Documents acquired by Nextgov show how retirement fund officials scrambled to dissect a misguided Army cybersecurity exercise.
Thrift Savings Plan officials went into damage control mode in February when a stranger appropriated the TSP trademark and propped up a fake federal retirement fund website for a phishing scheme. Internal emails reveal that officials governmentwide struggled for two weeks to positively identify the perpetrator.
It turned out the bogus email campaign was innocuous -- part of an Army cybersecurity training exercise. But nobody bothered to tell TSP. Now the agency is buying brand management software and changing password requirements to make sure friends or foes don't do this again.
Officials at TSP, which suffered a real breach in 2011 that compromised the identities of 123,000 retirement savers, have some experience in threat containment. The agency's chief information security officer and others saw the messages spreading online around Feb. 19, quickly traced the hoax back to an Army server, and confronted Defense Department officials with their findings.
"Everything is intentionally fake. Street is MyStreet, organization is MyOrg," TSP CISO John Ramsey said in an email, while trying to pinpoint the culprit with his colleagues. "I will give their CISO the politically 'what for' for not coordinating with us first."
Nextgov obtained his messages and other internal correspondences through an open records request.
The sham emails were sent from firstname.lastname@example.org, carried the subject line "Thrift Saving Plan Alert: Passcode Reset," and urged recipients to verify changes made to their accounts by visiting "www.tspgov.us." The message quickly went viral among participants of the retirement plan, which serves 4.6 million federal employees and retirees.
The purpose of the bungled phishing drill, first reported in March by a number of news outlets, was to test whether troops would divulge their credentials.
The Pentagon, for its part, took 13 days, from Feb. 11 to Feb. 24, trying to confirm the Army was to blame.
During that period, Ramsey emailed top technology officials at his agency to recommend that they "notify through the CIO Council and the CISO Advisory Council for agencies NOT to use TSP within their exercises."
At the time, TSP was in the process of acquiring "brand monitoring software," the emails stated. If the tool had been in place, it would have swept the Internet regularly, looking for "Thrift Savings Plan" and associated phrases.
TSP spokeswoman Kim Weaver now says, “The fake TSP website set up by the Department of the Army may have come to our attention sooner. This knowledge might have allowed us to take remedial action.”
That said, the organization that set up the site and the Army unit that sent out the phishing emails were two separate entities, so it is unclear whether identifying the operator of the website, alone, would have given TSP enough time to prevent the email from going viral, she said.
TSP officials say throughout the agency’s existence they have taken steps to curb brand abuse and will continue to do so.
"For example, when necessary, our Office of General Counsel has sent cease and desist letters to entities misrepresenting TSP or its likeness and ensured appropriate follow-up action was taken," Weaver said.
Broken Chain of Command
During the ordeal, Ramsey told coworkers in an email, "Because of DA's and DoD's lack of situational awareness, they didn't confirm until Monday, the 24th" of February that they were behind the confusion.
Defense officials have since acknowledged they erred on multiple levels. And the military is developing "guidance regarding the conduct of phishing exercises that will clarify existing DoD policy and amplify future reporting requirements," Pentagon spokesman Damien Pickart said in a statement.
The forthcoming guidance will articulate to every communications office what is and is not permitted related to cybersecurity exercises, so that incidents are reported to the proper authorities, who can quickly determine whether activities have gone astray, a Defense official told Nextgov.
The official added that TSP officials were correct in saying that the entire department did not have situational awareness. A specific Army unit far down the chain from the Defense Office of the Chief Information Officer conducted the exercise without informing headquarters, the official said.
It took a while to verify that the unit was responsible, because of the nature of a military bureaucracy comprising thousands of different physical locations, the official added.
Pentagon officials declined to comment on the thinking behind choosing TSP as the lure for the phishing scheme. The department also declined to identify the individual who decided to go ahead with the plan, or to say whether or how that individual was disciplined.
It is unclear whether Defense officials knew hundreds of thousands of TSP plan members already had been subjected to potential identity theft in 2011.
On Feb. 24, an Army cyber operations official, who was not involved in the drill, told TSP in an email that "there was an authorized exercise," which did include using tspgov.us, and it was conducted "using addresses in the jiatfs.southcom.mil domain." The Army official added that the practice session "was cleared and executed under the authority documented between" Joint Interagency Task Force South and Cyber Command. The training ended on Feb. 20.
That same day, TSP officials posted on their official site a warning to employees about look-alike Web addresses: "Remember: TSP.GOV is the only legitimate web address for reaching the TSP online. Email links with spelling errors or slight variations in the TSP.GOV address (e.g., TSPGOV.US or T$P.GOV) may send you to fraudulent websites. These websites may steal your login credentials when you enter them."
Here's how the phishing scheme and TSP's response unfolded:
Feb. 11: TSP phishing email is disseminated by an unknown sender.
Feb. 14: Plan participants start notifying the agency's call center as well as Abuse@tsp.gov.
Feb. 19: Initial TSP review indicates the website is located in Huntsville, Ala., home of the Army's Redstone Arsenal.
Feb. 20: Further review indicates the IP address of the website belongs to Ft. Huachuca, U.S. Army Information Systems Command. That day TSP contacts Army G6, the parent organization of any entity that would have registered the links.
Feb. 24: An Army cyber operations official emails TSP, saying: "Here is what I was able to find out. Yes, there was an authorized exercise which was conducted on 10/11 Feb which did include using tspgov.us. The exercise was conducted using addresses in the jiatfs.southcom.mil domain. The exercise was cleared and executed under the authority documented between [Joint Interagency Task Force South and Cyber Command]. Event was concluded on 20 Feb." The same day, the official TSP.gov website posts an alert to citizens, stating:
"Phishing, E-mail Scams, and Bogus Websites (February 24, 2014) Remember: TSP.GOV is the only legitimate web address for reaching the TSP online. Email links with spelling errors or slight variations in the TSP.GOV address (e.g., TSPGOV.US or T$P.GOV) may send you to fraudulent websites. These websites may steal your login credentials when you enter them."
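The TSP alert describes two look-alike patterns (a fused "tspgov" under a foreign TLD, and a "$"-for-"S" swap), and the brand-monitoring tool the agency was buying sweeps for the phrase "Thrift Savings Plan." The following is an added illustration, not TSP's or the Army's code, of how a defender's mail filter or brand monitor could classify links against the one legitimate domain; the sample message, the homoglyph table and the verdict names are constructed for this example.

```python
import re
from urllib.parse import urlparse

LEGIT_DOMAIN = "tsp.gov"
# Character swaps that keep a string looking like the brand; "$" for "s" is the T$P.GOV case.
HOMOGLYPHS = str.maketrans({"$": "s", "0": "o", "1": "l", "3": "e", "5": "s"})
# Brand token fused with or separated from other words inside one label, e.g. tspgov.us.
BRAND_TOKEN = re.compile(r"(^|[-_])tsp(gov)?([-_]|$)")
# Phrases a brand monitor would sweep for, compared with dots and hyphens removed.
BRAND_PHRASES = ("thriftsavingsplan", "thriftsavings")
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9$-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


def hostname(url: str) -> str:
    """Lower-cased host part of a URL, with or without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def classify(url: str) -> str:
    """Return 'legitimate', 'homoglyph', 'lookalike', 'brand-phrase' or 'unrelated'."""
    host = hostname(url)
    if host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN):
        return "legitimate"
    folded = host.translate(HOMOGLYPHS)
    if folded == LEGIT_DOMAIN or folded.endswith("." + LEGIT_DOMAIN):
        return "homoglyph"        # t$p.gov only matches after the swap is undone
    if any(BRAND_TOKEN.search(lbl) for lbl in folded.split(".")[:-1]):
        return "lookalike"        # tspgov.us, tsp-login.example, tsp.gov.evil.example
    squashed = folded.replace(".", "").replace("-", "")
    if any(p in squashed for p in BRAND_PHRASES):
        return "brand-phrase"     # thrift-savings-plan.example
    return "unrelated"


def flag_links(message: str) -> list:
    """Every link in a message body that is not the real TSP site, with its verdict."""
    suspicious = {"homoglyph", "lookalike", "brand-phrase"}
    found = [(m.group(0), classify(m.group(0))) for m in URL_RE.finditer(message)]
    return [(url, verdict) for url, verdict in found if verdict in suspicious]


# Constructed sample modelled on the subject line and lure domain quoted in the article.
SAMPLE_MESSAGE = """Subject: Thrift Saving Plan Alert: Passcode Reset
Please verify the changes made to your account by visiting www.tspgov.us
or http://t$p.gov/reset within 24 hours. Only https://www.tsp.gov/ is the real site."""

if __name__ == "__main__":
    for url, verdict in flag_links(SAMPLE_MESSAGE):
        print(f"{verdict:12} {url}")
```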