A government team of hackers tasked with testing the Department of the Interior’s cyber vulnerabilities cracked more than 16 percent of the department’s 85,000 passwords in 90 minutes, a new report reveals.
An unclassified Jan. 3 report (pdf) from the Inspector General for Audits, Inspections, and Evaluations found that the department’s password protection and use of multi-factor authentication were woefully insecure.
“Our objective was to determine whether the Department’s password management and enforcement controls were effective enough to prevent a malicious actor from gaining unauthorized access to Department computer systems by capturing and ‘cracking’ user passwords,” the report stated.
“We initiated this inspection because we were able to crack between 20 and 40 percent of the passwords we captured during past projects.”
In total, the team cracked 18,174 of 85,944 department accounts, including 288 with elevated privileges, and 362 belonging to senior government employees.
The report also detailed that management practices and password complexity requirements employed by the department were insufficient to prevent unauthorized access to vital government systems and data.
‘High Probability’ of Significant Damage if Hackers Attack
The Department of the Interior manages federal lands and national resources including dams and reservoirs. Such vital infrastructure has come to the forefront of national security concerns following the Colonial Pipeline Attack in May 2021, in which cyberattackers shut down a U.S. oil pipeline stretching from Texas to New Jersey for five days—a point the report noted.
“We found that the Department’s computer system authentication mechanisms and account management practices exhibited weaknesses similar to those that were reportedly exploited in the Colonial Pipeline attack,” the report said.
“Should the Department experience a similar attack, there is a high probability that bureau mission operations could be significantly affected.”
The report follows a flurry of executive orders in recent years aimed at rapidly adapting the United States’ governmental bureaucracy to a new era of technology and cyber threats.
The report itself explicitly mentions Executive Order No. 14028, titled “Improving the Nation’s Cybersecurity,” which was issued by President Joe Biden in May 2021.
That order mandated the implementation of multi-factor authentication in all federal information systems and that exceptions must be documented and sent to the Cybersecurity and Infrastructure Security Agency (CISA).
The report stated that, while the Department of the Interior used multi-factor authentication through Microsoft’s Azure AD, the failure of many employees to change their passwords and the presence of black market lists of passwords from previous hacks allowed the red team to create a system to “crack” the otherwise secure password hashes generated by the program.
“For less than $15,000, we built a system designed specifically to crack password hashes using open-source software and a custom wordlist made up of dictionaries from multiple languages, U.S. Government terminology, pop culture references, and publicly available password lists harvested from past data breaches across public and private sectors,” the report stated.
“We created a set of rules and processes for manipulating and combining those words into password candidates.”
From there, the team wreaked havoc, cracking more than 13,000 accounts in the first hour and a half of its attack.
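The report's cracking rig combined dictionaries, agency terminology, pop-culture words and breached-password lists with rules that mangle and join those words. The defender's counterpart is to run the same reasoning at password-change time and reject anything such a rig would reach quickly. The following is an added example, not code from the report or the Department, and every wordlist and breached entry in it is a small constructed sample rather than real data; the helper names (`screen_password`, `is_dictionary_derived`, `normal_forms`) are ours.

```python
"""
Password screening that undoes common cracking-rule manglings
(case changes, leet substitutions, appended years/symbols, word
reversal, two-word concatenation) and checks the result against a
wordlist, plus a direct lookup in a breached-password list.
All lists below are constructed samples for illustration only.
"""
import re

# Constructed sample wordlist: dictionary words, agency terms, pop culture.
BASE_WORDS = {"password", "interior", "summer", "welcome", "dragon", "reservoir"}

# Constructed sample of entries "harvested from past data breaches" (not real).
BREACHED = {"Password123!", "Welcome2021", "Summer2022!"}

# Reverse the usual leet substitutions a rule set would apply.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 12  # assumed policy minimum for this example
OUTER_JUNK = re.compile(r"^[^a-z]+|[^a-z]+$")  # leading/trailing digits or symbols


def normal_forms(candidate: str) -> set:
    """Return the alphabetic cores a rule-based cracker would start from.

    Two orders are tried because "p@ssw0rd2023" needs stripping before
    de-leeting, while "1nt3r10r" needs de-leeting before stripping.
    """
    s = candidate.lower()
    strip_then_leet = OUTER_JUNK.sub("", s).translate(LEET)
    leet_then_strip = OUTER_JUNK.sub("", s.translate(LEET))
    return {strip_then_leet, leet_then_strip}


def is_dictionary_derived(candidate: str) -> bool:
    """True if any normal form is a wordlist entry, its reversal,
    or a concatenation of two wordlist entries."""
    for core in normal_forms(candidate):
        if not core:  # nothing but digits/symbols: trivially enumerable
            return True
        if core in BASE_WORDS or core[::-1] in BASE_WORDS:
            return True
        for word in BASE_WORDS:
            if core.startswith(word) and core[len(word):] in BASE_WORDS:
                return True
    return False


def screen_password(candidate: str) -> list:
    """Return the reasons a candidate fails; an empty list means accepted."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if candidate in BREACHED:
        reasons.append("appears in breached-password list")
    if is_dictionary_derived(candidate):
        reasons.append("derived from a wordlist entry by common mangling rules")
    return reasons


if __name__ == "__main__":
    for pw in ["Password123!", "p@ssw0rd2023", "InteriorPassword",
               "correct horse battery staple"]:
        verdict = screen_password(pw) or ["accepted"]
        print(f"{pw!r}: {'; '.join(verdict)}")
```

In production the wordlist and breached list would be the full corpora the report describes (multi-language dictionaries, government terminology, public breach dumps), and the breached check would normally be done against a hashed or k-anonymised dataset rather than a plaintext set; the rule inversion, however, is the same: if a cheap transformation maps the candidate back onto a known word, the candidate is one the cracker will reach.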
Accordingly, the team issued a number of recommendations to the department, including that it implement multi-factor authentication methods that cannot be bypassed to allow single-factor authentication, develop a process to track and validate the status of systems using multi-factor authentication, and strengthen its password requirements.
“In the current cyberthreat environment, strong authentication methods and robust account and password management practices are necessary to help protect computer systems from unauthorized access,” the report stated.
“Overreliance on passwords to restrict system access to authorized personnel can have catastrophic consequences.”