February 10, 2015

The Defense Contract Management Agency, the U.S. federal government entity responsible for performing contract administration services for the Department of Defense, is responding to a suspected cybersecurity breach and has pulled a number of its servers offline while the investigation continues, KrebsOnSecurity has learned.

The public Web site for the DCMA has been offline for nearly two weeks.

A notice posted to the DCMA’s home page communicates little about the investigation, other than to note that “corrective action is in progress,” and that “work is being done to restore service as quickly as possible.”

Contacted about the outage, DCMA spokesman David Wray said suspicious activity was detected on a DCMA public-facing server January 28, resulting in an ongoing investigation.

“So far, no DCMA, DoD or Defense Industrial Base data nor any Personal Identification Information has been breached. A cyber protection team from Joint Forces Headquarters, Department of Defense Information Network, is working with DCMA to enhance network security. DCMA’s website has been intentionally taken offline while the team investigates the activity. All other network operations have proceeded as normal.”

Wray declined to elaborate on the nature or extent of the intrusion. However, sources within the DCMA say the agency has been having “major system issues, including a number of internal systems.”

“We have been told it was due to issues with unscheduled maintenance, but the regular emails from [DCMA higher-ups] seem to indicate a larger, unspoken problem,” said one DCMA employee who asked to remain anonymous.

Sources say the problem relates not just to the DCMA’s main Web site but to resources that DCMA employees use for telework to review federal contracts between external companies and the Department of Defense.

Headquartered at Fort Lee, VA, the DCMA often handles Foreign Military Sales contracts.

This is a developing story. More as it becomes available. Stay tuned.


40 thoughts on “Defense Contract Management Agency Probes Hack”

  1. Michael Martin

    How you find this information is mind boggling. Do you think that a Government should be required to give as much information to the public about such intrusions, as the public sector is?

    1. rainbow unicorn

      This Murica, the Government does it wants! C’mon buddy!

  2. Donald J Trump

    China, Iran, Russia, or North Korea. Take your pick who’s responsible.

    1. Mark Allyn

      I used to work for the federal government once upon a time a long ago.

      May I suggest that we hold off on blaming Russia/North Korea/Iran/hippies/Haight-Ashbury/gay (I am one)/or anyone else . . .

      May we consider blaming the incredible short-time type attitudes that I have witnessed during my tenure while working for the U.S. Navy as an engineer?

      I cannot count all of the work that I had to re-do because the person who was supposed to do it was waiting for retirement or leaving early to go play the horse races or complaining about the world while working or whatever.

      When I left civil service (cilly service), I did more in one day than I saw some of my colleagues do in a week and with far fewer re-works.

      1. Tomi Olivia

        Coming from private industry (13 years) to civil service (many more), I can say that I’ve had that same observation on BOTH sides.

        I will not, however, make any all-inclusive comments except to say that I’ve seen good and bad in both environments.

        Certainly can’t say that IA is any better on either side either…

        1. IA Eng

          Ahhhh One of my favorite sayings;

          Q: What’s the difference between Complaint and Compliant?
          A: The direction “IA” is facing.

  3. petepall

    Gotta give them Feds some credit. At least they didn’t say, “Your security is very important to us and we take this breach very seriously. This was a sophisticated attack. Free credit monitoring is on the way! Now, on to business as usual…”

    1. IA Eng

      One would figure, government entities that make the rules, would have a better security posture. I am not pointing fingers at any organization, simply hear me out.

      Some of the “security scores” these organizations receive are pretty bad. I figure most would lead by example, rather than do as I say, not as I do. DOJ, DOE and a few others had terrible scores a few years back – when attacks were not as active. As the threat/ threat activity increases, the security posture must go through the roof as well….

      Since I currently do not know the typical “security score” for this organization, it cannot be judged in that manner. But old habits die hard. I just hope that the breach was caught early enough to thwart a massive issue.

      If someone was to infiltrate a database like this, it could create a lot of issues. Let’s leave it at that.

  4. Edward

    “We don’t know what the hell is going on, but nothing was compromised”… Well I certainly feel better now.

  5. Mark Giles

    See https://ccacprompter.dcma.mil/ for more information. The SSL is not trusted

    Your connection is not private

    Attackers might be trying to steal your information from ccacprompter.dcma.mil (for example, passwords, messages, or credit cards).

    NET::ERR_CERT_INVALID

    1. Rod

      That is probably due to your computer’s certificate store lacking the DOD root and Intermediate CAs. Check the certification path on the site.

  6. Ivo

    Seems like the Russians are getting antsy and trying to find out if we are sending boom care packages to the Ukrainians.

    1. Soy Tenley

      Yes, it looks like they got a DCMA takedown notice …

      1. Bob

        You do realize it’s Digital Millennium Copyright Act, right?

  7. JCitizen

    I saw my first virus wreck our field computers off a floppy from Ft. Lee, Virginia – brings back memories. Back then logistics could be easily swapped to manual mode – I wonder about now?

  8. Katrina L.

    There literally needs to be a new federal holiday created in which all federal entities go about testing the strength of their security on their websites.

    No matter how many times this happens, I’m always in shock.

    1. Tomi Olivia

      A new federal holiday sounds great! Let’s put it between President’s Day and Memorial Day (that’s a long stretch!). 😀

      AFA it goes… You really shouldn’t be surprised. Civil servant pay is a bit lower than private industry pay and there are a LOT less bonuses, etc. If the brainiacs in private industry can’t stop the hacks, chances are pretty good that the Feds can’t either (well, they *could* but then this wouldn’t be a democracy and we probably wouldn’t have web access… 😉 ).

      1. Soy Tenley

        Easter is a major holiday that falls in that time period.

        Also April Fool’s Day … except some people WANT to go to work that day, to make merry on their coworkers.

        1. SeymourB

          My phone starts ringing off the hook on 4/1 after coworkers run around sticking post-it notes to the undersides of optical mice.

    2. Soy Tenley

      The states will have to have a “security test” day on the same day as the federal entities.

      No reason to try to access any federal internet site while it is DDOSing itself. Or pentesting. Or GIGO testing.

    3. IA Eng

      Give the Government a Holiday, and they will take it. They will sit at home and task contractor leads to do the project.

      It shouldn’t boil down to a day – week – month or year. Compliance scans should be done on a regular basis, meaning they should happen – practically – all the time. A person scanning the network isn’t guaranteed to find all the systems and devices on the network each and every time.

      Without going into much detail, reports are sent to the people in charge of the systems, and given a deadline to get compliant. Once they say they are, another scan is performed. So, if the system is used as intended, all works right.

      Obviously there will be holes found and exploited by the evil side, which seems like an ongoing event. I talk with a few pen testers and they often refer to the old adage “It only takes one” – meaning an evil entity only needs to land within a network, and eventually the odds are in their favor that they will get elevated privileges to do more damage.

      Due diligence, due care should always be on the forefront of many managers, engineers, analysts and workers. It’s almost a daily drumbeat to keep the network secure.

  9. Bill Ender

    Brian:

    Just curious why the publication date/dateline on all of your recent articles reads “Feb 15” — are you writing back to us from the future? That would explain some of your more prescient observations.

    B

    1. JimH

      @Bill.. ummmmmmmmmm.. might have something to do with what YEAR this is (you’ll note the DATE is also just above the ‘Feb 15’ item)..

      like the picture that was posted about the landing on a platform :: Just Read The Instructions.. heh..

      have a happy and safe day.. imma outta here for now

      1. steve

        So much for the Y2K lessons! Seems we’ve reverted back to two digit years to save memory and storage.

    2. Old School

      Google: Date format by country
      Then read the Wikipedia entry.

  10. Katie

    Question: How can we maintain security in the U.S., when most or all computers have their manufacture controlled by countries such as China?

    1. mica

      Brian is amazingly productive isn’t he? He – along with his blossoming network of friends, confidants and contributors to this website are a collective force majeure. Positive results of said parties in concert with our government are near at hand although seemingly painfully protracted in this hurry-up world.

  11. JustAguyInCT

    This story reminds me of an episode of NCIS:LA that aired not long ago.

  12. Rodney Thayer

    As of 15Feb2015 https://www.dmca.mil is still running their 2014-vintage certificate. And RC4-128. And whether or not ccacprompter has a valid cert (chrome’s error message is quite arcane) that cert was issued in 2012. Makes one question their certificate hygiene…

Comments are closed.