Government report finds Census Bureau hacked but data not stolen
The U.S. Census Bureau was targeted by a cyberattack last year that compromised some systems but did not result in the theft of census data, according to a new report from the Office of the Inspector General.
The attack, said to have taken place in January 2020, involved the attackers gaining access to servers that give staff remote access to production, development and lab networks.
The cyberattack used a publicly available exploit and was partially successful, with the attack modifying user account data to prepare for remote execution. However, the attackers' attempts to maintain access to the system by creating a backdoor to the servers were unsuccessful because they were blocked by a firewall.
While exposing the previously unknown attack, the OIG report also found that the Census Bureau's response was lacking. The findings include the bureau missing opportunities to mitigate a critical vulnerability. When the servers were breached, the bureau did not discover and report the incident in a timely manner.
The bureau was also found not to have maintained sufficient logs, which hindered the investigation, and, following the incident, not to have conducted sessions to identify improvement opportunities. Finally, it was found that the bureau was operating servers the vendor no longer supported.
The OIG made several recommendations including identifying critical vulnerabilities when they are publicly released, implementing vulnerability scanning and a range of review and management procedures to avoid the same thing happening again.
“The important takeaway from this event is that additional logging and visibility may have supported more timely identification and reporting, which could have both limited persistent access and subsequent impact,” Tim Wade, technical director of the CTO Team at AI-based cybersecurity company Vectra AI Inc., told SiliconANGLE.
Wade explained that an exploitable vulnerability being discovered and abused should not be the main takeaway because an adversary will always uncover some exploitable condition but “by developing an organization’s detection, response and recovery capabilities there is an opportunity to mitigate the risks of such discovery and abuse before material damage is realized.”
Andrew Barratt, managing principal for solutions and investigations at cybersecurity firm Coalfire Systems Inc., noted that the “disclosure offers up some common failings but with a glimmer of hope that defenses were considered.”
“Preventing back doors or a persistent threat usually requires the defense to assume compromise during the process of designing their systems,” Barratt said. “However, the lack of access logs, monitoring and out-of-date systems perhaps shows where budgets have been trimmed and unfortunately created a false economy for the tax dollars spent.”