US meteorological agency the National Oceanic and Atmospheric Administration (NOAA) has come under fire this week after allegations that it first covered up and then failed to notify the proper authorities about a cyber intrusion that occurred in late September.
Three people “familiar with the hack” told the Washington Post that the agency, which runs the National Weather Service, stayed silent about the incident for almost a month.
It finally indicated it had a problem on 20 October but even then didn’t admit its systems may have been breached, the report asserts.
The NOAA even went as far as to claim that “unscheduled maintenance” on its network last month was to blame for the unavailability of satellite images.
The National Ice Center website was also down for a week in late October, although it’s not been confirmed whether this was connected to the hack.
Commerce Department inspector general Todd Zinser told the paper that his office was not told of the breach until 4 November, despite a rule which states that any incidents must be reported within two days of being discovered.
“We’re in the process of looking into the matter, including why NOAA did not comply with the requirements to notify law enforcement about the incident,” he’s quoted as saying.
The NOAA finally released a statement on the matter on Wednesday during which spokesman Scott Smullen is said to have admitted a cyber incursion took place and that four sites were affected.
But he apparently maintained that “incident response began immediately” and would not answer more questions because of an ongoing investigation.
Republican Representative Frank Wolf told the paper that the NOAA revealed to him that the attack had originated from China.
It’s not clear whether the hackers were after sensitive data or planned to disrupt or infect systems with malware.
The NOAA’s satellite data and systems generate advanced weather forecasts for civilian and military use and feed into centers in Canada and Europe, which were apparently disrupted by last month’s outage.
F-Secure security advisor, Sean Sullivan, told Infosecurity by email that if the attacks did come from China, they could have been the result of an overzealous amateur.
“The US and China have just agreed on climate goals — perhaps some Chinese citizen hacked into the weather systems looking for a bit of climate conspiracy,” he argued.
“China discovers IT talent from university computing clubs. The PLA provides competition money and the students then go hacking. This helps the PLA locate potential new recruits and/or identifies people to keep an eye on in case they turn on the state. When you develop talent that way, you’re likely to get a few wild cards in the deck.”
It’s worth mentioning that the NOAA’s security controls were singled out for criticism in a report from the Commerce Department’s Office of Inspector General in July.
It found that “critical security controls remain unimplemented” in the information systems of the agency’s National Environmental Satellite, Data, and Information Service (NESDIS).
It also criticized “NESDIS' inconsistent implementation of mobile device protections” which it said could lead to an increased chance of malware infection, and warned that “improvements are needed to provide assurance that independent security control assessments are sufficiently rigorous.”