Foreign intelligence agents and other hackers attacked Interior Department networks 19 times in recent years, before walking away from keyboards with unknown amounts of stolen data, according to agency inspectors.
The incidents are unrelated to a previously disclosed assault on Interior networks connected to Office of Personnel Management systems, the agency says. That high-profile campaign seized from the U.S. government 21.5 million confidential records on national security personnel and their family members.
In the 19 previously undisclosed cybersecurity incidents, Chinese attackers and hackers with European network addresses copied data strictly from Interior systems.
The extent of the intrusions into Interior networks was revealed in a little-noticed Nov. 9 memo from Deputy Inspector General Mary Kendall to Interior Secretary Sally Jewell. The memo was publicly released Nov. 17.
Interior handles a significant amount of valuable data, such as oil leases, which are of particular interest to China and Russia, said Jim Lewis, a senior fellow at the Center for Strategic and International Studies, who studies foreign relations in cyberspace.
"All in all, an ideal target," he said.
Interior did not say whether departmental business information was eyed by the hackers.
The inspector’s report, which said hackers have repeatedly exploited “vulnerabilities in publicly accessible systems,” resulting “in the loss of sensitive data and disruption of bureau operations,” cited a number of recent intrusions.
In October 2014, hackers with European-based IP addresses gained control of two of the agency’s public Web servers, which resulted “in the loss of an unknown amount of data,” inspectors said.
In October and December 2014, hackers, using stolen credentials breached the agency’s systems.
“Although the extent of these system breaches was never fully determined,” an attacker equipped with administrative access can copy delete sensitive files, upload malware to steal other user credentials and “maintain a presence inside the affected networks for future exploits,” the IG noted. “In other words, in these two attacks, the intruders could have gained full functional control over DOI systems.”
That sounds similar to how Obama administration officials described the pilfering of OPM records from an Interior Business Center database. However, in an email to Nextgov on Tuesday evening, an agency spokeswoman said the IG report describes a separate incident.
Interior Press Secretary Jessica Kershaw said none of the 19 incidents cited compromised national security sensitive data or information from financial systems.
The report also describes a May 2013 intrusion in which hackers with China-based IP addresses set up a “sustained presence” inside Interior’s network, stole “an unknown amount of data” and “uploaded malware with the intent to compromise other DOI systems.”
Kershaw said the system hit by the Chinese at that time contained nonsensitive Interior data and no other agencies were affected.
She said the agency disclosed all the incidents to the Department of Homeland Security’s U.S. Computer Emergency Readiness Team.
The department is engaging all bureaus and offices in discussions about the findings "and the need to undertake major changes in how we manage publicly facing systems across the entire department," Kershaw added. “There was no evidence indicating any loss, theft or compromise of any other sensitive information.”
In a report this summer, Interior’s inspector general identified 3,000 "critical" and "high-risk" vulnerabilities in the department's public-facing website.