A US government watchdog stole more than a gigabyte of apparently sensitive personal data from the US Department of the Interior's cloud systems. The good news: The data was fake and part of a series of tests to see if the Department's cloud infrastructure was secure.
The experiment is detailed in a new report from the Department of the Interior's Office of Inspector General (OIG), published last week.
The goal of the report was to test the security of the Interior Department's cloud infrastructure as well as its “data loss prevention solution,” software that is supposed to protect the department's most sensitive data from malicious hackers. The tests were conducted between March 2022 and June 2023, the OIG wrote in the report.
The Department of the Interior manages the country's federal lands, national parks, and a multibillion-dollar budget, and hosts a significant amount of data in the cloud.
According to the report, to check whether the Interior Department's cloud infrastructure was secure, the OIG used an online tool called simulacrum to create false personal data that “appeared valid to the Department's security tools.”
The OIG team then used a virtual machine within the Department's cloud environment to mimic “a sophisticated threat actor” within its network, and subsequently used “well-known and widely documented techniques to exfiltrate data.”
“We used the virtual machine as is and did not install any tools, software or malware that would facilitate the extraction of data from the system in question,” the report reads.
The OIG said it conducted more than 100 tests in one week, monitoring the government department's “computer logs and incident tracking systems in real time,” and none of its tests were detected or prevented by the department's cybersecurity defenses.
“Our tests were successful because the Department did not implement security measures capable of preventing or detecting well-known and widely used techniques by malicious actors to steal sensitive data,” the OIG report says. “In the years that the system has been hosted in a cloud, the Department has never performed the required periodic testing of system controls to protect sensitive data from unauthorized access.”
That's the bad news: Weaknesses in the Department's systems and practices “put the sensitive (personal information) of tens of thousands of federal employees at risk of unauthorized access,” the report reads. The OIG also admitted that it may be impossible to prevent “a well-resourced adversary” from getting in, but with some improvements, it may be possible to prevent that adversary from exfiltrating sensitive data.
This “data breach” test was conducted in an environment controlled by the OIG, and not by a sophisticated government hacking group from China or Russia. This gives the Department of the Interior the opportunity to improve its systems and defenses, following a series of recommendations listed in the report.
Last year, the Interior Department's OIG built a custom $15,000 password cracking platform as part of an effort to test the passwords of thousands of department employees.