DHS network intrusion was twice ruled a false positive before breach confirmed

Win McNamee/Getty Images

Suspicious activity on the Homeland Security Information Network, which is being used to support World Cup games around the U.S., was first detected around mid-to-late May.

Department of Homeland Security personnel twice dismissed signs of cyber intruders inside the agency’s Homeland Security Information Network as harmless activity, allowing hackers to remain undetected inside for weeks and eventually steal credential files, according to an internal incident readout viewed by Nextgov/FCW.

HSIN was breached about two months ago, Nextgov/FCW first reported in late June. The network houses sensitive, unclassified data that’s shared between federal, state, local, industry and overseas partner organizations.

Department investigators have still not determined the affiliation of the hackers, according to two people with knowledge of an ongoing probe into the incident. DHS may send staff to brief Congress on the hack in a classified setting in the coming weeks, added the people, who spoke on the condition of anonymity to communicate the department’s thinking.

Between May 15 and May 24, the infiltration was detected by analysts inside FEMA, where they observed the hackers had altered files on testing and live servers, used a legitimate web-server program to run malicious code and deleted activity logs that could have exposed their movements, according to the readout. The activity was ruled a false positive.

Between May 25 and June 3, the hackers used similar methods aiming to leave scant trace of their activity, setting off more alerts that were again dismissed as benign. On June 4, they installed hidden backdoors and stole credential data — typically employed to verify users’ identities and grant access to accounts or systems — where personnel then declared a breach was active.

It’s not clear why the intrusion was deemed benign two times over such a wide timeframe, but the incident highlights how a mistaken assessment can give hackers significantly more time to deepen their access into a target’s environment. The hack involved techniques meant to mask activity as normal, which, generally speaking, can make it very difficult for analysts to determine what is legitimate or not, one of the people said.

It’s also unclear what materials, if any, were copied from HSIN systems, though the fact that hackers targeted credential files indicates they sought out access to accounts or systems beyond what they could initially reach.

"The Department of Homeland Security is aware of a recent cyber incident involving a specific, unclassified legacy information sharing environment," a DHS spokesperson wrote in the same statement it provided earlier this month that confirmed the hack. "We immediately took action to isolate the affected systems, mitigate the vulnerability, and launch a comprehensive forensic investigation. There is no indication that classified networks were impacted, and the system remains operational for our partners. As this is an ongoing investigation, we cannot provide further operational details at this time."

Approved users lean on the network to securely access data, exchange requests with partner agencies, coordinate safety and security for planned events, respond to incidents and share information needed to protect their communities, per its website.

HSIN has been used to support ongoing World Cup games and recent America250 events, Senate Intelligence Committee Vice Chairman Mark Warner, D-Va., said in a statement after the breach was reported. 

“The information in HSIN, while not classified, is highly sensitive, and its exposure risks national security,” he said at the time.

As the United States hosts World Cup matches nationwide, the hack could raise questions about whether the intruders gained access to security plans, interagency communications or emergency response plans for one of the world’s most visible sporting events. It’s also possible that World Cup data was not a target.

Nation-state and criminal hackers routinely target U.S. systems to gather intelligence, steal sensitive information and maintain access to government networks. In February, a suspected China-linked breach of an FBI surveillance system likely exposed the phone numbers of people the bureau was monitoring. Last fall, a widespread breach at FEMA let hackers make off with employee data from both the disaster management office and U.S. Customs and Border Protection.

Editor's note: This article has been updated to include a statement from DHS.