US government agency overreacts to malware (Your tax dollars at work)
Posted by: TimW on 07/09/2013 02:04 PM
$170,000 of equipment, including mice and keyboards, was physically destroyed when, according to a report (PDF), the Economic Development Administration (EDA) over-reacted to an over-stated malware threat. The EDA, a part of the US Commerce Department, also spent $823,000 on a contractor to investigate the infection, over one million dollars on temporary infrastructure, and $688,000 for assistance from a contractor with a long-term recovery plan.
Back on Dec. 6th 2011, US-CERT alerted the Department of Commerce Computer Incident Response Team (DOC CIRT) that there was a potential malware infection on the IT systems in the Herbert C. Hoover Building (HCHB) network. Both the National Oceanic and Atmospheric Administration (NOAA) and the EDA were notified via email. The NOAA notification identified a component which was fixed and returned to service by 12 January 2012.
But the incident handler had looked up the wrong network logging information and told the EDA that 146 components were infected with malware. DOC CIRT corrected that information, stating that only 2 systems were affected, but never notified the EDA that the first email was incorrect. Over the following weeks the misunderstanding rolled on: DOC CIRT tested the two components and confirmed a problem, which the EDA took as a signal that all 146 components were infected with malware.
By 24 January 2012, the EDA's CIO had decided to disconnect all their systems from the HCHB network to stop the non-existent malware from spreading. By April they concluded that they could not find any persistent or targeted malware, and the NSA and US-CERT came to the same conclusion.
In the end, only six systems were compromised, two with rootkits and four with "common malware". But the EDA CIO decided that the potential risk made the destruction of all the IT components necessary, "including desktops, printers, TVs, cameras, computer mice, and keyboards", and only halted the destruction in August 2012 because the agency had run out of funds to destroy the remaining $3 million worth of EDA equipment.