CISA's hit parade of malware aimed at federal agencies


Remote Access Tool exploitation, fileless Trojan malware and cryptocurrency mining software accounted for 90 percent of the observed threat activity against civilian federal systems and networks in May, according to insights pulled from the Department of Homeland Security's Intrusion Detection System.

The system -- also referred to as EINSTEIN -- is run out of the Cybersecurity and Infrastructure Security Agency and is designed to record and analyze network traffic flowing to and from federal agencies in order to identify and mitigate cybersecurity threats.

According to a June 30 CISA post looking at trend data for the month of May, nearly all the network intrusion signatures picked up by the system fall into one of three groups.

The first is actually a legitimate software program – NetSupport's Manager Remote Access Tool – used to give system administrators remote access to employee devices. However, it can also be used in phishing schemes to trick users into downloading the tool, giving malicious actors unauthorized access to their machines. In May, Microsoft's Security Intelligence wing warned the public about a massive phishing campaign that utilized emails leveraging interest in the COVID-19 pandemic and spoofing organizations like the Johns Hopkins Center to entice users to click on links that would install the NetSupport RAT on their computers. Other companies like Palo Alto and Zscaler have identified similar campaigns.

The second most common attacks use a fileless Trojan named Kovter, which started out as ransomware but has since evolved to carry out a number of different attacks, including click-fraud schemes that steal information and beam it back to command-and-control servers. According to 2017 research from TrendMicro, opening attachments from macro-based malicious spam – usually Microsoft Office files – is among the most common ways users are infected by this malware.

Finally, malware called XMRig that uses an infected device's computing power to mine Monero cryptocurrency was also highlighted as a common attack.

According to a CISA official, the data pulled from EINSTEIN does include instances where federal devices or systems were infected.

"Malware detection signatures vary in what they are looking for and range from detecting outbound activity, meaning malware contained on an agency device is being detected beaconing back to the threat actor, to other signatures that detect traffic before it makes its way to the targeted device," a spokesperson for the agency told FCW through email. "When we become aware of an agency affected by malware, regardless of the type, we notify that agency and provide mitigation support."

Cryptocurrency malware "is prevalent in all networks, whether public or private" the spokesperson said, and CISA works with network defenders on a regular basis to better understand and manage the risk.

About the Author

Derek B. Johnson is a former senior staff writer at FCW.
