The IRS Hack Probably Began With Compromised Endpoints – Chuck Leaver

Written By Michael Steward And Presented By Chuck Leaver CEO Ziften


IRS Hackers Make Early Returns Because of Previous External Attacks


The IRS breach was one of the most unusual cyber attacks of 2015. A typical attack today starts with a phishing email that gains initial access to a target system, followed by lateral movement until data is exfiltrated. The IRS hack was different: much of the data needed to carry it out had already been stolen elsewhere. All the attackers had to do was walk in through the front door and file returns. How could this happen? Here's what we know:

The IRS website has a "Get Transcript" function that lets users retrieve prior tax return information. As long as the requester supplies the correct details, the system returns past and current W-2s, old tax returns and similar records. With anyone's SSN, date of birth and filing status, the attackers could start the retrieval process for prior filing years. The system also had a Knowledge Based Authentication (KBA) step, which asked questions drawn from the requested user's credit history.

KBA isn't foolproof, however. The questions it asks can often be predicted from other information already known about the user. The system asks questions such as "Which of the following streets have you lived on?" or "Which of these automobiles have you owned?" An attacker who already holds the victim's address and vehicle history, or can look it up in public records, has those answers in hand.

After the dust settled, it's estimated that the attackers attempted to collect 660,000 transcripts of prior taxpayer information through Get Transcript and succeeded in 334,000 of those attempts. The unsuccessful attempts appear to have gotten as far as the KBA questions, where the attackers failed to supply the correct answers. The attackers are estimated to have made off with over $50 million. So, how did they do it?

Security analysts believe the attackers used information from earlier breaches, such as SSNs, DOBs, addresses and filing statuses, to try to obtain prior tax return information on their target victims. Where they succeeded and answered the KBA questions correctly, they filed a fraudulent return during the 2015 filing season, often inflating the withholding amount on the form to obtain a larger refund. As noted above, not every attempt succeeded, but more than 50% of them did, and those resulted in major losses for the IRS.
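The mechanics above leave a measurable footprint on the service side: hundreds of thousands of Get Transcript requests, roughly half of which die at the KBA step, against a baseline where legitimate users rarely fail. The script below is an added example, not code from the original post and not a description of any control the IRS actually ran; it assumes a hypothetical log format (timestamp, source IP, last four of the SSN, stage, outcome) and builds its own constructed sample to show two signals: a per-source rule (one IP hammering many identities with a high KBA failure rate) and a global drift rule (the overall KBA failure rate jumping well above baseline), the latter catching an attacker spread thinly across many IPs that the per-source rule misses.

```python
"""Detection heuristics for mass automated KBA attempts (added example).

The log format and all sample data are constructed for illustration; this is
not IRS code and the thresholds are illustrative, not tuned values.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class SourceStats:
    attempts: int = 0
    kba_fail: int = 0
    distinct_ssn: set = field(default_factory=set)

    @property
    def fail_ratio(self) -> float:
        return self.kba_fail / self.attempts if self.attempts else 0.0


def build_sample_log() -> str:
    """Constructed sample: '<ts> <src_ip> <ssn_last4> kba <PASS|FAIL>' per line.

    - 100 legitimate users, one attempt each, 5% KBA failure (5 failures)
    - one concentrated attacker IP: 40 attempts, 40 identities, 50% failure
    - one distributed attacker: 30 IPs, 2 attempts each, 50% failure
    """
    lines, n = [], 0

    def ts():
        nonlocal n
        n += 1
        return f"2015-02-03T10:{n // 60:02d}:{n % 60:02d}Z"

    for i in range(1, 101):  # legitimate traffic (hypothetical addresses)
        outcome = "FAIL" if i % 20 == 0 else "PASS"
        lines.append(f"{ts()} 198.51.100.{i} {5000 + i:04d} kba {outcome}")
    for j in range(40):  # concentrated attacker
        outcome = "FAIL" if j % 2 == 0 else "PASS"
        lines.append(f"{ts()} 203.0.113.9 {1000 + j:04d} kba {outcome}")
    for k in range(1, 31):  # distributed attacker, two tries per IP
        lines.append(f"{ts()} 192.0.2.{k} {2 * k:04d} kba FAIL")
        lines.append(f"{ts()} 192.0.2.{k} {2 * k + 1:04d} kba PASS")
    return "\n".join(lines)


def parse_log(text: str) -> list:
    """Parse the constructed format, keeping only KBA-stage records."""
    records = []
    for line in text.strip().splitlines():
        ts, ip, ssn4, stage, outcome = line.split()
        if stage != "kba":
            continue
        records.append({"ts": ts, "ip": ip, "ssn4": ssn4, "passed": outcome == "PASS"})
    return records


def per_source(records: list) -> dict:
    """Aggregate attempts, failures and distinct identities per source IP."""
    stats = defaultdict(SourceStats)
    for r in records:
        s = stats[r["ip"]]
        s.attempts += 1
        s.distinct_ssn.add(r["ssn4"])
        if not r["passed"]:
            s.kba_fail += 1
    return stats


def flag_sources(stats: dict, min_attempts=10, min_identities=5, min_fail_ratio=0.25) -> list:
    """Per-source rule: many attempts, against many identities, failing KBA often."""
    return sorted(
        ip for ip, s in stats.items()
        if s.attempts >= min_attempts
        and len(s.distinct_ssn) >= min_identities
        and s.fail_ratio >= min_fail_ratio
    )


def global_fail_rate(records: list) -> float:
    """Fraction of all KBA attempts that failed, regardless of source."""
    if not records:
        return 0.0
    return sum(1 for r in records if not r["passed"]) / len(records)


def drift_alert(records: list, baseline_rate: float, factor: float = 3.0) -> bool:
    """Global rule: alert when the failure rate exceeds `factor` times baseline."""
    return global_fail_rate(records) >= factor * baseline_rate


if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    print("per-source flags:", flag_sources(per_source(recs)))
    print("global KBA fail rate:", round(global_fail_rate(recs), 3))
    print("drift alert vs 5% baseline:", drift_alert(recs, baseline_rate=0.05))
```

On the constructed sample the per-source rule flags only 203.0.113.9; the thirty 192.0.2.x addresses each make two attempts and slip under it, but the global KBA failure rate climbs from the 5% baseline to 27.5% and trips the drift rule. That is the practical lesson of the ~50% failure rate in the breach figures: an aggregate shift in authentication outcomes is harder for an attacker to hide than per-IP volume. It is also only a detective control; KBA built from credit-header data offers little resistance to an adversary who already holds that data.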

Detection and response solutions like Ziften focus on identifying compromised endpoints (for example, through phishing attacks). We do this by providing real-time visibility of Indicators of Compromise (IoCs). If the theories are right and the attackers used data gleaned from earlier attacks outside the IRS, the organizations that were compromised could have benefited from the visibility Ziften provides and mitigated the mass data exfiltration. Ultimately, the IRS appears to have been the vehicle, rather than the initial victim, of these attacks.
