Culprit behind 2014 CIA hack turned out to be ... the CIA

Culprit behind 2014 CIA hack turned out to be … the CIA

Emails show the Agency alleged that their FOIA portal had been the victim of a still classified attack that never happened

Written by
Edited by JPat Brown

Declassified CIA emails released to Michael Morisy show that the Agency believed that their online FOIA Reading Room had been taken down by a vicious cyberattack. Later emails admitted, however, that the attacks against the Agency’s website had been unsuccessful - and that the damage had been entirely self-inflicted.

According to the classified email from June 20th in 2014, the issue had come to the attention of one of the deputy branch chiefs, before being brought up with Douglas Wolfe, the Agency’s Chief Information Officer (CIO), and Joseph Lambert, the Director of Information Management Services and Todd Ebitz, the Agency Spokesman.

The email describes a series of “several denial of service attacks” on the Agency’s public-facing website. None of the attacks were successful in damaging or disrupting the website, and are not described as being distributed denial of service attacks or advanced in any way. In response, the Agency did something that’s almost always recommended - they applied updates and security patches. In any other circumstances, this would have been the right move. This time, however, it would prove to be a fatal error for the Agency’s website. Following the security patches, the Agency believed they were the victim of a new attack. The details, and even the type, of the attack remain classified.

Another email states flatly that “the attack did take down the site.”

The only problem? The attack never happened.

The problem had been more modestly and realistically described in an email that had been sent earlier that morning. The 6:44 AM memo simply stated that the FOIA website was down despite the email’s author having worked on it all night, and restored the database and the servers multiple times. Even a “complete server reinstall of all the servers” had proven successful in getting the website back online.

At one point, they’d gotten the mirror server working …

and the support ticket was marked as resolved …

followed by a celebratory email that turned out to be premature - “famous last words,” as they say.

Half a day later, the Agency seemed to have gotten the problem resolved …

Which allowed them to move on to analyzing the attack - which is also where the Agency’s narrative fell apart.

According to the Deputy Branch Chief involved, an after action report would have to wait since they were without the help of their developer, who was on vacation.

While the Reading Room was back up, the Agency’s FOIA submission form wasn’t. A formerly SECRET email from the Agency’s Deputy Director shows that since they considered the form to be nonfunctional, they disabled it altogether until the developer’s vacation ended. To get the website working again, they’d need to restore it to a snapshot from May 8th - nearly a month before the first denial of service attack was detected.

An email sent several weeks later showed that the Agency was getting ready to implement new measures to prevent and monitor such attacks. Despite apparently involving no internal systems and having been carefully coordinated, “an internal issue” was “holding up a change to an external entity and protection for a site that needs to be protected right away.”

While additional security measures may have been a good idea, emails show that the Agency’s narrative completely fell apart the next day. “It was not an attack,” an unclassified memo wrote, “but error in the code that caused the outage.”

Another, formerly SECRET, email seeks to confirm the understanding that the error was a result of the Agency’s own code. Some of the details of the non-attack discussed in this email remain classified.

In response, another declassified email confirms this.

The Agency took notice when people on Twitter began discussing the FOIA website’s outage, though it’s unclear if the exclamation point was more excited or worried.

When some “frequent requesters” noticed that the Agency hadn’t actually disabled the FOIA submission form, the Agency decided this was “unfair” and declassified emails show they had only disabled links to the page rather than actually “unpublishing” it.

On June 30th, the Agency was optimistic that everything was finally about to be fixed …

only to discover that they had brought the entire site down, instead. The site seemed to be “basically rejecting any kind of security updates” and the FOIA website had “wide open directories” where “anyone can access them.”

The developer was stymied, and finally thought it was time to bring in an outside programmer “to come in and access the web site.”

Less than an hour later, however, the website was reported as being back up. No details on how or what happened have been released - or when the request form would be working again.

In addition to being embarrassing for the Agency, this turn of events undermines the Agency’s prior claims that keeping CREST offline was necessary for security, lest there be “unauthorized attempts to modify any information stored on” CREST.

You can read the emails on the imaginary attack and the Agency’s self-inflicted website damage below, or on the request page.

Like M Best’s work? Support them on Patreon.

Image via Paramount Pictures