In the latest cybersecurity breach, the Defense Contract Management Agency (DCMA), responsible for administrating contracts on behalf of the Department of Defense (DoD), has taken several of its servers offline in response to a potential cybersecurity incident. According to Krebsonsecurity, a Cyber Protection strike team from the DoD is now working closely with the DCMA to elevate its security posture following the incident.
“So far, no DCMA, DoD or Defense Industrial Base data nor any personal identification information has been breached (…) DCMA’s website has been intentionally taken offline while the team investigates the activity,” the spokesperson says. “All other network operations have proceeded as normal (…)”
David Wray, DCMA Spokesman
The two week long “Corrective Action” message found on the home page of the DMCA.
According to an unidentified source in the DCMA, the agency has been having “major system issues, including a number of internal systems.” This incident adds to the string of cyber attacks on US Government systems from the U.S. Central Command’s Twitter and YouTube accounts, the United States Postal Service data breach, the National Oceanic and Atmospheric Administration website compromise, and the White House’s unclassified network breach.
What was the attack vector?
DCMA employees leverage resources for telework to review federal contracts between external companies and the DoD. At CyberSheath, we have seen a number of successful cyber attacks leverage these third party relationships and integrations to gain access to the internal trusted network of a partner. This methodology also follows the trends of recent attacks against the US Government. Albeit, this is only speculation as we do not have enough information to analyze who and how the attackers breached DCMA.
What was the motivation?
It is highly likely that hackers targeted DCMA in an effort to obtain intel on the entities that hold specific contracts for the DoD so that they may target those entities and breach more sensitive networks. Alternatively the groups responsible may be trying to release confidential information to the public to embarrass the US Government. In either case, this attack may set the stage for a greater incident in the coming weeks.