The list of compromised sites includes 49 US House member and three House committee websites. Praetorian Security Group believes that the hackers may have gained access through the content management system of third-party vendor GovTrends, although it cannot confirm this until more information is made available. It appears, however, that all the hacked websites are maintained through GovTrends’ Joomla CMS, but not all House websites managed through this service were victims of the attack.
The Red Eye Crew, believed to be based in Brazil, has been responsible for thousands of website attacks over recent years, including numerous attacks on Brazilian government websites and a hack of at least one US educational institution. Praetorian also noted in its company blog that US House websites managed by GovTrends were victims of a previous hack this past August in which 18 different House member websites were compromised.
This past Thursday, House Speaker Nancy Pelosi and House minority leader John Boehner sent a letter to Daniel Beard, the House Chief Administrative Officer, requesting an immediate review of the incident. The letter commended the office’s previous efforts to secure House-related websites, but cited last week’s attacks as evidence that an “immediate and comprehensive assessment” was needed to determine how the hackers were able to execute the attacks, and to ensure firewall security going forward.
The joint letter went on to question the role played by vendor GovTrends, an Arlington, Va.-based third-party website manager whose sites were the common thread in the attack. While only a few dozen of the hundreds of House websites were hacked, all of the compromised sites were managed by GovTrends. Pelosi and Boehner subsequently asked for a review of whether GovTrends and other vendors are maintaining security standards as per their contracts.
Jeff Ventura, director of communications for the CAO, said that he did not have any additional details on the hacking incident, at least for the moment. “Our after-action report says that our systems engineers have identified a vulnerability that happened during some upgrades”, he told Infosecurity. Ventura expects a more detailed statement on the particulars of the attack to come very soon. “We want to brief the committee on House Administration first before releasing the details of the incident”, he added.
In response to the joint letter and its request to review the contractual obligations and security procedures of GovTrends, Ventura said that his office and systems engineers are currently discussing recommendations. “This will all be in play”, he said, “but details will not be made public until the Speaker is informed”.
GovTrends has yet to return inquiries for comment, but it has posted a response to the incident on its website. The statement indicates that affected sites have been removed from the compromised server and that “any vulnerabilities on the hacked server were repaired and fortified with security in order to prevent future potential issues.”