Two Tennessee Valley Authority sites were compromised in 2013, when an adversary broke in through a software flaw.
The embarrassing hack of U.S. Central Command's Twitter feed earlier this month by purported terrorist sympathizers lay bare the inherent insecurity of normally locked-down federal agencies using external Web services. But this is far from the first time it's happened.
The Tennessee Valley Authority was left similarly red faced by a previously undisclosed 2013 incident, in which the government-owned power corporation’s public website was entangled in a hack targeting Web-hosting provider GoDaddy.
Two of the corporation's sites managed by GoDaddy were compromised, according to Tennessee Valley officials. The adversary broke in through a software flaw in WordPress, a content management system powering the webpages.
"Attackers had utilized a vulnerability to gain administrative access to the websites and create unauthorized accounts on the websites," special agents said in a March 2013 inspector general report obtained by Nextgov through a public records request.
Here's where the CENTCOM Twitter hack and the Tennessee Valley hack differ. The corporation detected the intrusion ahead of the public, even before cyber sleuths at the Department of Homeland Security or FBI suspected anything.
A Tennessee Valley communications employee noticed the compromise, additional research uncovered the second breach, and then GoDaddy worked to help immediately fix the situation, corporation spokesman Jim Hopson told Nextgov Jan. 23. The hack happened Jan. 11, 2013, and the inspector general opened an investigation two days later.
"The breach was reported the same day it was detected," a DHS official confirmed Friday.
Unlike the Twitter breach, the bad guys didn't seem to have their eyes set on embarrassing Tennessee Valley, per se. The intrusion was aimed at GoDaddy's host server, Hopson said. Around the time of the TVA hack, some payday loan scammers seemed to be compromising other GoDaddy WordPress sites.
“It was a broad assault on an external third-party server, did not target TVA specifically and could not have impacted our electric generation or power transmission system," he said.
But it would not be outside the realm of possibility for a hacker to jimmy open a weak GoDaddy doorway to tamper with an agency's informational resources. Over Thanksgiving, Assad sympathizers self-dubbed the Syrian Electronic Army allegedly did just that by hijacking readers of CNBC, the Chicago Tribune and other media outlets -- and rerouting them to a fraudulent page.
GoDaddy did not respond to a request for comment.
"While we do have monitoring systems in place, it is fair to say that they are less robust externally than they would be internally," Hopson said. "I think that's fair to say of most places because you don’t usually have the same controls outside your own firewall."
The year the corporation was hacked, researchers at WP White Security and EnableSecurity determined 73 percent of the 40,000 most popular websites using WordPress software were vulnerable to attacks.
In the TVA case, a connected computer server was of no help identifying the perpetrator because "logging had not been turned on," the agents reported. Without that evidence, there is "no basis for a criminal investigation," they concluded.On Friday, FBI officials said they typically neither confirm nor deny the existence of an investigation.
Power Grid Hacked?! Not Quite
There is an immediate visceral reaction when one hears a utility has been breached. Even though this system had no link to Tennessee Valley's own networks, the hack could tarnish the agency's reputation and create additional risks to deal with, said Patrick Miller, founder of EnergySec, a nonprofit cyber advocacy group partially funded by the Energy Department.
If employees were using the same password to log onto their work computer and GoDaddy, the attacker might have walked away with some government credentials.
"People sometimes reuse credentials they use in other areas of the business," Miller said. "I always worry about that."
Tennessee Valley officials say there are multistep ID checks in place, as well as other security layers to prevent hackers from using any stolen passwords to access email or other work accounts.
Something else to consider after a public-facing website is hacked: the credibility of the information presented to citizens.
"I understand that everyone thinks compromised public information won’t have any impact because it’s public, not confidential, but the integrity of public information can cause reputation issues," Miller said. "If it’s public information, but it’s the wrong information, that can have a very significant impact especially when you are a highly ranking industry, such as the power sector."
Hackers also theoretically could move financial markets by manipulating rates on public energy sites like OASIS, a tool for sharing information on transmission prices and product availability.
"OASIS is the open access information system that is used so that we can keep the insider trading out. We publish information to all participants at once through our OASIS sites,” which usually are hosted by an outside company, Miller said. “It’s all public information because everybody in the world is supposed to see it at the same time, but if that information was wrong, the traders could take action on some wrong information.”
Tennessee Valley's information security staff stifled the unauthorized activity before damage was done, corporation officials say.
Even so, they have a public perception scrape. "Though no one can take control of the power grid, they are still a company and they still have to clean up a problem that was created due to some third-party flaw in software that they had no control over," Miller said.
The proliferation of agencies using third parties and fourth parties to showcase public information increases the attack surface for intruders, experts and feds agree.
"There is an enormous benefit to communicating through a mechanism such as Twitter, but Twitter is not owned by CENTCOM so there are risks associated with using it," Hopson said of the social media hack earlier this month where alleged ISIS sympathizers took over CENTCOM’s Twitter and YouTube accounts, defacing them with threatening messages.
Most of the time, the advantage of being able to communicate with citizens in the forum they choose outweighs the cyber risks, if proper precautions are taken, he said.
"The most secure system that you can have is to operate in an island and not connect to the Internet, but you handicap yourself as an agency when you do that," Hopson said.