Cybersecurity

Recent massive infiltration of government, Fortune 500 company networks is reminder that hackers are a real threat

By ALLEN JONES/TEXPERS Communications Manager

The threat of cybersecurity attacks on government agencies became very real on Dec. 13 with the reveal that suspected Russian hackers infiltrated government and corporate networks to steal sensitive information.

The group alleged to have committed the breach is known to the U.S. military and intelligence community, according to a national security and investigations report published by Yahoo news.

Among the government agencies, the hackers gained access to are the U.S. Treasury and Commerce departments. According to an article in The Washington Post, officials say the computer espionage campaign began months ago.

The hackers, nicknamed CozyBear, are thought to be part of the Russian intelligence service. Classified as advanced persistent threat APT29, the group gained access to email systems. This isn't the first time the group is accused of hacking the U.S. government. The group allegedly infiltrated the State Department and the White House email systems during the Obama administration.

CozyBear is believed to have been in operation in 2008. According to various reports by cybersecurity companies; however, the hacker group has been compromising diplomatic organizations and governments since at least 2010. The FBI is investigating the recent cybersecurity breach that targeted government agencies as well as consulting, technology, telecom, and oil and gas companies in North America, Europe, Asia, and the Middle East.

Investigators say CozyBear utilized a combination of techniques to insert harmful code into federal computer systems through a piece of server software offered through an Austin-based company called SolarWinds Corp, according to an article on Bloomburg.com. The company provides its clients with IT management and remote monitoring capabilities. Hundreds of thousands of organizations globally, including Fortune 500 companies and multiple U.S. federal agencies, use its tools and are now working to patch up their networks.

The recent hack is a reminder to public pension funds that trustees and administrators must make cybersecurity a priority to protect its active and retired members' sensitive information. Financial services organizations such as public pension funds and investment firms have a wealth of information that they keep on hand about their members that thieves would find attractive.

CozyBear is not the only hacker group looking to obtain sensitive information. Texas is among the states with the highest number of cybercrime victims. In 2017, the state ranked third among states in the number of cybercrime victims and second in its financial losses, according to the Texas Comptroller's Office.

There have been several major network breaches in Texas, according to IronEdge, a cybersecurity solutions provider with offices in Houston and San Antonio. In February 2020, the company posted a list of the top five cybersecurity breaches in Texas history. The Texas Lottery was the victim of a cybersecurity breach in 2008, which impacted the lottery's retailers, vendors, and commission employees--more than 100,000 people. Other high-profile hacks in the state include the Texas government in 2011, the Office of the Texas Attorney General in 2012, Omni Hotels and Resorts in 2016, and 22 Texas municipalities in 2019.

A significant factor in the theft of sensitive information is the abundance of poor security practices. When tracked by industry, 12 percent of network breaches in 2017 were among financial institutions, 11 percent were among government agencies, and 1 percent were among nonprofits. All are areas that public pension systems, their investment managers, consultants, vendors, and stakeholders could be classified.

Public pension funds should take steps to ensure their digital data is secure. Here are a few suggestions TEXPERS compiled from various cybersecurity experts, firms, and nonprofit resources:

1. Follow any government regulations for data security and develop procedures to secure data networks to help limit breaches. A helpful resource is the National Institute of Standards and Technology, a non-regulatory of the U.S. Department of Commerce, which lists best practices for collecting, housing, storing, and disposing of sensitive data.
2. Consider hiring an information technology expert to work with on a full- or part-time basis. Internet Technology professionals maintain computer systems for companies and other organizations. According to the College of Information Systems and Technology School of Business and College of Criminal Justice at the University of Phoenix, IT is a growing job field. Public pensions do not necessarily have to create a new staff position. It could mean that a fund contracts with a cybersecurity firm or seeks out a consultant.
3. Ensure their third-party service providers have cybersecurity experts securing sensitive data.
4. Offer resources to help a fund’s retired members, especially the elderly, a high-risk population when it comes to falling victim to cyber scams, fraudsters, and identity thieves. The Identity Theft Resource Center is a nonprofit organization that guides consumers, victims, businesses, and the government to minimize risk and mitigate the impact of identity theft.

Follow TEXPERS on Facebook and Twitter and visit its website for the latest news about the public pension industry in Texas.

Allen Jones is the Communications and Public Relations Manager at the Texas Association of Public Employee Retirement Systems. He has been with the association since January 2017. He can be reached at allen@texpers.org.