Written By Michael Steward And Presented By Chuck Leaver CEO Ziften
Internal Revenue Service Attackers Make Early Returns Because of Previous External Attacks
The Internal Revenue Service breach was the most unique cyber attack of 2015. Timeless attacks today include phishing emails aimed to obtain initial access to target systems where lateral motion is then performed until data exfiltration takes place. But the Internal Revenue Service hack was various – much of the data required to execute it was already acquired. In this case, all the hackers had to do was walk in the front door and submit the returns. How could this happen? Here’s what we know:
The IRS site has a “Get Transcript” function for users to obtain previous tax return information. As long as the requester can offer the right details, the system will return previous and present W2’s and old tax returns, etc. With anyone’s SSN, Date of Birth and submitting status, the hackers could start the retrieval process of previous filing year’s details. The system also had a Knowledge Based Authentication (KBA) system, which asked questions based on the requested users credit history.
KBA isn’t fool proof, however. The questions it asks can often times be predicted based on other information already learned the user. The system asks questions such as “Which of the following streets have you resided on?” or “Which of the following automobiles have you owned?”
After the dust settled, it’s estimated that the attackers attempted to gather 660,000 transcripts of past tax payer info via Get Transcript, where they succeeded in 334,000 of those efforts. The unsuccessful attempts appear to have gotten as far as the KBA questions where the hackers failed to provide the correct answers. It’s approximated that the attackers got away with over $50 million dollars. So, how did the hackers do it?
Security analysts think that the opponents utilized info from previous attacks such as SSNs, DOBs, addresses and filing statuses to attempt to obtain prior tax return details on its target victims. If they succeeded and addressed the KBA questions correctly, they submitted a claim for the 2015 calendar year, often times increasing the withholdings quantity on the income tax return form to obtain a larger return. As mentioned previously not all efforts achieved success, but over 50% of the attempts resulted in significant losses for the IRS.
Detection and response systems like Ziften are focused on recognizing when there are jeopardized endpoints (for example through phishing attacks). We do this by supplying real-time visibility of Indicators of Compromise (IoC’s). If the theories are correct and the attackers used information gleaned from previous attacks beyond the Internal Revenue Service, the jeopardized companies could have benefited from the visibility Ziften supplies and alleviated against mass-data exfiltration. Eventually, the IRS seems to be the vehicle – instead of preliminary victim – of these cyber attacks.