An ominous e-mail message landed in the inboxes of a small group of U.S. Army employees last month, warning of a security breach in their federal retirement plans and urging them to log in and check their accounts.
The e-mail was a fake — a classic spear phishing expedition looking for unwitting victims willing to share their personal financial information.
But the perpetrator was not a criminal hacker. It was an Army combat commander, acting on his own authority to test whether anyone on his staff would fall for the trick. In the process of sussing out internal vulnerabilities, though, the commander sowed panic across the government: Employees forwarded the e-mail to thousands of friends and colleagues at the Defense Department, the FBI, Customs and Border Protection, the Labor Department and other agencies.
Even the Pentagon’s Chief Information Office, which oversees computer networks across the military, was unaware of the phony e-mail.
The embarrassing play, a security awareness test of the sort that’s become increasingly common practice at private companies and federal agencies, tested the limits of how far the government should go with quality control to protect against cyberthreats. Testing security by toying with federal employees’ nest eggs? In hindsight, all agree that should be off-limits.
Account holders saw the words “Thrift Savings Plan Alert: Passcode Reset” in the e-mail’s subject line, sent from the account services department at “tspgov[.]us.” Puzzled by the message and wondering whether it was legitimate, they shared it over and over and flooded the Thrift Savings Plan’s call center with anxious queries. Information technology staffs scrambled to figure out whether it was real.
It was close to three weeks from when the e-mail was sent until it was traced to the Army command. Now, Defense officials say they will require more oversight of security tests that try to trip up employees.
At the Thrift Savings Plan, the small agency near Union Station that holds the 401(k)-style portfolios of most federal workers, officials are furious that their trusted brand was tampered with, no less by the government’s largest employer.
“While I can see how that particular test served the interests of the Department of Defense,” executive director Greg Long said, “that’s not my concern. Anything that causes our participants to question whether their account is safe and secure damages our interest.”
Federal agencies conduct routine cybersecurity training. But the constantly evolving and increasingly sophisticated attacks, particularly by foreign hackers, make them difficult to defend against. To reinforce this urgency, a growing number of agencies are sponsoring their own phishing attacks, experts said.
In some cases, if the employee takes the bait, the link or phony attachment delivers a short security message or even locks out the user. Agencies collect data on the success of the “attacks” and develop metrics about what techniques work with whom. Some private companies dock managers’ pay if their employees repeatedly fall for the pranks.
“Every agency should be doing it,” said Jacob Olcott, a former counsel for the Senate Commerce committee who now works for Good Harbor Consulting, a cyber-risk-management company.
The upside to the Army-TSP episode: No one clicked on the fake site, which was shut down last week. No personal or account information was compromised, but federal employee unions are furious that their members, who watched their investments plummet in the financial crisis, were put in such a position.
“It’s big old DOD and you’ve got little TSP,” said Matthew Biggs, legislative director of the International Federation of Professional and Technical Engineers, which represents Defense workers. “The big government bullies are just pushing us around and using us as guinea pigs.”
J. David Cox Sr., president of the largest federal union, the American Federation of Government Employees, said in a statement, “We are strong advocates of cybersecurity, but DoD should be much more prudent in the future in deciding how they test federal employees.”
Spear phishing e-mails are among the biggest weapons of choice for hackers trying to gain entry into computers inside and outside government. They use what Internet security experts call “bait,” usually a legitimate-looking e-mail, to get their victims to provide log-in or account information or visit a malicious site that will upload malware to the computer.
Fewer than 100 uniformed and civilian personnel in the Army unit got the original e-mail, which directed them to a phony TSP Web site with the address hxxp://www[.]tspgov[.]us/, a variation on the real address, www.tsp.gov. Employees were asked to verify changes to their account. “Your security is important to us,” they were told. “If you are unaware of this change, please contact us immediately: ThriftLine — 1-TSP-YOU-FRST.”
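A defender-side check in the spirit of the lookalike address above: this added Python example (not code from the article, the Army, or the Thrift Savings Plan; the allowlist and sample indicators are constructed) refangs analyst-style indicators and flags any host that borrows the `tsp` brand token without actually being `tsp.gov`.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: the real Thrift Savings Plan address named in the article.
LEGITIMATE_DOMAINS = {"tsp.gov"}
# Brand tokens to look for in any other host (derived from the allowlist).
BRAND_TOKENS = {d.split(".")[0] for d in LEGITIMATE_DOMAINS}  # {"tsp"}


def refang(value):
    """Turn analyst-style defanged text (hxxp://, [.]) back into a parseable form."""
    return re.sub(r"^hxxp", "http", value.replace("[.]", "."), flags=re.IGNORECASE)


def host_of(value):
    """Accept a bare domain, a full URL, or an e-mail address and return its host."""
    value = refang(value.strip())
    if "://" in value:
        return (urlparse(value).hostname or "").lower()
    if "@" in value:
        return value.rsplit("@", 1)[1].lower()
    return value.lower()


def registrable_domain(host):
    """Last two labels of the host (simplification: no public-suffix list)."""
    labels = host.strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(value):
    """'legitimate' for the real domain, 'lookalike' for a host that borrows the
    brand token without being the real domain, otherwise 'unrelated'."""
    host = host_of(value)
    if not host:
        return "unrelated"
    if registrable_domain(host) in LEGITIMATE_DOMAINS:
        return "legitimate"
    labels = host.split(".")
    if any(token in label for token in BRAND_TOKENS for label in labels):
        return "lookalike"
    return "unrelated"


# Constructed samples: the article's fake address, the real one, and an unrelated one.
SAMPLES = [
    "hxxp://www[.]tspgov[.]us/",
    "account-services@tspgov[.]us",
    "https://www.tsp.gov/",
    "https://www.example.com/",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:40} -> {classify(s)}")
```

The two-label registrable-domain rule is deliberately simple; a production mail gateway would use a public-suffix list and an exact allowlist rather than substring matching.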
The savings plan holds the portfolios of 4.6 million current and retired federal employees, who last year had nearly $400 billion in investments. Rumors that accounts were at risk grew so fast just before Presidents’ Day that plan officials posted a warning on the TSP Web site telling account holders to beware of potential scams. The FBI did the same.
When Mary Burnham Curtis saw the fake e-mail pop up at her desk at the Fish and Wildlife Service in southwest Oregon, she thought something was wrong because she hadn’t looked at her account in more than six months and needed to change her password. A two-time victim of credit-card theft, she was suspicious and deleted the message.
Still, she said, the Army was irresponsible.
“Why didn’t the Army just go to the TSP and ask, is it okay for us to experiment like that?” said Curtis, a forensic scientist who investigates wildlife trafficking.
The call centers in Maryland and Virginia were getting calls for two weeks, but the staff had no answers for anxious employees. “What the heck are we supposed to say to them?” the telephone operators asked their bosses, spokeswoman Kim Weaver recalled.
A break in the case came Feb. 24, when John Ramsey, the plan’s low-key chief of information security, traced the e-mail to an Internet provider address and domain name registered to the Army. But there still was no clue to which unit of the sprawling service had sent it, or why. Ramsey, a retired Army reservist who managed IT security operations for the Army and the State Department, called his contacts there. They were stumped.
It was several more days before the Pentagon tracked down the source. Lt. Col. Damien Pickart, a Defense spokesman, declined to release the commander’s name or unit. He was not reprimanded for acting on his own, because the rules were vague.
The incident has embarrassed Defense officials, who have pledged to set up “DOD-wide guidelines for the conduct of phishing exercises,” Pickart said in a statement. He called the fake e-mail a “regular phishing exercise” to test the effectiveness of cybersecurity training in the Army.
“DoD respects the integrity of the TSP brand and has assured [officials] that no TSP user credentials were compromised or seen by DoD as a result of the exercise,” Pickart said.
A Defense official, who spoke on the condition of anonymity to talk freely about the incident, called the test a “well-intentioned exercise” that should have been coordinated with the information security office and the savings plan, which should have had the option not to participate.
“This is people’s nest eggs, their hard-earned savings,” the official said. “When you started hearing TSP of all things, the rumor mill ran rampant.”
Future phishing tests will be approved by the Chief Information Office, the official said. If a recognizable entity such as the savings plan is used, the organization will be asked whether it wants to participate. Long said he wouldn’t.
This wasn’t the first time a federal agency used the TSP’s name recognition to test the vulnerability of employees to cyberattack. In 2009, the Justice Department sent an e-mail to Bureau of Prisons workers asking for personal information to claim reimbursement for value their portfolios had lost as stock market values were falling.
And in 2011, the plan confronted a real-life data breach when hackers got into a contractor’s computer containing the Social Security numbers of 123,000 account holders. Plan administrators were unaware of the intrusion and had neglected a series of recommended security changes that they have since implemented.
The call center is still hearing from confused account holders about the Army’s phony phishing expedition.
“Like Monty Python, it’s not quite dead yet,” Weaver said.
The Defense Department still hasn’t revealed to savings plan officials which unit sent the e-mail. They’ve asked for the name in writing, to share with account holders, Weaver said.
“We want a record to put in the file,” she said, “so when this happens again three to five years from now, people won’t worry so much.”