VA Systems Hacked From Abroad
At Least 8 Nation-States Said to Be Behind Attacks
Since 2010, hackers from other nations, including China and perhaps Russia, have repeatedly breached Department of Veterans Affairs computers containing unencrypted data on some 20 million veterans, the chairman of a House panel said at a June 4 hearing.
In at least one incident, hackers encrypted the unencrypted VA data, making it impossible for the government to know exactly what information was exposed. "While VA knew foreign intruders had been in the network, the department was never sure what exactly these foreign actors took because the outgoing data was encrypted by the trespassers," said Rep. Michael Coffman, the Republican chairman of the House Veterans Affairs Oversight and Investigations Subcommittee, in his opening remarks.
Coffman identified China and perhaps Russia as the intruders.
Former VA Chief Information Security Officer Jerry Davis told the panel that eight different nation-state-sponsored organizations had successfully compromised VA networks and data, or were actively attacking VA networks - and these attacks continue. The other six nations were not identified.
"These groups of attackers were taking advantage of weak technical controls within the VA network," said Davis, who left the VA in February to become chief information officer at NASA Ames Research Center in Moffett Field, Calif. "Lack of controls such as encryption on VA databases holding millions of sensitive records, web applications containing common exploitable vulnerabilities and weak authentication to sensitive systems contributed to the successful unchallenged and unfettered access and exploitation of VA systems and information by this specific group of attackers."
Domain Controller Compromised
Michael Bowman, director of information technology and security audit for the VA inspector general, said foreign intruders compromised the VA network's domain controller, which is a server that responds to security authentication requests in Microsoft systems. "Whenever you compromise a domain controller, essentially you own the enterprise," Bowman said. "That's the seriousness of it."
Acting VA CIO Stephen Warren tried to downplay the gravity of the hacks. "When you have the domain controllers, you can go where you like. That's not necessarily the same as owning the network. Owning the network means you can control what anybody does, what anybody can do and where all the traffic goes. That is not the case."
But Rep. Doug Lamborn, R-Colo., interjected: "If you're looking for information, and you could go wherever you want to go, that's a pretty bad situation."
Warren began to respond, "As I believe ...," then paused, saying, "Yes, sir."
The acting CIO initially told the panel he was aware of only one breach from a nation-state-backed hacker that occurred in 2012, but declined to discuss it in a public hearing because the information remains classified. Later, he clarified that he was aware of multiple incidents involving foreign attacks, saying his earlier reference was to a specific report.
At one point, the back-and-forth between Coffman and Warren got contentious, with both men showing exasperation. Coffman said the attackers had information pertaining to the 20 million veterans.
"I can tell you, sir, that is the point where I diverge because it is not clear where they had access, right?" Warren said. "So, you're assuming that the VA is a small place that ..."
"You're right, we don't know," Coffman said. "That's the problem. We don't know. That's right. The fact is they had access to the 20 million veterans. Aren't you concerned about that?"
"Sir," Warren responded, "I am concerned anytime veterans' data is put at risk."
"Don't you feel that the veterans of this country - I being one of them, and there are other veterans on this committee - ought to be warned of that fact?" Warren asked.
"I believe you are accomplishing that through this hearing, sir," Warren said.
"Should you have accomplished that?" Coffman asked.
"To what ends, sir?" Warren replied. "To drive veterans away from the healthcare they need, the mental healthcare they need ..."
Coffman interrupted: "To inform them that they need to watch out for the fact that their ... that the system may be compromised, just as any private entity that had been compromised would notify the consumers that they serve. You, in fact, had an obligation to notify the consumers you served ... the men and women who served this nation in uniform."
"Yes, sir, as I did," Warren said. "And, anytime there is the potential, where we believe there was the potential for a breach ..."
"There was a breach," Coffman said.
"... We offer credit monitoring for a year," Warren continued. "There was a hotline to provide those services to individuals. In the past, we received e-mails from Homeland Security ..."
At this point, Coffman cut off Warren.
No one knows what exact information was stolen, including whether medical records were breached. But most of that data was not encrypted, and IG's Bowman said the information likely pilfered could be the type used to commit payment card fraud, such as names, dates of birth and Social Security numbers of veterans.
The Veterans Health Administration is the nation's largest integrated health care system.