According to the report published by the US Office of Inspector General (OIG), on January 11, 2020, the servers operated by the US Census Bureau were attacked using a publicly available exploit.
These servers were to provide the Bureau with remote-access capabilities for its enterprise staff to access the production, development, and lab networks.
The Attack On The Servers Operated By the US Census Bureau
The report says the exploit was partially successful, in that the attacker modified user account data on the systems to prepare for remote code execution. Still, the attacker’s attempts to maintain access to the system by creating a backdoor into the affected servers were unsuccessful.
The Census Bureau did not take steps to limit its online system's vulnerability before the attack and did not discover what happened in a timely fashion, the Associated Press reported.
According to the analysis, the bureau’s firewalls prohibited the hackers from maintaining access to the system, but they were still able to make changes, like creating user accounts, while they had access, the watchdog report said.
A probe also found that the agency did not keep proper system logs, which hindered the investigation into the hack, and that none of the information related to the 2020 census was changed during the cyberattack.
“Furthermore, no systems or data maintained and managed by the Census Bureau on behalf of the public were compromised, manipulated, or lost,” said Acting Census Bureau Director Ron Jarmin.
The vulnerability, tracked as CVE-2019-19781, was found by Mikhail Klyuchnikov of Positive Technologies. Proof-of-concept exploits for the vulnerability were published shortly after scans for vulnerable Citrix servers were first observed.
The report states that the US Census Bureau’s servers were compromised immediately after PoC exploits became available in the wild. The Bureau was not able to discover the intrusion until January 28, 2020, more than two weeks later.
“The Bureau was not aware that the servers had been compromised until January 28, 2020, more than 2 weeks later. We found that this delay occurred because, at the time of the incident, the Bureau was not using a security information and event management tool (SIEM) to proactively alert incident responders of suspicious network traffic,” states the report.
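The report faults two gaps: the attacker could create and modify user accounts on the remote-access servers, and no SIEM was in place to raise an alert when that happened, so the intrusion sat unnoticed for more than two weeks. The following is an added example, not code from the OIG report or from the Census Bureau, of the minimal correlation rule a SIEM would apply: parse syslog-style lines, flag account creation or password changes on hosts designated as remote-access gateways, and measure how long such an event waited before anyone looked. The log lines, hostnames (`gw-remote-01`, `build-07`) and timestamps are constructed for the demo.

```python
"""Minimal SIEM-style rule: alert on account changes on remote-access gateways.

Added example; the hosts, log lines and timestamps below are constructed
and do not come from the OIG report.
"""
from dataclasses import dataclass
from datetime import datetime
import re

# Constructed syslog-like lines: "timestamp host process[pid]: message".
# The useradd/usermod message formats mirror what those tools log on Linux.
SAMPLE_LOGS = [
    "2020-01-11T03:14:07Z gw-remote-01 sshd[2201]: Accepted publickey for admin from 10.0.5.12 port 51022",
    "2020-01-11T03:15:41Z gw-remote-01 useradd[2244]: new user: name=svc_update, UID=1002, GID=1002, home=/home/svc_update, shell=/bin/bash",
    "2020-01-11T03:16:02Z gw-remote-01 usermod[2251]: change user 'svc_update' password",
    "2020-01-11T03:16:30Z gw-remote-01 cron[2260]: (root) CMD (run-parts /etc/cron.hourly)",
    "2020-01-11T09:02:11Z build-07 useradd[881]: new user: name=jenkins, UID=1003, GID=1003, home=/var/lib/jenkins, shell=/bin/false",
    "2020-01-12T10:00:00Z gw-remote-02 sshd[3100]: Accepted password for analyst from 10.0.7.4 port 40212",
]

# Hypothetical inventory: the hosts that provide remote access and therefore
# deserve a tighter rule than a build server where new accounts are routine.
GATEWAY_HOSTS = {"gw-remote-01", "gw-remote-02"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^\[]+)\[\d+\]: (?P<msg>.*)$"
)
# Two account-change messages worth alerting on; extend as needed.
ACCOUNT_CHANGE_RE = re.compile(
    r"^(?:new user: name=(?P<new>\w+)|change user '(?P<mod>\w+)' password)"
)


@dataclass
class Alert:
    ts: datetime
    host: str
    user: str
    action: str


def parse_line(line):
    """Split one log line into (timestamp, host, process, message); None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["host"], m["proc"], m["msg"]


def detect_account_changes(lines, gateway_hosts=GATEWAY_HOSTS):
    """Return an Alert for every account creation or password change on a gateway host."""
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, _proc, msg = parsed
        if host not in gateway_hosts:
            continue  # same event on a non-gateway host is logged but not alerted
        m = ACCOUNT_CHANGE_RE.match(msg)
        if not m:
            continue
        if m["new"]:
            alerts.append(Alert(ts, host, m["new"], "account created"))
        else:
            alerts.append(Alert(ts, host, m["mod"], "password changed"))
    return alerts


def detection_delay_days(alerts, discovered_at):
    """Whole days between the earliest alert-worthy event and when a human noticed."""
    if not alerts:
        return 0
    first = min(a.ts for a in alerts)
    return (discovered_at - first).days


if __name__ == "__main__":
    found = detect_account_changes(SAMPLE_LOGS)
    for a in found:
        print(f"{a.ts.isoformat()} {a.host}: {a.action} for user {a.user}")
    # With a SIEM the first line above is raised within seconds; without one the
    # same events waited in the logs until a manual review on a later date.
    print("days before discovery:", detection_delay_days(found, datetime(2020, 1, 28)))
```

The point of the rule is the host allow-list: `useradd` on a build server is noise, but on a remote-access gateway it is exactly the change the report describes, and a SIEM correlating on hostname plus event type would have paged someone on the day rather than two weeks later.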
The investigators say, “The team was consumed with responding to data requests from outside entities, which interfered with holding a lessons-learned session.”
“Furthermore, after reviewing Bureau incident response policies and procedures, we were unable to locate any requirement or guideline prescribing the timeframe in which to hold a lessons-learned session.”