USPS Played Cat And Mouse With Cyber Attacker - InformationWeek




Postal Service takes restrained, methodical approach to cyberattack. Was this the right strategy?


When US Postal Service (USPS) officials received word about a major network intrusion earlier this year, one of the first instructions they received was to take no immediate action.

In an effort to prevent the intruders from knowing they had been discovered, the postal service's Office of the Inspector General advised the USPS's corporate information security officer Charles McGann not to initiate any mitigation measures. That included such actions as network scanning, reimaging systems, resetting passwords, taking systems offline, or searching for IP addresses.

Instead, for several weeks investigators from the Postal Service, the US Computer Emergency Readiness Team (US-CERT), and the FBI worked quietly to determine the scope and nature of the intrusion before finally shutting it down almost two months later.

[What should you keep to yourself about a hack? Read NOAA Blames China In Hack, Breaks Disclosure Rules.]

Randy Miskanic, VP of the secure digital solutions group at the postal service, outlined details of the high-stakes cat-and-mouse game to a subcommittee of the House Committee on Oversight and Government Reform this week.

"From the technical perspective, experts within the Postal Service and from supporting agencies provided prudent warnings that short-term remediation efforts would be seriously compromised if the threat actor became aware that the intrusion had been discovered," Miskanic said in written testimony.

"If provided advance warning of network actions intended to expel and block the intruder from the Postal Service network, the adversary could take bolder steps to further infiltrate or sabotage systems," he added. The potential of greater damage or sabotage heavily influenced the postal service's decision to delay notification and public disclosure of the breach.


It's unclear if Miskanic's explanation will help assuage criticism that has been directed at the USPS over its handling of a breach that exposed data on some 800,000 employees and 2.9 million customers. But his testimony provides a glimpse into the struggles that organizations face dealing with an intrusion by a sophisticated adversary.

According to Miskanic, the US Postal Service first learned of a potential intrusion on Sept. 11, after being alerted to it by the Inspector General's office.

Over the next several days, members of the investigative team quietly installed monitoring devices and performed forensic imaging on the four servers that were initially believed to be the only affected systems. They later configured and installed what Miskanic described as the "technical architecture and tools" necessary to understand the full scope of the breach.

That effort revealed another 29 servers and three Postal Service user accounts that had been compromised. Because of the broadening scope of the incident, the Postal Service then decided to seek the help of the US Department of Defense's Cyber Crime Center.

It wasn't until October 7, nearly a month after being first alerted to the intrusion, that investigators found signs that a large encrypted data file had been copied from one of the compromised systems and transferred to an external system.

It took another several days for investigators to determine that the file potentially contained personally identifiable information on all postal service employees, as well as recent retirees. Around this time, the postal service finally decided to bring in private sector experts in intrusion detection and remediation to assist in the effort to shut down the breach.
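The turning point in the timeline above was evidence that a large encrypted file had left a compromised server for an external host. The following is an added example, not USPS tooling or data, of the kind of check that surfaces such a transfer in connection or flow logs: aggregate outbound bytes from internal sources to non-internal destinations and flag any pair that crosses a volume threshold, so a file moved in several chunks still trips the alert. The flow records, the 100 MiB threshold and the address ranges are constructed assumptions for illustration.

```python
"""Flag large outbound transfers to external hosts in flow records.

Added illustration (not from the article or from USPS). The sample flows
below are constructed; the threshold is an assumed starting point.
"""
import ipaddress
from collections import defaultdict

# Constructed sample flow records: timestamp, src, dst, dst_port, bytes_out.
# Two of them are chunks of one large transfer to an external address.
SAMPLE_FLOWS = """\
2014-10-07T02:13:05Z 10.20.4.17 10.20.4.9 445 1842
2014-10-07T02:14:11Z 10.20.4.17 10.20.4.9 445 2210
2014-10-07T02:17:40Z 10.20.4.17 203.0.113.45 443 734003200
2014-10-07T02:18:02Z 10.20.4.17 203.0.113.45 443 52428800
2014-10-07T02:19:50Z 10.20.7.3 198.51.100.8 443 15200
2014-10-07T02:20:01Z 10.20.7.3 10.20.7.250 389 980
"""

# Assumed internal ranges (RFC 1918); a real deployment uses its own allocations.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]


def is_internal(addr):
    """True if addr falls inside one of the internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def find_exfil_candidates(flows, threshold_bytes=100 * 1024 * 1024):
    """Return {(src, dst): total_bytes} for internal->external pairs whose
    summed outbound volume meets the threshold. Summing per pair catches a
    transfer that was split into several connections."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[(f["src"], f["dst"])] += f["bytes"]
    return {pair: n for pair, n in totals.items() if n >= threshold_bytes}


if __name__ == "__main__":
    for (src, dst), n in find_exfil_candidates(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src} -> {dst}: {n / (1024 * 1024):.0f} MiB outbound")
```

A fixed threshold is only a starting point; in practice the per-host outbound baseline is learned first and deviations from it are flagged, and the destination is checked against known-good services before anyone is paged.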

Around mid-October, Postal Service CIO James Cochrane decided to invoke the Mass Data Compromise Response Plan and set up a formal incident response center for coordinating investigation, mitigation, and incident communication activities. Also in mid-October, the FBI's cyber unit provided a Top Secret briefing to command center leadership, again emphasizing the sophisticated nature of the adversary and the need for operational secrecy, Miskanic said.

The FBI also warned that "implementing mitigation activities or communicating the threat to employees or the public at that point could result in the threat being further embedded into the Postal Service network," he said.

On November 7, Cochrane's organization finally activated a remediation plan, developed in conjunction with US-CERT and private firms, to remove the threat.

The operation required a "network brownout" that limited the US Postal Service's Internet connectivity, virtual private network (VPN) connections, and remote network access, Miskanic said. All email from non-postal accounts was blocked and workstation administrator rights were revoked during the brownout. To mitigate the risk of spear-phishing attacks, all access to personal email accounts such as Gmail and Yahoo was also blocked, and continues to be blocked, according to Miskanic.

"Direct database access is now enabled only to technology support staff, and a number of business applications have been retired," he noted, adding that the safeguards will be periodically reviewed and updated if needed.

Without knowing the exact causes, it is difficult to speculate on why the USPS's initial response was to allow the attack to continue, said John Pescatore, director of emerging security trends at the SANS Institute. "In order to be prepared to respond rapidly and effectively to an incident, you need to have some processes and controls in place," he said in an email to InformationWeek.

Pescatore also said organizations need a baseline, a known good state that they can revert to quickly in an emergency. "[It] sounds like some or all of that was missing with USPS, or they were depending on contractor services that couldn't start right away."
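The "known good state" Pescatore describes has to be recorded before an incident to be of any use during one. As an added example, not code from USPS or SANS, the block below builds a file-integrity baseline (path to SHA-256 of contents) for a directory tree, then diffs a later snapshot against it to report files that were added, removed, or modified. The directory contents are constructed in a temporary directory for the demonstration.

```python
"""Record a known-good file baseline and diff a later snapshot against it.

Added illustration (not from the article). Sample files are constructed in
a temporary directory so the block runs offline.
"""
import hashlib
import os
import tempfile


def build_baseline(root):
    """Return {relative_path: sha256_hex} for every regular file under root.
    Paths are normalised to forward slashes so manifests compare across hosts."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest


def diff_baseline(baseline, current):
    """Compare two manifests and classify every difference."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline
                      if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def _write(root, rel, content):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(content)


def demo():
    """Build a baseline, simulate tampering, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed known-good state.
        _write(root, "etc/sshd_config", "PermitRootLogin no\n")
        _write(root, "etc/hosts", "127.0.0.1 localhost\n")
        baseline = build_baseline(root)

        # Constructed post-incident state: a setting flipped, a file gone,
        # and a new scheduled job dropped in.
        _write(root, "etc/sshd_config", "PermitRootLogin yes\n")
        os.remove(os.path.join(root, "etc", "hosts"))
        _write(root, "etc/cron.d/update", "* * * * * root /tmp/.u\n")

        return diff_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The manifest is a plain dictionary, so it can be serialised and stored off the monitored host; a baseline kept only on the system it describes can be edited by the same intruder who edits the files, which is why the reference copy belongs somewhere the compromised host cannot write.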


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

H Kaur
User Rank: Apprentice
11/25/2014 | 10:26:17 AM
Re: USPS no longer offers tracking for International Registered mail...
Common misunderstanding. We are referring to INBOUND registered mail and other service classes shipped TO the USA, that were previously tracked from the time they entered the country until they were delivered to their USA destination. As of November 17, 2014, that service is no longer functioning and appears to have been "retired".

There was an update to the BSN service on November 17, 2014, the exact date the service stopped functioning:

Without the ability to confirm delivery to the USA destination from abroad, small international businesses are taking a tremendous risk shipping to their USA customers. Customers can file an INR (Item Not Received) complaint and be refunded for a product they did in fact receive. Without "Proof of Delivery", eCommerce sites such as Amazon, Newegg, eBay and Etsy, to name a few, will likely take the buyer's side and withdraw the refund directly from the Seller's account.

Small businesses can not afford DHL, which is about the only service offered other than their country's national post system.

Small overseas suppliers and small businesses depend on USA sales to keep them afloat. Approximately 60% of their sales (my guess, nothing official) are to US customers. This can turn into a nightmare for these smaller foreign businesses.
User Rank: Ninja
11/25/2014 | 9:51:38 AM
Re: USPS no longer offers tracking for International Registered mail...
International registered mail was not as comprehensive as the domestic service because of the other postal systems involved. You might be better shipping with FedEx or UPS or another USPS product. I've been doing this for years with ebay sales.
User Rank: Ninja
11/25/2014 | 9:49:55 AM
Smart Steps
An excellent article. Enjoyed reading it. It is good to see the government actually took the right steps to identify, plan and destroy this type of attack. Too often people are tempted to go in and clean up what they see, which is easily restored. These steps allowed law enforcement and IT experts to see how the hackers were functioning and respond in such a way that would destroy the operation. Well done.
H Kaur
User Rank: Apprentice
11/24/2014 | 3:35:42 PM
USPS no longer offers tracking for International Registered mail...
In light of the newly released information in this article, can the author further verify if the sudden suspension of INBOUND International Mail tracking, which began one week ago on November 17, after a system update at USPS, is one of the systems affected in this statement,  "Direct database access is now enabled only to technology support staff, and a number of business applications have been retired..." ?

Sometime after 6:00 PM (EST), on November 17, all tracking for inbound international mail went from the normal blue updates, which may read, "In Transit" or "Origin Post is Preparing Shipment", to an amber ALERT which is now reading, "USPS Tracking is unavailable for this product for (insert any country name)".

There are numerous Twitter posts from @USPShelp that are reading:

"Unfortunately, the USPS no longer offers tracking for International Registered mail."
"Unfortunately the USPS no longer tracks inbound international mail. Sorry."

This is a terrible blow to international sellers abroad and their customers in the USA. To suspend this system right before the busiest time of the year with absolutely no notice to customers is bordering on unforgivable.

Thank you.

