CISA's hit parade of malware aimed at federal agencies


Remote Access Tool exploitation, fileless Trojan malware and cryptocurrency mining software accounted for 90 percent of the observed threat activity against civilian federal systems and networks in May, according to insights pulled from the Department of Homeland Security's Intrusion Detection System.

The system -- also referred to as EINSTEIN -- is run out of the Cybersecurity and Infrastructure Security Agency and is designed to record and analyze network traffic flowing to and from federal agencies in order to identify and mitigate cybersecurity threats.

According to a June 30 CISA post looking at trend data for the month of May, nearly all the network intrusion signatures picked up by the system fall into one of three groups.

The first is actually a legitimate software program – NetSupport's Manager Remote Access Tool – used to give system administrators remote access to employee devices. However, it can also be used in phishing schemes to trick users into downloading the tool, giving malicious actors unauthorized access to their machines. In May, Microsoft's Security Intelligence wing warned the public about a massive phishing campaign that utilized emails leveraging interest in the COVID-19 pandemic and spoofing organizations like the Johns Hopkins Center to entice users to click on links that would install the NetSupport RAT on their computers. Other companies like Palo Alto and Zscaler have identified similar campaigns.

The second group uses a fileless Trojan named Kovter, which started out as ransomware but has since evolved to carry out a number of different attacks, including click-fraud schemes that steal information and beam it back to command-and-control servers. According to 2017 research from TrendMicro, opening attachments from macro-based malicious spam – usually in the form of Microsoft Office files – is among the most common ways users are infected by this malware.

Finally, malware called XMRig that uses an infected device's computing power to mine Monero cryptocurrency was also highlighted as a common attack.

According to a CISA official, the data pulled from EINSTEIN does include instances where federal devices or systems were infected.

"Malware detection signatures vary in what they are looking for and range from detecting outbound activity, meaning malware contained on an agency device is being detected beaconing back to the threat actor, to other signatures that detect traffic before it makes its way to the targeted device," a spokesperson for the agency told FCW through email. "When we become aware of an agency affected by malware, regardless of the type, we notify that agency and provide mitigation support."

Cryptocurrency malware "is prevalent in all networks, whether public or private," the spokesperson said, and CISA works with network defenders on a regular basis to better understand and manage the risk.

About the Author

Derek B. Johnson is a former senior staff writer at FCW.
