Written by Dave Nyczepir
In 2020, the Department of Health and Human Services was hit by more than eight billion scan attempts over 18 hours in a distributed denial-of-service attack, according to the agency’s former chief information officer.
In an interview with FedScoop, José Arrieta said attackers waited for the agency to lower its perimeter firewall and clear its cache — because the network was reloading about 50 million packets, which was slowing it down — to gain access to the department’s network.
HHS was hit by a major DDoS-style attack on March 15, 2020, when malicious actors attempted to exploit the agency’s pandemic switch to full teleworking to infiltrate its network.
“And when we did [lower the firewall], they were trying to embed themselves into the HHS network so they could exfiltrate data when we started full telecommuting,” Arrieta told FedScoop. “And we would have no visibility or understanding of whether it was normal remote work or if it was an enemy combatant actually trying to steal data.”
According to Arrieta, HHS’s network remained operational because the agency had already upgraded its firewalls, trusted Internet connection capacity in multiple locations, server capacity and the virtual private network’s telecommuting capability.
Scanning attacks are used to collect network information for sophisticated cyberattacks. Commonly used scanning techniques for gathering computer network information include IP address scanning, port scanning, and version scanning.
More details about the cyber threat HHS faced at the height of the coronavirus pandemic come after several former senior officials questioned key findings of a dismissed watchdog report on the cyber security of COVID-19 data analytics systems in place at the time.
Officials who spoke to that publication said the report, which was retracted by the HHS inspector general last month, failed to consider the speed with which agency leaders had to respond to the situation, the lack of high-quality data available, and the cybersecurity measures that the Office of the CIO introduced in response to the March 15 attack.
Two officials briefed on the investigation refuted its findings, saying the capabilities the technology quickly made available to senior medical decision-makers outweighed any potential cyber risks.
HHS did not respond to a request for comment.