The National Archives reports that officials found malicious files on three of its workstations. The malicious files drew extra scrutiny after a hack to the Office of Personnel Management’s systems compromised the records of millions of federal workers.
Laura Diachenko, a National Archives and Records Administration spokeswoman, said in an email that officials checked the agency’s systems and applications for files that the Department of Homeland Security considered “indicators of compromise,” or IOCs. The workstations found with IOCs were cleaned, she said. DHS published the list of files deemed IOCs after the OPM hack.
“No NARA systems were compromised,” Diachenko said in her email.
She said the agency requested further guidance from the U.S. Computer Emergency Readiness Team on how to deal with the files. She also said that Mandiant, which conducted an independent assessment on the agency’s systems recently, found no evidence of an advanced persistent threat.
“Continued analysis with our monitoring and forensic tools has not detected any activity associated with a hack. This includes alerts from DHS’ Einstein 3A,” she said.
She would not say whether the malware was linked to the same attackers as the OPM breach. Nextgov was the first to report the news.
Tom Gorup, security operations leader of Rook Security, said it’s “certainly possible” that the National Archives and OPM breaches are linked, but an analyst would have to know exactly what IOCs were found on the National Archives servers.
“Without that granular detail, we can only speculate,” he told FedScoop over the phone. He also said that, after an attack, malware could be released on the dark Web and reused by other bad actors.
At the same time, he said it is feasible that malware that infected three workstations did not seep into the rest of the network.
“It’s about how their network infrastructure is laid out,” he said. Organizations “can do a lot of segregation to prevent specific users from accessing more critical assets from different parts of the network.”
Andrea Little Limbago, principal social scientist at cybersecurity company Endgame, while having no direct insight about the possible link between the breaches, said in an email that the National Archives stores information that could be compelling for a hacker.
The National Archives “contains personal information of former high-ranking officials and family members, including presidents. Most of this data is not held at OPM,” she said in an email to FedScoop. “If it turns out that the National Archives was also recently breached, the NARA hack might be a missing puzzle piece for the attackers to compile an even more comprehensive dataset, including that of higher ranking officials.”
She pointed to the 2010 National Archives hack that exposed personally identifiable information of 250,000 Clinton administration staff members and White House guests.
“The OPM breach perpetrators may have hacked NARA as a way to obtain information from an even wider range of government employees and officials,” she speculated.