Capitol rioters’ breach of government computers is cybersecurity ‘worst case scenario’, says expert

‘When such a large group of unidentified people has physical access to your unlocked systems and network connections [it] means you can’t trust them anymore’

Adam Smith
Thursday 07 January 2021 12:18

The risk posed to the US government’s cybersecurity, as supporters of president Trump stormed the Capitol Building in Washington DC, has been called a “worst case scenario” by one cybersecurity expert.

Hordes of rioters entered the building past Capitol police yesterday in an attempt to disrupt the confirmation of Democrat Joe Biden as the 46th president of the United States. At least 50 arrests have been made after Molotov cocktails, pipe bombs and guns were found, and four people have died as a result of the violence.

In shocking images, rioters also managed to get access to at least one computer system in the office of House Speaker Nancy Pelosi, which has led to serious concerns about what digital infrastructure could have been compromised by the insurrectionists.

In a now-deleted tweet, Elijah Schaffer, a reporter for the right-wing publication The Blaze, wrote that he was "inside Nancy Pelosi’s office" with what he described as "revolutionaries" who had "stormed the building."

A message reading "Capitol: Internal Security Threat: Police Activity” can be seen in the bottom-right corner of the computer screen. It appeared over an unprotected email client, with emails dating back to at least 2019.

As government employees left their workstations, many other devices, such as laptops and phones, may have been left accessible.

The presence of unmonitored individuals may also mean physical bugs were planted, either by foreign actors or other malicious persons who planned for Capitol Building security forces to be overcome.

In the wake of the recent SolarWinds hack, which compromised federal government systems, and given the administration’s concerns over national security, the defence of government devices is imperative.

“This is a worst case scenario," Victor Gevers, a cybersecurity expert who claimed to have hacked President Trump’s Twitter account, told The Independent.  

“When such a large group of unidentified people has physical access to your unlocked systems and network connections [it] means you can’t trust them anymore. You need to redeploy everything, change credentials and investigate every[one] that was in that building.

“It also shows the IT department does not enforce an automatic screen lock after a short while of inactivity, which is not an advisable thing to do."

It is possible that individuals planning for the event could have downloaded malware onto the machines, either through the internet or using a memory stick, Peter Yapp, former Deputy Director at the UK’s National Cyber Security Centre (NCSC) and partner at Schillings, told The Independent.

Hacking devices are not particularly uncommon, nor are they expensive, Mr Yapp said; many of them could be easily purchased from “spy shops”. Without such equipment, it is also possible that the individuals could have simply looked at locally-stored information saved on the devices.

Despite how quickly the situation escalated, it was not unexpected. Arieh Kovler, a communications and public affairs consultant, pointed out in December that many supporters of the president would be attending a protest on 6 January – with messages spreading on sites such as Reddit encouraging them to be heavily armed and to shoot counter-protesters.

However, it seems unlikely, Mr Yapp said, that the individuals actually expected to enter the Capitol Building, believing it to be “just an opportunity that opened up for them”.

As such, the likelihood that the rioters would have sought long-term access to sensitive information is lessened, but officials should still be concerned about the possibility.

“I would definitely be scanning for bugs. It's likely that, if anything was left behind, it will set off a signal, and you'd be able to find it”, Yapp said, adding that expert teams should look for physical bugs in ceiling recesses, light switches and plugs, wipe computer systems, and monitor incoming and outgoing radio frequencies.

“As long as there's no locally saved information, I would be inclined to wipe those computers clean and then [reinstall] the standard image [a copy of all data on a drive volume] that they're using”, Yapp said.

Richard Barnett, a supporter of US President Donald Trump sits inside the office of US Speaker of the House Nancy Pelosi as he protests inside the US Capitol

Mr Gevers echoed similar sentiments, although such an act would “cost a lot of resources and time.”

“I am sure they can temporarily rely on their WFH [work from home] solution but it will mean there will be downtime”, he added.  

Some protections will already exist on government computers. “You’d need a CAC card to install anything on a government network. It’s an actual physical ID card you have to put into the computer,” Vinny Troia, a former longtime Defense Department cybersecurity contractor, told Fortune.

The USB ports of all government employee devices should also already be disabled, a rule put into effect after Edward Snowden leaked details of a massive US domestic and foreign surveillance programme.
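The two controls the experts quoted above describe, an enforced idle screen lock and blocked USB mass storage, can be checked on a Windows workstation from the registry locations the corresponding Group Policy settings write to. The following read-only audit script is an added example, not code from the article, the Capitol, or any vendor; it assumes a 15-minute (900-second) lock threshold, and it treats either the USBSTOR driver being disabled or the "All Removable Storage classes: Deny all access" policy as a sufficient USB control.

```powershell
# Added audit example (not from the article): reports whether this Windows
# workstation enforces an idle screen lock and blocks USB mass storage.
# Read-only: it changes nothing. Assumed threshold: lock within 900 s of inactivity.
$MaxIdleSeconds = 900

function Get-RegValue {
    # Returns a registry value, or $null if the key or value does not exist.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$findings = @()

# 1. Machine-wide lock: "Interactive logon: Machine inactivity limit" (seconds).
$inactivity = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs'
$machineLockOk = ($null -ne $inactivity) -and ([int]$inactivity -gt 0) -and ([int]$inactivity -le $MaxIdleSeconds)

# 2. Per-user screen saver: policy key takes precedence over the user's own setting.
$policyPath = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$userPath   = 'HKCU:\Control Panel\Desktop'
function Get-DesktopSetting([string]$Name) {
    $v = Get-RegValue $policyPath $Name
    if ($null -eq $v) { $v = Get-RegValue $userPath $Name }
    return $v
}
$ssActive  = Get-DesktopSetting 'ScreenSaveActive'      # "1" = screen saver on
$ssSecure  = Get-DesktopSetting 'ScreenSaverIsSecure'   # "1" = require password on resume
$ssTimeout = Get-DesktopSetting 'ScreenSaveTimeOut'     # seconds of idle time
$userLockOk = ($ssActive -eq '1') -and ($ssSecure -eq '1') -and
              ($null -ne $ssTimeout) -and ([int]$ssTimeout -le $MaxIdleSeconds)

if (-not ($machineLockOk -or $userLockOk)) {
    $findings += "No enforced screen lock within $MaxIdleSeconds s " +
                 "(InactivityTimeoutSecs=$inactivity; ScreenSaveActive=$ssActive, " +
                 "ScreenSaverIsSecure=$ssSecure, ScreenSaveTimeOut=$ssTimeout)"
}

# 3. USB mass storage: driver disabled (Start = 4) or removable-storage policy denying all access.
$usbStart = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start'
$denyAll  = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' 'Deny_All'
if (($usbStart -ne 4) -and ($denyAll -ne 1)) {
    $findings += "USB mass storage not blocked (USBSTOR Start=$usbStart, 4 means disabled; " +
                 "RemovableStorageDevices Deny_All=$denyAll)"
}

# 4. Report. A non-zero exit code lets a fleet tool flag non-compliant hosts.
if ($findings.Count -eq 0) {
    Write-Output "OK: idle screen lock enforced and USB mass storage blocked on $env:COMPUTERNAME"
    exit 0
} else {
    foreach ($f in $findings) { Write-Output "FINDING: $f" }
    exit 1
}
```

Run it in the context of the logged-on user (the per-user screen saver keys live under HKCU), and treat the machine-wide inactivity limit as the control that actually matters for a shared office machine, since a user-level screen saver setting can be changed by the user unless the policy key sets it.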

It is also easier for state-sponsored hackers from countries hostile to the United States to target more valuable computers through more sophisticated means – launching cyberattacks on top secret devices from their home states rather than trying to physically infiltrate a government building.

While in this instance it is likely that government information remains protected, the simple fact that average, unknown citizens managed to breach Capitol police and gain unprecedented access to the building should not be understated. 

“I think the administration will be shocked by those photographs of someone sitting at a computer that [was] still logged in in the[ir] office”, Mr Yapp said.

“We have seen attempts where attackers leave a power extension box behind in the buildings to keep remote access. I used to build these myself almost a decade ago during red team exercises. Nowadays you can buy an off-the-shelf solution which is easy to deploy”, Mr Gevers said, hypothesising about the next steps for government security teams.

“Yanking everything electrical out sounds like a very drastic solution but it’s not overkilling. I can’t imagine why they would not do such a thing. Or at least inspect everything. It is a time-consuming job. But it has to be done. And let’s hope they do not find anything.”

Neither United States Capitol Police, nor the Department for Homeland Security, responded to requests for comment from The Independent by time of publication.
