A six-month security audit of the Department of Veterans Affairs’ network by cybersecurity firm Mandiant found none of the agency’s domain controllers — long thought to have been infiltrated by foreign hackers — show any signs of compromise, FedScoop has learned.
The attack, which didn’t make headlines until 2013, was attributed to state-sponsored hackers from at least eight different countries. Nagging concerns about the possibility that the hackers continued to access VA’s compromised network domain controllers led to an agencywide security effort that lasted more than a year.
VA contracted with Mandiant, the company known for a 2013 report that documented the activities of a massive Chinese government cyber espionage campaign, to conduct a deep-dive analysis of its domain controllers and network boundaries. Mandiant delivered its final report Jan. 10, which concluded that there are “no VA domain controllers with evidence of compromise,” according to a copy of a briefing memorandum signed by VA Chief Information Security Officer Stan Lowe and the executive summary of the report, both of which were obtained by FedScoop.
“During the Compromise Assessment, Mandiant did not identify evidence of compromise of the VA domain controllers by targeted threat actors,” the report states. “The Compromise Assessment also did not identify any evidence of data staging or theft (credentials, PII, PHI, and VA sensitive information).”
According to Mandiant, the company conducted 11 security sweeps and on average covered approximately 96 percent of the 574 VA Domain Controllers. Typical coverage for an environment of this size is 80 percent, the company said.
Scans of VA’s network did, however, find evidence of one system that was “sending a beacon to a malicious domain via a [Domain Name System] call associated with an unknown threat actor that had been previously recognized by Mandiant,” according to the memorandum. “The malicious domain requested by the DNS call had already been blocked by VA’s NSOC as part of its Defense in Depth strategy in response to intelligence received previously. The malicious domain request was never able to complete and therefore no information was ever at risk.”
The system belonged to a VA researcher who plugged an infected system into the network against existing VA security policy, the report states. VA and Mandiant security teams identified the offending system and removed it for forensic analysis. “An investigation has been requested to determine why the VA researcher ignored VA policy and attached a Non-VA computer to the VA Network,” according to the report.
“This assessment provided a thorough third-party validation of VA’s Defense in Depth strategy and its confidence and assertions of the security of VA’s Network,” Lowe said in the memorandum.
The Mandiant contract began July 1, 2014, and ended Dec. 31.
As of May 2014, the 10 most prevalent critical security vulnerabilities at VA involved software patches that had not been applied, according to the Government Accountability Office. In some cases, these patches had been available for almost three years before being deployed. And due to multiple occurrences of each of the 10 missing patches, the total number of vulnerable systems ranged from 9,200 to 286,700, GAO said.