A government watchdog hacked a US federal agency to stress-test its cloud security

Lorenzo Franceschi-Bicchierai
Updated ·3 min read
1

A U.S. government watchdog stole more than 1GB of seemingly sensitive personal data from the cloud systems of the U.S. Department of the Interior. The good news: The data was fake and part of a series of tests to check whether the Department’s cloud infrastructure was secure.

The experiment is detailed in a new report by the Department of the Interior’s Office of the Inspector General (OIG), published last week.

The goal of the report was to test the security of the Department of the Interior’s cloud infrastructure, as well as its “data loss prevention solution,” software that is supposed to protect the department's most sensitive data from malicious hackers. The tests were conducted between March 2022 and June 2023, the OIG wrote in the report.

The Department of the Interior manages the country’s federal land, national parks and a budget of billions of dollars, and hosts a significant amount of data in the cloud.

According to the report, in order to test whether the Department of the Interior’s cloud infrastructure was secure, the OIG used an online tool called Mockaroo to create fake personal data that “would appear valid to the Department’s security tools.”

The OIG team then used a virtual machine inside the Department’s cloud environment to imitate “a sophisticated threat actor” inside of its network, and subsequently used “well-known and widely documented techniques to exfiltrate data.”

“We used the virtual machine as-is and did not install any tools, software, or malware that would make it easier to exfiltrate data from the subject system,” the report read.

The OIG said it conducted more than 100 tests in a week, monitoring the government department’s “computer logs and incident tracking systems in real time,” and none of its tests were detected nor prevented by the department’s cybersecurity defenses.

“Our tests succeeded because the Department failed to implement security measures capable of either preventing or detecting well-known and widely used techniques employed by malicious actors to steal sensitive data,” said the OIG's report. “In the years that the system has been hosted in a cloud, the Department has never conducted regular required tests of the system’s controls for protecting sensitive data from unauthorized access.”

That’s the bad news: The weaknesses in the Department’s systems and practices “put sensitive [personal information] for tens of thousands of Federal employees at risk of unauthorized access,” read the report. The OIG also admitted that it may be impossible to stop “a well-resourced adversary” from breaking in, but with some improvements, it may be possible to stop that adversary from exfiltrating the sensitive data.

This test "data breach" was done in a controlled environment by the OIG, and not by a sophisticated government hacking group from China or Russia. This gives the Department of the Interior a chance to improve its systems and defenses, following a series of recommendations listed in the report.

Last year, the Department of the Interior’s OIG built a custom password cracking rig worth $15,000 as part of an effort to stress-test the passwords of thousands of the department's employees.