By Michael Steward

IRS Hack Likely Began With Compromised Endpoints

Early Returns For IRS Hackers Thanks to Previous, Outside Attacks

No other cyber security hack in 2015 was quite as unique as the IRS breach. Classic attacks today involve phishing emails aimed at getting initial access to target systems, after which lateral movement is performed until data exfiltration occurs. But the IRS hack was different — much of the data needed to perform it had already been acquired. In this case, all the hackers had to do was walk in the front door and file the returns. How could this happen? Here’s what we know:

The IRS website has a “Get Transcript” feature for users to retrieve previous tax return information. As long as the requester can provide the correct information, the system will return past and present W-2s, old tax returns, etc. With anyone’s SSN, date of birth and filing status, the hackers could begin retrieving information from past filing years. The system also had a Knowledge Based Authentication (KBA) step, which asked questions based on the requested user’s credit history.

KBA isn’t foolproof, though. The questions it asks can often be guessed from other information already known about the user. The system asks questions such as “Which of the following streets have you lived on?” or “Which of the following vehicles have you owned?”

After the dust settled, it was estimated that the hackers attempted to gather 660,000 transcripts of past taxpayer information via Get Transcript, and that they were successful in 334,000 of those attempts. The unsuccessful attempts appear to have gotten as far as the KBA questions, where the hackers failed to provide the proper answers. It’s estimated that the hackers made off with over $50 million. So, how did they do it?

Security researchers theorize that the attackers used information from previous attacks, such as SSNs, DOBs, addresses and filing statuses, to attempt to get prior tax return information on their target victims. If they were successful and answered the KBA questions correctly, they filed a claim for the 2015 calendar year, often increasing the withholding amount on the tax return form to get a larger return. As mentioned previously, not all attempts were successful, but over 50% of the attempts resulted in major losses for the IRS.
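The pattern described above, one source cycling through many stolen identities and failing KBA a large share of the time, is visible in the Get Transcript request logs long before any refund is paid. The following is an added example, not IRS or Ziften code: it parses constructed log lines (the log format, field names and thresholds are all assumptions) and flags sources whose KBA failure ratio, identity count or request burst rate looks like bulk abuse rather than a single taxpayer retrying.

```python
"""Flag bulk Get Transcript abuse in request logs.

Added example, not IRS or Ziften code. The log format, field names and
thresholds are assumptions; the log lines below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: timestamp, source address, hashed taxpayer identity, outcome.
# 198.51.100.7 cycles through many identities and fails KBA often (bulk abuse);
# 203.0.113.5 is one taxpayer who missed a KBA question once and then succeeded.
SAMPLE_LOG = """\
2015-02-01T08:00:01Z 198.51.100.7 id=h01 outcome=success
2015-02-01T08:00:04Z 198.51.100.7 id=h02 outcome=kba_failed
2015-02-01T08:00:07Z 198.51.100.7 id=h03 outcome=kba_failed
2015-02-01T08:00:11Z 198.51.100.7 id=h04 outcome=success
2015-02-01T08:00:14Z 198.51.100.7 id=h05 outcome=kba_failed
2015-02-01T08:00:18Z 198.51.100.7 id=h06 outcome=kba_failed
2015-02-01T08:00:21Z 198.51.100.7 id=h07 outcome=success
2015-02-01T08:00:25Z 198.51.100.7 id=h08 outcome=kba_failed
2015-02-01T09:15:00Z 203.0.113.5 id=h42 outcome=kba_failed
2015-02-01T09:16:30Z 203.0.113.5 id=h42 outcome=success
"""


@dataclass
class SourceStats:
    """Per-source counters accumulated while scanning the log."""
    attempts: int = 0
    kba_failed: int = 0
    identities: Set[str] = field(default_factory=set)
    first: Optional[datetime] = None
    last: Optional[datetime] = None


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    """Split one constructed log line into (timestamp, source, identity, outcome)."""
    ts_s, source, id_kv, outcome_kv = line.split()
    ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ")
    return ts, source, id_kv.split("=", 1)[1], outcome_kv.split("=", 1)[1]


def analyze(
    log_text: str,
    min_attempts: int = 5,          # ignore sources with too few requests to judge
    max_fail_ratio: float = 0.4,    # a real taxpayer rarely fails KBA this often
    max_identities: int = 3,        # one household does not need 4+ transcripts
    burst_window: timedelta = timedelta(minutes=5),
) -> Dict[str, List[str]]:
    """Return {source: [reasons]} for sources that look like bulk abuse."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, source, identity, outcome = parse_line(line)
        s = stats[source]
        s.attempts += 1
        s.kba_failed += outcome == "kba_failed"
        s.identities.add(identity)
        s.first = ts if s.first is None or ts < s.first else s.first
        s.last = ts if s.last is None or ts > s.last else s.last

    flagged: Dict[str, List[str]] = {}
    for source, s in stats.items():
        reasons = []
        enough = s.attempts >= min_attempts
        if enough and s.kba_failed / s.attempts > max_fail_ratio:
            reasons.append("high_kba_failure_ratio")
        if len(s.identities) > max_identities:
            reasons.append("many_identities_one_source")
        if enough and s.first is not None and s.last - s.first <= burst_window:
            reasons.append("burst")
        if reasons:
            flagged[source] = reasons
    return flagged


if __name__ == "__main__":
    for source, reasons in analyze(SAMPLE_LOG).items():
        print(f"{source}: {', '.join(reasons)}")
```

The identity-count rule is the one that matters most for this incident: even when the stolen data is good enough to pass KBA, a single source pulling transcripts for dozens of unrelated taxpayers has no legitimate explanation, so it can be rate-limited or stepped up to a stronger factor without waiting for failures to accumulate.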

Detection and response solutions like Ziften are aimed at identifying when endpoints have been compromised (for example, through phishing attacks). We do this by providing real-time visibility of Indicators of Compromise (IoCs). If the theories are correct and the attackers used information gleaned from previous attacks outside of the IRS, the compromised companies could have benefited from the visibility Ziften provides and mitigated against mass data exfiltration. Ultimately, the IRS seems to be the vehicle — rather than the initial victim — of these attacks.
