A watchdog report indicates that aging remote-access servers at the Census Bureau were successfully targeted by hackers in early 2020 using a known vulnerability, and while no data was stolen, the incident revealed flaws in the bureau's cybersecurity response.
Hackers targeted remote-access servers at the Census Bureau in January 2020, using a publicly available exploit for a known vulnerability to gain access to government systems and create user accounts, according to a watchdog report released this week.
The Inspector General at the Department of Commerce reported that the hackers were inside the Census system for more than two weeks before being detected, in part because an automated cybersecurity tool was not configured to deliver its alerts to incident responders. The bureau's firewalls blocked the attackers from establishing outbound communication from the Census servers back to their own infrastructure. However, the bureau's server logs may have given security operations personnel inaccurate information, which could have delayed a timely response, according to the report.
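The detection gap the report describes has two halves: a rule that fires on attacker behaviour (here, unexpected local-account creation on a remote-access gateway) and an alert path that actually reaches a responder. The script below is an added example and not code from the report, the Census Bureau or any vendor; the syslog-style line format, the sample log lines, the internal admin network 10.0.0.0/8 and the 08:00-18:00 UTC change window are all constructed for illustration. It flags account creations that fall outside the window or come from a non-admin address, and its dispatch step returns zero when no alert sink is configured, so a health check can catch the "alerts generated but nobody told" condition instead of letting it pass silently.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Iterable, List, Optional

# Hypothetical syslog-style line for a local account being created on a
# remote-access gateway. Constructed for this example; it is not the Census
# Bureau's log format or any vendor's.
CREATE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user '(?P<user>[^']+)' created by "
    r"'(?P<actor>[^']+)' from (?P<src>[0-9.]+)$"
)

# Constructed sample log lines (not real traffic). Two creations come from an
# outside address in the middle of the night; one is a routine daytime add
# from the internal admin network. Non-creation lines are ignored.
SAMPLE_LOG = """\
2020-01-11T03:14:07Z gw01 auth: user 'svc_backup' created by 'sysadmin' from 203.0.113.5
2020-01-11T03:14:09Z gw01 auth: user 'svc_backup' added to group 'admins'
2020-01-13T10:30:00Z gw01 auth: user 'newhire' created by 'j.smith' from 10.20.30.40
2020-01-13T14:02:41Z gw01 auth: login ok user 'j.doe' from 198.51.100.7
2020-01-14T02:55:12Z gw02 auth: user 'tmpadm' created by 'sysadmin' from 203.0.113.5
"""

# Assumed policy values (hypothetical): admin changes come from the internal
# management network during an 08:00-18:00 UTC change window.
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
CHANGE_WINDOW_UTC = (8, 18)


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    actor: str
    src: str
    reasons: tuple


def parse_creations(lines: Iterable[str]):
    """Yield only account-creation events; other auth lines are skipped."""
    for line in lines:
        m = CREATE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def evaluate(event: dict) -> List[str]:
    """Return the policy violations for one creation event (empty if none)."""
    reasons = []
    ts = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
    if not CHANGE_WINDOW_UTC[0] <= ts.hour < CHANGE_WINDOW_UTC[1]:
        reasons.append("outside change window")
    src = ipaddress.ip_address(event["src"])
    if not any(src in net for net in ALLOWED_NETS):
        reasons.append("source not in admin allow-list")
    return reasons


def detect(log_text: str) -> List[Alert]:
    """Run every creation event through the policy and collect the hits."""
    alerts = []
    for ev in parse_creations(log_text.splitlines()):
        reasons = evaluate(ev)
        if reasons:
            alerts.append(Alert(ev["host"], ev["user"], ev["actor"], ev["src"], tuple(reasons)))
    return alerts


def dispatch(alerts: List[Alert], sink: Optional[Callable[[Alert], None]]) -> int:
    """Deliver alerts to the configured sink and return how many were delivered.

    A detection with no sink is the failure mode in the report: the tool
    fires, but nobody is told. Returning 0 instead of silently succeeding
    lets a health check flag the misconfiguration.
    """
    if sink is None:
        return 0
    for alert in alerts:
        sink(alert)
    return len(alerts)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    delivered = dispatch(found, sink=lambda a: print("ALERT", a))
    print(f"{len(found)} suspicious account creations, {delivered} delivered")
```

In a real deployment the sink would be a ticketing or paging integration, and the health check would assert that `dispatch` delivers at least as many alerts as `detect` produced; a persistent zero with non-empty detections is exactly the condition the Inspector General found.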
There were additional delays in communicating with the Cybersecurity and Infrastructure Security Agency, which is the lead agency for federal civilian government networks.
The report indicated that regular vulnerability scans of the remote-access servers were not being conducted as recommended under guidance from the Department of Homeland Security's Continuous Diagnostics and Mitigation program.
No census data was accessed in the exploit, the report states. The servers were used by bureau employees to access agency production, development and lab networks.
The report found that Census tech personnel missed the chance to reconfigure the servers ahead of the hack: the vendor, which the report does not name, released mitigation guidance three weeks before the intrusion took place. The timing and some of the details in the report suggest that the vulnerability in question involved the Citrix Application Delivery Controller.
The servers in question were just a year away from their end-of-support date when the hack took place, and OIG auditors found that all of these servers (the number of servers is redacted in the report) were still online in February 2021.
In reply comments, sent under the signature of Ron Jarmin, acting director of the Census, the agency noted that a patch was not available for the vulnerability right away and that "in mid-January concern escalated when it was discovered that the vulnerability was being actively exploited." At that point, CISA launched an incident response effort, and bureau staff "reacted expeditiously" to CISA's guidance.
Census also noted that "a dependency on Citrix engineers (who were already at capacity supporting customers across the federal government who had realized greater impacts from the January 2020 attack)" slowed the bureau's ability to migrate to newer hardware.
The agency acknowledged in reply comments some weaknesses in its formal incident response and after-action review, but noted that it made "numerous improvements … as a result of informal lessons learned following the January 2020 incident."