A U.S. government watchdog stole more than a gigabyte of seemingly sensitive personal data from the U.S. Department of the Interior's cloud systems. The good news: The data is fake and was part of a series of tests to see if the department's cloud infrastructure is secure.
The experiment is detailed in a new report released last week by the Interior Department's Office of Inspector General (OIG).
The purpose of the report was to test the security of the Interior Department's cloud infrastructure and its “Data Loss Prevention Solution,” software that protects the department's most sensitive data from malicious hackers. The OIG said in its report that the experiment was conducted from March 2022 to June 2023.
The Department of the Interior manages the country's federal lands, national parks and a multibillion-dollar budget, and hosts vast amounts of data in the cloud.
To test whether the Department of the Interior's cloud infrastructure was secure, the OIG used an online tool called Mockaroo to create fake personal data that “appeared to be useful for the Department of the Interior's security tools,” according to the report.
The OIG team then used virtual machines in the department's cloud environment to imitate “advanced threat actors” within the network, and then used “well-known and widely documented techniques” to steal the data.
“We left the virtual machines intact and did not install any tools, software, or malware that would have made it easier to extract data from the target systems,” the report said.
The OIG said it conducted more than 100 tests a week while monitoring the department's “computer log and incident tracking system” in real time, and none of the tests were detected or prevented by the department's cybersecurity defenses.
The OIG's report states that “our tests were not successful because the department failed to implement security measures that could prevent or detect the well-known and widely used techniques used by malicious actors to steal sensitive data.” The report added: “Over the years that the system has been hosted in the cloud, the department has never conducted the necessary regular testing of system controls to protect sensitive data from unauthorized access.”
That's bad news. Weaknesses in the department’s systems and practices put highly sensitive [personal information] of tens of thousands of federal employees at risk of unauthorized access, the report said. The OIG also acknowledged that while it may be impossible to prevent a “resource-rich adversary” from infiltrating, some improvements could prevent that adversary from exfiltrating sensitive data.
This experimental “data breach” was conducted in an environment controlled by the OIG and was not carried out by sophisticated government hacking groups in China or Russia. This will give the Interior Department an opportunity to improve its systems and defenses in accordance with a series of recommendations set out in the report.
Last year, the Interior Department's OIG built $15,000 worth of custom password-cracking equipment as part of stress testing the passwords of thousands of Interior Department employees.