Nation-state hackers attempted to use Equifax vulnerability against DoD, NSA official says

An NSA official says 24 hours after Equifax's breach was made public, a nation-state was scanning DoD for unpatched Apache Struts instances.

A government-backed hacking group tried to breach the Department of Defense via the exact same software vulnerability that was used to breach Equifax, an official with the National Security Agency said Tuesday during a speech at the 2018 RSA conference.

“The vulnerability that took down Equifax last year when it was released in March, we had a nation-state actor within 24 hours scanning looking for unpatched servers within the DoD,” said David Hogue, a senior technical director for the NSA’s Cybersecurity Threat Operations Center (NCTOC).

The malicious activity caught by NSA shows how most attackers, regardless of skill or available resources, will first rely on simplistic and easily accessible methods to compromise their victims. In this case, the attackers relied on a known vulnerability in the Apache Struts software framework to target the DoD.

Hogue said that most data breach incidents analyzed by his team are caused by phishing emails or unpatched vulnerable systems. Failing to patch the flaw in Apache Struts, despite the patch having been available for months, allowed attackers to siphon millions of data points housed by Equifax.


Basic cyber hygiene, Hogue explained, could prevent a majority of these cases. It is the NSA’s mission to protect sensitive Pentagon computer networks, including U.S. Army computers located in warzones like Afghanistan.

“Within 24 hours I would say of whenever an exploit or vulnerability is released, it is weaponized and used against us,” said Hogue.

Hogue also said the use of “zero-day” vulnerabilities to breach systems appears to be increasingly rare, based on his own work.

“At NSA we have not responded to an intrusion response that’s used a zero-day vulnerability in over 24 months,” Hogue said. “The majority of incidents we see are a result of hardware and software updates that are not applying.”

A Ponemon Institute survey published earlier this year noted that 53 percent of polled cybersecurity experts said the time between a patch's release and a related cyberattack had decreased by an average of 29 percent over the last two years. In addition, the study found that 57 percent of respondents admitted to being breached because of a vulnerability for which a patch was already available.


Another 2018 study by cybersecurity firm Mimecast found that “94 percent of respondents had seen an increase in phishing attacks, and 92 percent had seen an increase in targeted spear phishing attacks with malicious links.”


Written by Chris Bing

Christopher J. Bing is a cybersecurity reporter for CyberScoop. He has written about security, technology and policy for the American City Business Journals, DC Inno, International Policy Digest and The Daily Caller. Chris became interested in journalism as a result of growing up in Venezuela and watching the country shift from a democracy to a dictatorship between 1991 and 2009. Chris is an alumnus of St. Mary's College of Maryland, a small liberal arts school based in Southern Maryland. He's a fan of Premier League football, authentic Laotian food and his dog, Sam.
