Third-Party Software Was Entry Point for Background-Check System Hack


Intruders piggybacked on a vulnerability in an enterprise resource planning application.

Hackers broke into third-party software in 2013 to open personal records on federal employees and contractors with access to classified intelligence, according to the government's largest private employee investigation provider.

That software apparently was an SAP enterprise resource planning application. It’s unclear if there was a fix available for the program flaw at the time of the attack. It’s also not clear whether SAP—which was responsible for maintaining the application—or USIS would have been responsible for patching the flaw.  

But in the end, sensitive details on tens of thousands of national security personnel were exposed in March 2014.

Assailants infiltrated USIS by piggybacking on an “exploit,” a glitch that can be abused by hackers, that was “present in a widely used and highly-regarded enterprise resource planning (‘ERP’) software package,” an internal investigation obtained by Nextgov found. 

USIS officials declined to explicitly name the software application, saying they would let the report, compiled by Stroz Friedberg, a digital forensics firm retained by USIS, speak for itself. 

The report, written in December 2014, noted: “Forensic evidence shows the cyberattacker gained access to USIS systems through an exploit in a system managed by a third party, and from there migrated to company managed systems. . . . Our findings were largely informed by a variety of logs, including, firewall logs, security event logs, VPN logs, and SAP application trace logs.”

A September 2014 letter from Stroz reported, "The initial attack vector was a vulnerability in an application server, housed in a connected, but separate network, managed by a third party not affiliated with USIS.” The reference to “SAP application trace logs” in the report indicates the third party was SAP.

During the period of the hacking operation, which began in 2013 and was exposed in June 2014, 20 to 30 new critical vulnerabilities were identified in SAP’s enterprise resource planning software.

The number of SAP vulnerabilities "would have given attackers many options to target SAP directly,” based on how USIS deployed the ERP tool, said Richard Barger, chief intelligence officer at ThreatConnect, a firm that tracks cyber threats. Barger is a former Army intelligence analyst.

It is unclear which vulnerability the intruders exploited. Defects in programs used by the government and contractors sometimes aren’t fixed for years after software developers announce a weakness.

Referencing the Stroz report, USIS spokeswoman Ellen Davis said, "the third-party contractor was hacked and the hacker was then able to navigate into the USIS network via the third party’s network."

Stroz officials deferred comment to USIS. 

SAP, a major IT contractor with 50,000 customer organizations worldwide, would neither confirm nor deny allegations that assailants reached USIS through one of its systems. SAP spokesman Mat Small said in an email, "Since we don’t comment on the specifics of any customer engagement without their explicit consent, SAP is unable to make a statement on the situation.”

Addressing SAP’s response to security vulnerabilities, he added, "No company is more committed to data privacy and security than SAP, and we respond rapidly, vigorously and thoroughly when potential security risks are identified.”

The targeting of middlemen and downstream suppliers has become common in sophisticated hacking campaigns, according to researchers. 

The top three sectors victimized by cyber espionage last year were professional services firms, which typically support large organizations; manufacturing; and government, according to an annual Verizon data breach investigations study released last month.

Computer snoops have learned it is easier to compromise “the partner and the third party dealing with that intellectual property than the source of the intellectual property itself," Jay Jacobs, a Verizon senior analyst and study co-author, said at the time of the study’s publication.

And PWC's most recent State of Cybercrime Survey found that only 22 percent of U.S. organizations plan incident response strategies with outside suppliers.

"Not all companies recognize that supply chain vendors and business partners . . . can have lower—even nonexistent—cybersecurity policies and practices, a situation that can increase cybercrime risks across any entity that partner or supplier touches,” according to the survey, which came out a year ago.

(Image via wk1003mike/