Report finds Census Bureau lacks ‘effective cybersecurity posture’ after red team hack

Government-contracted hackers managed to gain access to Census Bureau systems and send fake emails, according to a new OIG report.


A new inspector general report details how government-contracted hackers managed to gain covert access to Census Bureau systems in a simulated attack against the federal agency.

A team of government-contracted hackers successfully gained unauthorized and undetected control of critical Census Bureau systems in a test revealing the federal agency's major cybersecurity weaknesses, according to a new report.

The Commerce Department Office of Inspector General's office of audit and evaluation launched a cyber red team last year to conduct a simulated attack against the Census Bureau, after the agency was the subject of a hack ahead of the 2020 U.S. Census. Hackers previously gained access to Census Bureau systems through the agency's Citrix servers on Jan. 11, 2020, but were unable to access 2020 Decennial Census networks or interact with any statistical tabulations associated with the national count, the bureau said. 

The Census Bureau has seemingly failed to remedy its cyber vulnerabilities since then, with a new IG report detailing the agency’s lack of "an effective cybersecurity posture" to prevent attacks capable of reducing its defensive options in the wake of a successful breach. 

The red team – a group of cyber experts from a security firm tasked with covertly attacking an organization's systems to simulate a real-world hacking attempt – gained access to bureau employees’ personally identifiable information after breaching its systems through a domain administrator account. 

According to the report, the bureau failed to restrict access to or otherwise disable an outdated account management control tool, which gave the security firm access to the agency's systems "and allowed the red team to run commands as a user with excessive privileges."

The simulated hack was so successful that the team even managed to send fake emails via insecure programs and carry out a series of additional malicious actions.

"Once a domain administrator account is under their control, advanced threat actors can pivot across a network, evade security defenses, maintain a foothold on the network, access sensitive files and run malicious commands," the report said. "By bypassing multiple security countermeasures and evading detection by the bureau's staff, the red team demonstrated a critical threat to the bureau's information security."

The inspector general recommended that the Census Bureau implement advanced authentication security controls and assess known vulnerabilities to ensure its systems are properly protected, among a series of other security measures. The report – redacted in part to cover sensitive information about the bureau's information technology vulnerabilities – further called on the agency to remove legacy code from critical systems, develop a process to routinely test and inspect applications for vulnerabilities and establish alerts for common detection methods.

The bureau said in a response filed with the report that it plans to release a "forthcoming detailed action plan" to address the vulnerabilities exposed in the IG report. The bureau has 60 days under department guidelines to submit the plan.