The Congressional websites of 19 House Democrats were knocked offline in an incident that the technology firm managing the sites believes is linked to last week's sit-in calling for a vote on gun control legislation.
The websites of House members Reps. Earl Blumenauer, John Carney, Rosa DeLauro, Lloyd Doggett, Tammy Duckworth, Donna Edwards, Elizabeth Esty, Sam Farr, Tulsi Gabbard, Alan Grayson, Marcy Kaptur, William Keating, John Larson, Jim McDermott, Richard Neal, Ed Perlmutter, Jackie Speier, Bennie Thompson, and Filemon Vela were knocked offline last Friday.
With the exception of Rep. Perlmutter's website, all of the websites were managed by DCS Congressional, a technology contractor founded by political insider Gerry Kavanaugh, a former Chief of Staff to Sen. Ted Kennedy.
Scott Ferson, president of the communications firm representing DCS, stated that an attacker uploaded a web shell to a House website on Thursday. “Other than the timing we have no evidence to date that it was targeted and planned, but it is an odd coincidence at this point,” he wrote in an email to SCMagazine.com.
Last month, the House IT team temporarily banned the use of software apps residing on a Google cloud service, in order to prevent this kind of attack.
Data contained on the House network would be an attractive target to state actors or state-backed groups, Nathan Leamer, a policy analyst at Washington, D.C.-based think tank R Street Institute, told SCMagazine.com. He noted that it “might be politically motivated” to draw a connection between the House websites incident and the sit-in last week.
The attack follows a series of breached political targets that have been attributed to state-sponsored actors. Last week, two cybersecurity firms linked the Democratic National Committee (DNC) breach to the Cozy Bear and Fancy Bear APT groups, which are both believed to have ties to Russian intelligence. Russian hackers are also believed to have breached the Bill, Hillary and Chelsea Clinton Foundation.
It's unlikely that a foreign intelligence agency would use a webshell, John Bambenek, senior threat researcher at Fidelis Cybersecurity, told SCMagazine.com. Rather, the numerous vulnerabilities affecting Joomla could provide an easy target for a politically motivated hacktivist. Only “an exceptional event” would motivate an intelligence agency to use the technique, he said. “If I were the NSA, I would take notice, but I wouldn't sound the alarm yet.”
The incident has attracted the attention of the House Homeland Security committee. “Cyber threats are rapidly evolving in their sophistication and intensity,” wrote House Homeland Security cybersecurity subcommittee chairman Rep. John Ratcliffe (R-Texas) in an email to SCMagazine.com. “It's critical that we continue to be vigilant against the threats posed by our cyber adversaries as no one is immune to their potential damage.”
The attack highlights the need for Congress to gain a stronger overall security posture – including considering whether lawmakers follow industry best practices – before trying to pass cybersecurity policies that the industry opposes. “Congress has a ‘Do as I say, not as I do’ mentality,” said Leamer.
Indeed, the attack raises concerns over the security of Americans' personal information contained in databases and emails that are stored on House servers. “There's a lot of personal information in there, including name, age, location, social security numbers,” Leamer said. “They should be looking at how to keep that secure.”