Charles Leaver – Did The IRS Hack Begin With Compromised Endpoints?

Written By Michael Steward And Presented By Charles Leaver CEO Ziften

Internal Revenue Service Hackers Make Early Returns Because of Previous External Attacks

The IRS breach was the most distinctive cyber attack of 2015. A typical attack today starts with a phishing email to gain initial access to the target's systems, followed by lateral movement until data is exfiltrated. The IRS hack was different: much of the data needed to carry it out had already been stolen elsewhere. All the attackers had to do was walk in the front door and file the returns. How could this happen? Here is what we know:

The Internal Revenue Service website has a “Get Transcript” function that lets users retrieve prior tax return information. As long as the requester can supply the correct details, the system returns past and current W-2s, old tax returns and so on. With a person's SSN, date of birth and filing status, the attackers could begin retrieving that person's prior filing-year details. The system also had a Knowledge Based Authentication (KBA) step, which asked questions drawn from the credit history of the taxpayer whose transcript was requested.

KBA is not foolproof, though. The questions can often be answered from other information already known about the target. The system asks questions such as “Which of the following streets have you lived on?” or “Which of the following vehicles have you owned?”, and anyone holding the target's address history or similar personal records has a good chance of getting them right.

After the dust settled, it was estimated that the attackers attempted to pull 660,000 transcripts of past taxpayer information through Get Transcript and succeeded in 334,000 of those attempts. The unsuccessful attempts appear to have gotten as far as the KBA questions, where the attackers could not supply the correct answers. The attackers are estimated to have made off with over $50 million. So, how did they do it?

Security researchers theorize that the attackers used information from previous breaches, such as SSNs, dates of birth, addresses and filing statuses, to request prior-year tax return information on their target victims. Where they got through and answered the KBA questions correctly, they filed a fraudulent return in the 2015 filing season, often inflating the withholding amount on the return to obtain a larger refund. As noted above, not every attempt succeeded, but more than half of them did, resulting in significant losses for the IRS.
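To make the attack pattern described above concrete, here is an added example, not part of the original post or of any IRS or Ziften code, of the kind of abuse detection a service operating a KBA-protected lookup like Get Transcript could run over its own access logs. It aggregates requests per source address and flags sources that request transcripts for many distinct taxpayers, or that fail the knowledge questions far more often than a genuine taxpayer would; the roughly 50% KBA failure rate implied by the figures quoted above is the signal the second check looks for. The log format, field names and thresholds are assumptions made for this example, and the log lines are constructed.

```python
"""
Added example: per-source abuse detection for a KBA-protected lookup.
Log format, field names and thresholds are assumptions; the sample log
below is constructed, not real IRS data.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log. Fields: timestamp, source IP, hashed SSN, stage, outcome.
# Stage IDENTITY is the SSN/DOB/filing-status check; stage KBA is the
# credit-history question round that follows it.
SAMPLE_LOG = """\
2015-03-01T09:00:01Z 198.51.100.7 h1a2 IDENTITY pass
2015-03-01T09:00:09Z 198.51.100.7 h1a2 KBA pass
2015-03-01T09:05:00Z 203.0.113.5 h9f0 IDENTITY pass
2015-03-01T09:05:20Z 203.0.113.5 h9f0 KBA fail
2015-03-01T09:06:00Z 203.0.113.5 h9f0 KBA pass
2015-03-01T09:10:00Z 192.0.2.44 h001 IDENTITY pass
2015-03-01T09:10:02Z 192.0.2.44 h001 KBA fail
2015-03-01T09:10:05Z 192.0.2.44 h002 IDENTITY pass
2015-03-01T09:10:07Z 192.0.2.44 h002 KBA pass
2015-03-01T09:10:09Z 192.0.2.44 h003 IDENTITY pass
2015-03-01T09:10:11Z 192.0.2.44 h003 KBA fail
2015-03-01T09:10:13Z 192.0.2.44 h004 IDENTITY pass
2015-03-01T09:10:15Z 192.0.2.44 h004 KBA pass
2015-03-01T09:10:17Z 192.0.2.44 h005 IDENTITY pass
2015-03-01T09:10:19Z 192.0.2.44 h005 KBA fail
2015-03-01T09:10:21Z 192.0.2.44 h006 IDENTITY pass
2015-03-01T09:10:23Z 192.0.2.44 h006 KBA fail
"""


@dataclass
class SourceStats:
    """What one source address has done against the lookup."""
    identities: set = field(default_factory=set)  # distinct hashed SSNs requested
    kba_attempts: int = 0
    kba_failures: int = 0

    def distinct_identities(self) -> int:
        return len(self.identities)

    def kba_failure_ratio(self) -> float:
        return self.kba_failures / self.kba_attempts if self.kba_attempts else 0.0


def parse_log(text: str) -> dict:
    """Aggregate the log per source IP. Malformed lines are skipped."""
    stats = defaultdict(SourceStats)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _ts, src, ident, stage, outcome = parts
        s = stats[src]
        s.identities.add(ident)
        if stage == "KBA":
            s.kba_attempts += 1
            if outcome == "fail":
                s.kba_failures += 1
    return dict(stats)


def flag_sources(stats: dict, max_identities: int = 3,
                 min_kba_attempts: int = 4, max_fail_ratio: float = 0.5) -> dict:
    """Return {source_ip: [reason, ...]} for sources that look automated.

    A genuine taxpayer pulls one transcript and may fail a question once, so
    a lone failure never alerts: the ratio check needs min_kba_attempts first.
    Thresholds are assumptions and would be tuned per deployment.
    """
    alerts = {}
    for src, s in stats.items():
        reasons = []
        if s.distinct_identities() >= max_identities:
            reasons.append("many_identities")
        if s.kba_attempts >= min_kba_attempts and s.kba_failure_ratio() >= max_fail_ratio:
            reasons.append("high_kba_failure")
        if reasons:
            alerts[src] = reasons
    return alerts


if __name__ == "__main__":
    per_source = parse_log(SAMPLE_LOG)
    for src, reasons in flag_sources(per_source).items():
        s = per_source[src]
        print(f"{src}: {', '.join(reasons)} "
              f"(taxpayers={s.distinct_identities()}, "
              f"kba_fail={s.kba_failures}/{s.kba_attempts})")
```

Two points about the design. The per-source view is the cheap first cut; an attacker who spreads requests across many addresses defeats it, so a production version would also aggregate per taxpayer (many KBA attempts for one SSN from different sources) and per time window. And the failure-ratio check only works because the KBA stage sits after the identity check: a source that passes SSN, date of birth and filing status for hundreds of people but then fails the credit-history questions half the time is exactly the pattern the page describes, and it is not how a legitimate user behaves.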

Detection and response services like Ziften are designed to recognize when endpoints have been compromised (for example through phishing attacks). We do this by providing real-time visibility into Indicators of Compromise (IoCs). If the theories are correct and the attackers used information gleaned from earlier breaches outside the IRS, the organizations compromised in those breaches could have benefited from the visibility Ziften provides and mitigated the mass data exfiltration that fed this attack. Ultimately, the IRS appears to have been the vehicle for these attacks rather than their initial victim.