State and local government networks remain highly vulnerable to malicious hacking by nation-states, which was revealed by a newly disclosed attack conducted in 2013 that targeted as many as 75 US airports.
An investigation conducted by federal authorities and the N.Y.-based, non-profit Center for Internet Security uncovered a phishing scam that was successful against two victims working in the aviation industry, CIS said in its annual report released June 19.
The investigation began when federal authorities alerted CIS in summer 2013 that four airports potentially were the targets of an advanced persistent threat. A short time later, the authorities told CIS that eight more airports possibly had been compromised.
An advanced persistent threat occurs when an unauthorized person or group gains access to an organization's network and remains hidden inside that network while pilfering sensitive information for an extended period of time.
CIS, which helps public and private-sector organizations enhance their security readiness, eventually determined through its monitoring efforts that as many as 75 airports in the United States had come under attack.
CIS hosts the Multi-State Information Sharing and Analysis Center. MS-ISAC furnishes comprehensive cybersecurity support for state and local governments, including network monitoring, cyberthreat warnings and advisories, vulnerability identification, mitigation, and incident response.
CIS is the primary entity coordinating cyber security efforts among state and local governments. In the process of pursuing that objective, the organization plays a key role as the liaison between the Homeland Security Department and state and local governments.
Once it received the initial tip from federal authorities, CIS requested network logs from the three previous weeks from each airport for analysis against the threat clues.
By leveraging its security monitoring infrastructure, CIS was able to identify malicious traffic from two states.
CIS's investigation revealed emails containing a phishing scam that had been sent to individuals employed in the aviation industry, CIS said.
As the investigation continued, CIS uncovered a public document available online that appeared to be the source used by the attackers to select the phishing victims. That document listed email addresses for the targeted airports.
The next step CIS took was to issue a request to all entities that had a contact listed in the public document to search their email gateways for email messages that contained indicators.
At the same time, CIS distributed a cyber alert to all state and local governments, as well as the Federal Aviation Administration, Homeland Security Department, and National Cybersecurity and Communications Integration Center, informing each of the threat.
CIS also took the crucial step of contacting a key aviation industry organization and arranging to have the group distribute the cyber alert to all of its members.
The center furnished support and assistance to those entities that were attacked to ensure that all of the compromised systems were remediated.
CIS recorded 48 significant computer security incidents during 2013, which was more than double the number recorded in 2012, the group's annual report said. The majority of those incidents involved advanced persistent threats, ransomware, and webserver vulnerabilities.
NIST's cyber security framework gives critical-infrastructure operators a new tool to assess readiness. But will operators put this voluntary framework to work? Read the Protecting Critical Infrastructure issue of InformationWeek Government today.