It Took Feds 13 Days to Unravel a TSP Cyber Hoax Perpetrated by... Feds

Lisa S./Shutterstock.com

Documents acquired by Nextgov show how retirement fund officials scrambled to dissect a misguided Army cybersecurity exercise.

Thrift Savings Plan officials went into damage control mode in February when a stranger appropriated the TSP trademark and propped up a fake federal retirement fund website for a phishing scheme. Internal emails reveal that officials governmentwide struggled for two weeks to positively identify the perpetrator.

It turned out the bogus email campaign was innocuous -- part of an Army cybersecurity training exercise. But nobody bothered to tell TSP. Now the agency is buying brand management software and changing password requirements to make sure friends or foes don't do this again. 

Officials at TSP, which suffered a real breach in 2011 that compromised the identities of 123,000 retirement savers, have some experience in threat containment. The agency’s chief information security officer and others saw the messages spreading online around Feb. 19 and quickly traced the hoax back to an Army server and confronted Defense Department officials with their findings.

"Everything is intentionally fake. Street is MyStreet, organization is MyOrg," TSP CISO John Ramsey said in an email, while trying to pinpoint the culprit with his colleagues. "I will give their CISO the politically 'what for' for not coordinating with us first."

Nextgov obtained his messages and other internal correspondences through an open records request. 

The sham emails were sent from accountservices@tspgov.us, carried the subject line "Thrift Saving Plan Alert: Passcode Reset," and urged recipients to verify changes made to their accounts by visiting "www.tspgov.us." The message quickly went viral among participants of the retirement plan, which serves 4.6 million federal employees and retirees.

The purpose of the bungled phishing drill, first reported in March by a number of news outlets, was to test whether troops would divulge their credentials.

The Pentagon, for its part, took 13 days, from Feb. 11 to Feb. 24, to confirm that the Army was to blame.

During that period, Ramsey emailed top technology officials at his agency to recommend that they "notify through the CIO Council and the CISO Advisory Council for agencies NOT to use TSP within their exercises." 

At the time, TSP was in the process of acquiring "brand monitoring software," the emails stated. If the tool had been in place, it would have swept the Internet regularly, looking for "Thrift Savings Plan" and associated phrases.

TSP spokeswoman Kim Weaver now says, "The fake TSP website set up by the Department of the Army may have come to our attention sooner. This knowledge might have allowed us to take remedial action."

That said, the organization that set up the site and the Army unit that sent out the phishing emails were two separate entities, so it is unclear whether identifying the operator of the website, alone, would have given TSP enough time to prevent the email from going viral, she said.

TSP officials say throughout the agency’s existence they have taken steps to curb brand abuse and will continue to do so.

"For example, when necessary, our Office of General Counsel has sent cease and desist letters to entities misrepresenting TSP or its likeness and ensured appropriate follow-up action was taken," Weaver said.

Broken Chain of Command

During the ordeal, Ramsey told coworkers in an email, "Because of DA's and DoD's lack of situational awareness, they didn't confirm until Monday, the 24th" of February that they were behind the confusion.

Defense officials have since acknowledged they erred on multiple levels. And the military is developing "guidance regarding the conduct of phishing exercises that will clarify existing DoD policy and amplify future reporting requirements," Pentagon spokesman Damien Pickart said in a statement.

The forthcoming guidance will articulate to every communications office what is and is not permitted related to cybersecurity exercises, so that incidents are reported to the proper authorities, who can quickly determine whether activities have gone astray, a Defense official told Nextgov.

The official added that TSP officials were correct in saying that the entire department did not have situational awareness. A specific Army unit far down the chain from the Defense Office of the Chief Information Officer conducted the exercise without informing headquarters, the official said.

It took a while to verify that the unit was responsible, because of the nature of a military bureaucracy comprising thousands of different physical locations, the official added. 

Pentagon officials declined to comment on the thinking behind choosing TSP as the lure for the phishing scheme. The department also declined to identify the individual who decided to go ahead with the plan, or to say whether or how that individual was disciplined.

It is unclear whether Defense officials knew hundreds of thousands of TSP plan members already had been subjected to potential identity theft in 2011. 

On Feb. 24, an Army cyber operations official, who was not involved in the drill, told TSP in an email that "there was an authorized exercise," which did include using tspgov.us, and it was conducted "using addresses in the jiatfs.southcom.mil domain." The Army official added that the practice session "was cleared and executed under the authority documented between" Joint Interagency Task Force South and Cyber Command. The training ended on Feb. 20.

That same day, TSP officials posted on their official site a warning to employees about look-alike Web addresses: "Remember: TSP.GOV is the only legitimate web address for reaching the TSP online. Email links with spelling errors or slight variations in the TSP.GOV address (e.g., TSPGOV.US or T$P.GOV) may send you to fraudulent websites. These websites may steal your login credentials when you enter them."

Here's how the phishing scheme and TSP's response unfolded:

Feb. 11: TSP phishing email is disseminated by an unknown sender

Feb. 14: Plan participants start notifying the agency’s call center as well as Abuse@tsp.gov 

Feb. 19: Initial TSP review indicates the website is located in Huntsville, Ala., home of the Army's Redstone Arsenal

Feb. 20: Further review indicates the IP address of the website belongs to Ft. Huachuca, U.S. Army Information Systems Command. That day TSP contacts Army G6, the parent organization of any entity that would have registered the links. 

Feb. 24: An Army cyber operations official emails TSP, saying: "Here is what I was able to find out. Yes, there was an authorized exercise which was conducted on 10/11 Feb which did include using tspgov.us. The exercise was conducted using addresses in the jiatfs.southcom.mil domain. The exercise was cleared and executed under the authority documented between [Joint Interagency Task Force South and Cyber Command]. Event was concluded on 20 Feb." The same day, the official TSP.gov website posts an alert to citizens, stating: 

"Phishing, E-mail Scams, and Bogus Websites — (February 24, 2014) Remember: TSP.GOV is the only legitimate web address for reaching the TSP online. Email links with spelling errors or slight variations in the TSP.GOV address (e.g., TSPGOV.US or T$P.GOV) may send you to fraudulent websites. These websites may steal your login credentials when you enter them."
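The TSP warning quoted above and in the Feb. 24 timeline entry reduces to one check a mail gateway or brand-monitoring job can automate: is the host behind a link or sender address tsp.gov itself, a spelling variant of it (tspgov.us, T$P.GOV), or something unrelated? The following is an added example, not code from the article, from TSP or from the brand-monitoring product it mentions; the homoglyph table, the distance threshold and the sample links other than the two quoted in the article are constructed for illustration.

```python
import re
from urllib.parse import urlparse

LEGIT_DOMAIN = "tsp.gov"
# Substitutions commonly used to imitate letters in a domain (constructed table).
HOMOGLYPHS = str.maketrans({"$": "s", "0": "o", "1": "l", "3": "e", "5": "s"})

def host_of(link_or_address: str) -> str:
    """Lower-cased host of a URL, or the domain of an e-mail address, minus 'www.'."""
    if "@" in link_or_address and "://" not in link_or_address:
        host = link_or_address.rsplit("@", 1)[1]
    else:
        target = link_or_address if "://" in link_or_address else "http://" + link_or_address
        host = urlparse(target).hostname or ""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(link_or_address: str, legit: str = LEGIT_DOMAIN) -> str:
    """'legitimate' (the real domain or a subdomain of it), 'lookalike' or 'unrelated'."""
    host = host_of(link_or_address)
    if host == legit or host.endswith("." + legit):
        return "legitimate"
    brand = legit.split(".", 1)[0]
    folded = host.translate(HOMOGLYPHS)                        # t$p.gov -> tsp.gov
    labels = re.split(r"[^a-z0-9]+", folded.rsplit(".", 1)[0])  # drop the TLD, split labels
    if any(label.startswith(brand) for label in labels):       # tspgov.us, tsp.gov.example.net
        return "lookalike"
    if edit_distance(folded, legit) <= 2:                       # tps.gov and similar typos
        return "lookalike"
    return "unrelated"

# Constructed sample: the two addresses quoted in the article plus three made-up ones.
SAMPLE = ["https://www.tsp.gov/login", "accountservices@tspgov.us", "http://T$P.GOV/reset",
          "https://tsp.gov.example.net/verify", "https://example.org/news"]

def audit(items=SAMPLE) -> dict:
    """Map each link or address in the sample to its verdict."""
    return {item: classify(item) for item in items}

if __name__ == "__main__":
    for item, verdict in audit().items():
        print(f"{verdict:<10} {item}")
```

The brand-token check catches the "TSP" lure regardless of TLD, and the distance check catches plain typos; a real deployment would also strip IDN/punycode hosts and compare against the full list of domains the organization owns.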

