014.

Assailants infiltrated USIS by piggybacking on an “exploit,” a glitch that can be abused by hackers, that was “present in a widely used and highly-regarded enterprise resource planning (‘ERP’) software package,” an internal investigation obtained by Nextgov found. 

USIS officials declined to explicitly name the software application, saying they would let the report, compiled by Stroz Friedberg, a digital forensics firm retained by USIS, speak for itself. 

The report, written in December 2014, noted: “Forensic evidence shows the cyberattacker gained access to USIS systems through an exploit in a system managed by a third party, and from there migrated to company managed systems. . . . Our findings were largely informed by a variety of logs, including, firewall logs, security event logs, VPN logs, and SAP application trace logs.”

A September 2014 letter from Stroz reported, "The initial attack vector was a vulnerability in an application server, housed in a connected, but separate network, managed by a third party not affiliated with USIS.” The reference to “SAP application trace logs” in the report indicates the third party was SAP.

During the period of the hacking operation, which began in 2013 and was exposed in June 2014, 20 to 30 new critical vulnerabilities were identified in SAP’s enterprise resource planning software.

The number of SAP vulnerabilities "would have given attackers many options to target SAP directly,” based on how USIS deployed the ERP tool, said Richard Barger, chief intelligence officer at ThreatConnect, a firm that tracks cyber threats. Barger is a former Army intelligence analyst.

It is unclear which vulnerability the intruders exploited. Defects in programs used by the government and contractors sometimes aren’t fixed for years after software developers announce a weakness.

Referencing the Stroz report, USIS spokeswoman Ellen Davis said, "the third-party contractor was hacked and the hacker was then able to navigate into the USIS network via the third party’s network."

Stroz officials deferred comment to USIS. 

SAP, a major IT contractor with 50,000 customer organizations worldwide, would neither confirm nor deny allegations that assailants reached USIS through one of its systems. SAP spokesman Mat Small said in an email, "Since we don’t comment on the specifics of any customer engagement without their explicit consent, SAP is unable to make a statement on the situation.”

Addressing SAP’s response to security vulnerabilities, he added, "No company is more committed to data privacy and security than SAP, and we respond rapidly, vigorously and thoroughly when potential security risks are identified.”

The targeting of middlemen and downstream suppliers has become common in sophisticated hacking campaigns, according to researchers. 

The top three sectors victimized by cyber espionage last year were professional services firms, which typically support large organizations; manufacturing; and government, according to an annual Verizon data breach investigations study released last month.

Computer snoops have learned it is easier to compromise “the partner and the third party dealing with that intellectual property than the source of the intellectual property itself," Jay Jacobs, a Verizon senior analyst and study co-author, said at the time of the study’s publication.

And PWC's most recent State of Cybercrime Survey found that only 22 percent of U.S. organizations plan incident response strategies with outside suppliers.

"Not all companies recognize that supply chain vendors and business partners . . . can have lower—even nonexistent—cybersecurity policies and practices, a situation that can increase cybercrime risks across any entity that partner or supplier touches,” according to the survey, which came out a year ago.

(Image via wk1003mike/

Threatwatch Alert

Accidentally leaked credentials / Misplaced data / Stolen credentials

Internet-Connected Teddy Bears Don’t Keep Secrets

See threatwatch report


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • It’s Time for the Federal Government to Embrace Wireless and Mobility

    The United States has turned a corner on the adoption of mobile phones, tablets and other smart devices, outpacing traditional desktop and laptop sales by a wide margin. This issue brief discusses the state of wireless and mobility in federal government and outlines why now is the time to embrace these technologies in government.

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • A New Security Architecture for Federal Networks

    Federal government networks are under constant attack, and the number of those attacks is increasing. This issue brief discusses today's threats and a new model for the future.

  • Going Agile:Revolutionizing Federal Digital Services Delivery

    Here’s one indication that times have changed: Harriet Tubman is going to be the next face of the twenty dollar bill. Another sign of change? The way in which the federal government arrived at that decision.

  • Software-Defined Networking

    So many demands are being placed on federal information technology networks, which must handle vast amounts of data, accommodate voice and video, and cope with a multitude of highly connected devices while keeping government information secure from cyber threats. This issue brief discusses the state of SDN in the federal government and the path forward.

  • The New IP: Moving Government Agencies Toward the Network of The Future

    Federal IT managers are looking to modernize legacy network infrastructures that are taxed by growing demands from mobile devices, video, vast amounts of data, and more. This issue brief discusses the federal government network landscape, as well as market, financial force drivers for network modernization.


When you download a report, your information may be shared with the underwriters of that document.