Credentials and email messages pilfered in a breach of a federal government contractor that could be used to access the contractor’s systems and those of its customers – including the U.S. Department of Transportation, the National Institutes of Health (NIH), and U.S. Citizenship and Immigration Services (USCIS) – were auctioned off on a Russian cybercrime site in August, prompting an investigation by the U.S. Secret Service.
The information is “all old stuff in our own internal test environment, and it is no longer valid,” a KrebsOnSecurity report cited Miracle Systems LLC CEO Sandesh Sharda as saying. The company claims to be a prime contractor to more than 20 federal agencies.
The same report noted that, according to the security firm Hold Security, which found the data for sale, multiple systems at the contractor had been compromised three times by Emotet malware between November 2018 and July 2019.
The Federal Information Security Management Act (FISMA) of 2002 requires agencies to manage their own security and privacy controls, and FAR clause 52.204-21 (2016) requires them to make sure their contractors meet 15 basic safeguarding controls. “But how can a government agency efficiently test its suppliers’ information security?” said Dov Goldman, director of risk and compliance at Panorays. “What’s more, how can they manage many more subcontractors’ InfoSec?”
While “private companies with mature third-party information security programs are increasingly aware of the need to manage security deep in their supply chain,” smaller, more innovative providers often “have less sophisticated infosec programs,” Goldman said, noting the vast sprawl of federal government contracting. “Because there are so many smaller players as you dive deeper into the supply chain, it becomes more and more important to implement highly automated approaches to assess suppliers’ InfoSec controls and the integrity of their attack surface.”
The breach at Miracle Systems “seems to have caused no harm,” but should still “serve as a wake-up call for U.S. federal government agencies to find the most innovative, effective and automated solutions for assessing, managing and monitoring supply chain security.”