The Department of Homeland Security has ordered federal agencies to take immediate steps to protect themselves from “hijacking and tampering” cybersecurity incidents in the wake of an ongoing tampering campaign.
DHS said in a statement this week it is aware of a “number of agencies affected” by the campaign. DHS did not indicate who is responsible for the attacks, but the private security firm FireEye said its analysis suggests the attacks are originating from Iran.
Cyberattacks on US institutions are not uncommon, but the incidents referred to in Tuesday’s directive might not be detected by typical cyber protections. The tampering campaign also comes amid concerns about the safety of US institutions during the partial government shutdown, which has resulted in the furloughs of about 13% of the DHS workforce, while many others aren’t being paid.
Attackers have redirected and intercepted web and mail traffic by tampering with Domain Name System records, according to the Cybersecurity and Infrastructure Security Agency, the agency that issued the directive. DNS is the system that maps a website’s name to the network address where the site is hosted, and manipulating those records could allow attackers to decrypt information and expose user data, CISA said.
“We continue to see evidence suggesting that operators are operating out of Iran, and going after targets that would be of interest to a government” which suggests they are acting “in support of the Iranian government,” said Benjamin Read, FireEye senior manager of cyber espionage analysis.
FireEye believes the attacks have impacted at least 12 countries.
The DHS directive comes as key parts of the government’s cybersecurity and infrastructure protections have been impacted by the partial government shutdown, but DHS says it is maintaining capabilities to support national security efforts.
The emergency directive, which was issued by CISA, lays out a series of actions that agencies must take over the next week, including reviewing records, changing passwords and adding multifactor authentication.
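The first of those actions, reviewing DNS records, amounts to comparing what the public DNS currently says about an agency’s domains with what the agency knows it should say. The script below is an added illustration of that check and is not code from the article, CISA or FireEye. It compares a snapshot of current records against a known-good baseline and reports every watched record that was added, removed or changed, while ignoring reordering and case differences so they do not raise false alarms. Every hostname, address and record in it is constructed sample data (the `agency.example` names and the 192.0.2.x address are documentation placeholders), and the snapshot is embedded inline rather than queried live so the example runs offline.

```python
"""Baseline check for DNS record tampering (added example; constructed data only).

Compares a snapshot of an organization's current public DNS records against an
authoritative baseline and reports each record that was added, removed or
changed. Redirecting web or mail traffic, as described in the directive,
requires altering A/AAAA, MX or NS records, so those are the types watched.
"""
from dataclasses import dataclass

# Record types whose alteration redirects web or mail traffic or re-delegates the zone.
WATCHED_TYPES = ("A", "AAAA", "MX", "NS")


@dataclass(frozen=True)
class Finding:
    name: str
    rtype: str
    kind: str        # "added", "removed" or "changed"
    expected: tuple  # baseline values (empty for "added")
    observed: tuple  # current values (empty for "removed")


def normalize(records):
    """Turn {(name, type): [values]} into {(name, TYPE): sorted tuple of values}.

    Names and values are lower-cased and trailing dots stripped, so that
    ordering and case differences alone never produce a finding.
    """
    out = {}
    for (name, rtype), values in records.items():
        if rtype.upper() not in WATCHED_TYPES:
            continue
        key = (name.rstrip(".").lower(), rtype.upper())
        out[key] = tuple(sorted(v.rstrip(".").lower() for v in values))
    return out


def diff_records(baseline, current):
    """Return a list of Findings describing how `current` deviates from `baseline`."""
    base = normalize(baseline)
    cur = normalize(current)
    findings = []
    for key in sorted(set(base) | set(cur)):
        name, rtype = key
        exp, obs = base.get(key, ()), cur.get(key, ())
        if key not in cur:
            findings.append(Finding(name, rtype, "removed", exp, obs))
        elif key not in base:
            findings.append(Finding(name, rtype, "added", exp, obs))
        elif exp != obs:
            findings.append(Finding(name, rtype, "changed", exp, obs))
    return findings


def report(findings):
    """Human-readable line per finding, for a ticket or log entry."""
    return [
        f"{f.kind.upper():8} {f.name} {f.rtype}: "
        f"expected {list(f.expected)} observed {list(f.observed)}"
        for f in findings
    ]


# Constructed baseline: what the zone is supposed to contain.
BASELINE = {
    ("www.agency.example", "A"): ["192.0.2.10"],
    ("agency.example", "MX"): ["10 mail.agency.example."],
    ("agency.example", "NS"): ["ns1.agency.example.", "ns2.agency.example."],
    ("agency.example", "TXT"): ["v=spf1 mx -all"],  # not a watched type
}

# Constructed snapshot: an extra, higher-priority MX record now points mail
# elsewhere; the NS records are merely reordered and must not be flagged.
SNAPSHOT = {
    ("www.agency.example", "A"): ["192.0.2.10"],
    ("agency.example", "MX"): ["10 mail.agency.example.", "5 mx.unexpected-host.example."],
    ("agency.example", "NS"): ["ns2.agency.example.", "ns1.agency.example."],
    ("agency.example", "TXT"): ["v=spf1 mx -all"],
}

if __name__ == "__main__":
    for line in report(diff_records(BASELINE, SNAPSHOT)):
        print(line)
```

In practice the snapshot would be produced by resolving each baseline name against several independent resolvers and the zone’s own authoritative servers, and the baseline would live in version control so that every legitimate change has an approver; the comparison logic stays the same.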
You “don’t see them (directives) too often, but when they do come out, you know they are serious about it,” said Chris Cummiskey, a former DHS deputy under secretary who now consults on cybersecurity and management. He added that the scheme is “really malicious and it’s hard to detect unless you know what you are looking for.”
CISA acknowledged that the partial shutdown may cause challenges in implementing the directive, but said in a statement it believes the required actions are “necessary, urgent and implementable as most agencies are adequately staffed to take the necessary actions.”
However, Cummiskey said the directive shows that the threat is increased at a time when “internal capabilities are spread thin” due to the lapse in federal funding.
“It’s not a very good equation,” he said.