The Census Bureau missed opportunities to mitigate a critical vulnerability, resulting in the exploitation of its remote-access servers, the agency’s inspector general reported.
In January 2020, hackers took advantage of a publicly available exploit to gain access to Census Bureau remote-access servers and create user accounts, according to an Aug. 16 watchdog report.
The hackers were in the Census system for more than two weeks before being detected, in part because an automated cybersecurity tool was not configured to deliver alerts to incident responders, Census’ inspector general said. Once inside the Census servers, the attackers were blocked by the bureau’s firewalls from communicating back to their own systems. However, the bureau’s server logs may have delivered inaccurate information to security operations personnel, which could have delayed a timely response, the report said.
There were additional delays in communicating with the Cybersecurity and Infrastructure Security Agency, which is the lead agency for federal civilian government networks.
The report indicated that regular vulnerability scans of the remote-access servers were not being conducted as recommended under guidance from the Department of Homeland Security's Continuous Diagnostics and Mitigation program.
No census data was accessed in the exploit, the report stated. The servers were used by bureau employees to access agency production, development and lab networks.
The report found that Census tech personnel missed the chance to reconfigure the servers ahead of the hack. The vendor (which is unnamed in the report) released a mitigation plan three weeks before the attack took place. The timing and some of the details in the report suggest that the vulnerability in question involved the Citrix Application Delivery Controller.
The servers in question were just a year away from their end-of-support date when they were attacked, and OIG auditors found that all of these servers (the number of servers is redacted in the report) were still online in February 2021.
In reply comments, sent under the signature of Ron Jarmin, acting director of the Census Bureau, the agency noted that a patch was not available for the vulnerability right away and that "in mid-January concern escalated when it was discovered that the vulnerability was being actively exploited." At that point, CISA launched an incident response effort, and bureau staff "reacted expeditiously" to CISA's guidance.
Census also noted that "a dependency on Citrix engineers (who were already at capacity supporting customers across the federal government who had realized greater impacts from the January 2020 attack)" slowed the bureau's ability to migrate to newer hardware.
The agency acknowledged in reply comments some weaknesses in its formal incident response and after-action review, but noted that it made "numerous improvements … as a result of informal lessons learned following the January 2020 incident."
This article was first posted to FCW, a sibling site to GCN.