Hacked government contractor shares breach details as investigation continues
The president of a hacked U.S. government contractor says a recent breach has cost his company $500,000 to $1 million in what he deemed a “learning experience” that should be shared with other organizations to raise their network defenses.
“It could happen to anyone,” Sandesh Sharda, president of Arlington, Virginia-based Miracle Systems, told CyberScoop. “We keep hearing about all these hacks all the time, whether it’s Baltimore, whether it’s Texas, whether it’s Capital One, commercial or government. This is not going to go away … How we prepare our industry for these kinds of hacks is [what’s] most important.”
It’s been a month since Miracle Systems, which provides IT, engineering and other services to more than 20 federal agencies, learned that its internal server had been breached. On at least one cybercriminal forum, a hacker or hackers have advertised access to internal company data, as journalist Brian Krebs reported.
Sharda downplayed the breach, saying the access the hacker boasted about consisted of a handful of outdated IP addresses that the company was using for testing purposes. No federal data was exposed, he said, because the company does all of its contracting on site with agencies and not on the corporate network that was compromised.
CyberScoop could not independently confirm that only obsolete data from Miracle Systems was exposed in the breach. The Secret Service is still investigating the incident, according to Sharda. A Secret Service spokesperson declined to confirm or deny an investigation, per its policy.
“We do not have any in-house projects that require government access,” said Sharda, adding that he spoke to CyberScoop in order to share preliminary lessons learned from the breach with other organizations. “We want to see that this doesn’t happen to any other small business … or any other business for that matter.”
Private-sector investigators say the account advertising Miracle Systems credentials on the criminal forum claims to have sold that access. Asked about the sale, Sharda reiterated that the attacker was offering obsolete data.
The same account that was advertising access to Miracle Systems data has been active since January 2011, according to Harrison Van Riper, a research analyst at Digital Shadows.
The person or people behind the account have claimed other victims, including hotels in Dubai and a health-care-sector organization in Louisiana, according to Van Riper and other researchers with visibility into the forum. That, analysts say, is indicative of the broad-brush approach some cybercriminals take, hitting targets across multiple sectors rather than specializing in one.
What is clear is that the breach has forced Miracle Systems, which Sharda founded in 2003, to reexamine its security practices and double down on training for employees. Sharda suspects the hacker broke into the server via a phishing email sent to one of its employees — despite regular warnings the company sends its personnel about malicious emails.
“People are people,” Sharda told CyberScoop. “Even though we have various preventive briefings not to click any of the links, not to click any discounted coupons or business offers, people do sometimes click those.”
After learning of the breach, the company shut off communication to the infected server and took its systems offline for four to five days, according to Sharda. It ran scans of its network and hired a cybersecurity forensics firm, which he declined to name, to investigate the breach.
The cost for those several days of downtime, new security software, and spinning up a new server amounts to between $500,000 and $1 million, Sharda estimated.
Sharda said the attacker had been evicted from his company’s network, citing investigators, but declined to elaborate.
Jeff Stone contributed reporting.