Phony White House e-card the work of spies?

NSF office among those hit by apparent espionage attempt

The National Science Foundation’s Office of Cyberinfrastructure was among a handful of government agencies that fell victim over the holidays to a phony e-greeting card purporting to be from the White House.

Some documents on infected OCI computers, along with infected computers at the Massachusetts State Police, the Millennium Challenge Corp., the Moroccan Ministry of Industry and the Financial Action Task Force, appear to have been sent to a server in Belarus, analysts said.

An NSF spokesperson confirmed the breach and said that the infected system had been identified and shut down and that it does not appear that confidential information was leaked.

The NSF OCI supports with grants the development of state-of-the-art resources such as supercomputers, high-capacity storage systems, software and programming tools, and networking environments that support high-end research, development and education.


Initial reports said that grant applications had been uploaded from the machine, but that information was not available on the infected PC, said spokeswoman Lisa-Joy Zgorski. “We do not think that information has been compromised as has been suggested,” she added.

The one document that appears to have been uploaded by the malware was an abstract of funding awards that already was public but that could have been confused with confidential application data, she said.

Victims of this attack appear to have fallen for a piece of social engineering just before Christmas that used a notification of an electronic Christmas card from the White House. Those who clicked on the link to download the card also received a variant of the ZeuS Trojan malware. Although ZeuS traditionally has been used for the theft of financial log-in information and identity credentials, the attack also downloaded executable code designed to search for .xls, .doc and PDF files and export the documents via File Transfer Protocol.
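The second-stage behaviour described above (office documents and PDFs collected from the workstation and pushed out over FTP) is the kind of activity a defender can look for in FTP proxy or firewall logs. The following is an added example, not code from the article or from NetWitness: it groups FTP STOR uploads of .xls/.doc/.pdf files per (client, external server) pair and raises an alert when a workstation sends several documents to one outside host. The log format, the internal address ranges and the sample lines are all constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed FTP-proxy style log lines (assumed format, not from the article):
# timestamp client server command argument
SAMPLE_LOG = """\
2010-12-24T09:12:01 10.20.5.17 10.20.5.200 STOR report.xls
2010-12-24T09:13:44 10.20.5.17 203.0.113.45 STOR awards_abstract.doc
2010-12-24T09:13:59 10.20.5.17 203.0.113.45 STOR grant_budget.xls
2010-12-24T09:14:10 10.20.5.17 203.0.113.45 STOR summary.pdf
2010-12-24T10:01:02 10.20.5.31 203.0.113.45 RETR card.exe
2010-12-24T10:05:00 10.20.5.42 198.51.100.9 STOR photo.jpg
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\w+) (\S+)$")
DOC_EXTS = (".xls", ".doc", ".pdf")          # file types the article says were targeted

# Assumed internal address space; anything outside it is treated as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]


@dataclass
class Alert:
    client: str
    server: str
    files: list = field(default_factory=list)


def parse(log):
    """Yield (timestamp, client, server, command, argument) for well-formed lines."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_document_exfil(log, threshold=2):
    """Alert when one client uploads >= threshold documents to one external FTP server."""
    uploads = {}
    for _ts, client, server, cmd, arg in parse(log):
        if cmd != "STOR" or not arg.lower().endswith(DOC_EXTS) or not is_external(server):
            continue
        uploads.setdefault((client, server), []).append(arg)
    return [Alert(c, s, f) for (c, s), f in uploads.items() if len(f) >= threshold]
```

Uploads to internal servers and non-document files are ignored, so a normal file share or a photo upload does not trigger the alert; the threshold keeps a single document from firing on its own.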

Zgorski said the OCI infection appears to have occurred shortly before Christmas and was discovered Dec. 27, the first workday after the holiday, and immediately taken offline. The investigation of the incident is continuing.

Alex Cox, principal research analyst at NetWitness, said in a blog posting on the attack that its intent appears to have been espionage and that it appears to have been the work of the same person or people who perpetrated a similar attack in February 2010 that targeted U.S. government agencies in an apparent effort to collect data.

Although the ZeuS variant is fairly common, the second-stage download malware used to gather documents was similar in both cases and unique to these attacks, he said. An analysis of code “fingerprints” and “toolmarks” on the malware produced a 96 percent match, he said.

“This ... makes us think that this is indeed the same operator, who is again after documents pertaining to U.S. government activities,” Cox wrote. “This evidence shows the continuing convergence of cyber-crime and cyber-espionage activities, and how they occasionally mirror or play off one another.”

Still unknown is who that operator is and where the data is ending up.


About the Author

William Jackson is a Maryland-based freelance writer.


Reader Comments

Wed, Jan 12, 2011

For years, we have told our people not to send or accept e-cards (regardless of who they appear to be from). E-cards have been a source of infection almost since they were created. In one ear and out the other.

Thu, Jan 6, 2011 Jeffrey A. Williams

No spies here, just bad decision making from the office of the secretary at the White House. What's even more interesting in this article is that on NSC OCI's website there was no mention of this affecting them or any mention of it at all.

Thu, Jan 6, 2011 r. mullen bisbee, az

I do neither classified work nor hold classified information on the above address, nor on my ugov address. One wonders what criteria were used by the sender to select addressees.
