Potentially tens of thousands of government contractors could be impacted by fraud.
The General Services Administration began alerting vendors on March 22 after it found a third-party changed the financial information of “a limited number” of contractors registered on the governmentwide System for Award Management (SAM.gov) portal.
“Entities should contact their federal agency awarding official if they find that payments, which were due their entity from a federal agency, have been paid to a bank account other than the entity’s bank account,” GSA writes in a SAM update on its website.
GSA says it has taken several steps to further limit any attempts to defraud the government by now “requiring an original, signed notarized letter identifying the authorized entity administrator for the entity associated with the DUNS number before a new SAM.gov entity registration will be activated.”
Vendors that haven’t been notified of fraudulent activity should log into SAM.gov and review their information to make sure it’s correct.
This is at least the third time SAM.gov has struggled to keep its information secure. In 2013, SAM.gov potentially exposed users’ information, including some Social Security numbers and bank-account information, to the public because of a cybersecurity vulnerability.
In 2016, the Justice Department unsealed charges against Dwayne C. Hans, a U.S. citizen, who was charged with wire fraud, computer fraud and money laundering. Part of the fraud was breaking into SAM.gov.
“During this unauthorized website intrusion, the defendant changed information in entries pertaining to the financial institution, including by replacing the bank account information for the financial institution with the defendant’s personal bank account information,” Justice stated. “As a result, the Pension Benefit Guaranty Corporation sent more than $1.5 million to the defendant instead of the financial institution. These fraudulent wire transfers were reversed once they were detected.”
Hans pleaded guilty in October and will be sentenced in April.
“In April 2016, Hans accessed a website maintained by the GSA that allowed companies that worked with the U.S. government to provide information about how the government should disburse money to those companies. Hans modified payment information in an entry associated with Financial Institution 1 in order to redirect payments to accounts he controlled. As a result, a U.S. government agency transferred approximately $1.521 million to Hans instead of to Financial Institution 1,” Justice states. “Those transfers were ultimately detected and disrupted before the defendant withdrew or transferred the money.”
GSA’s inspector general is investigating this most recent fraud.
Additionally, a GSA source says this fraud has garnered attention within the agency at the highest levels, including the formation of a “Tiger Team” across GSA to help deal with the fallout from the fraud. The source says addressing the fraud issues must involve Dun & Bradstreet, which is the entity verification service and has its own process for vendors verifying who they are.
The source said it’s unclear how many vendors were impacted by the fraud. But the new approach to entity verification is a lot of work and a cost GSA was not prepared for.
Sources say GSA executives briefed the Senate Homeland Security and Governmental Affairs Committee on Friday, but it was unclear whether the briefing already was planned or called for because of the SAM.gov fraud issues.
An email to the committee seeking comment on the briefing was not returned.
A GSA spokesman emphasized to Federal News Radio that what happened to SAM.gov was not a cyber or technical breach, but a case of fraud.
But Jeremy Grant, the founder and former director of the National Strategy for Trusted Identities in Cyberspace (NSTIC), housed in the National Institute of Standards and Technology (NIST) and now managing director of technology business strategy at Venable in Washington, D.C., said this certainly sounds like a cyber incident.
“If passwords to the SAM accounts were phished, then that is the definition of a cyber incident. It just happens to be a cyber incident that was used to perpetrate fraud. The fact that money was stolen instead of data does not change the fact that the attack method was based on exploiting weaknesses in the SAM authentication system,” Grant said in an email to Federal News Radio. “Symantec just this week released their 2018 Internet Security Threat Report, which noted that 71 percent of cyberattacks last year began with spear phishing. Given that the SAM system is critical to how government contracts are managed — and how contractors get paid — it’s not surprising to see that SAM accounts would be a target for phishing attacks.”
Grant said any federal website that depends on password alone for authentication and protection is destined to be a victim of a cyber attack.
“Passwords are the single most commonly exploited attack vector in cyberspace,” he said. “Given the importance of SAM, GSA should follow NIST guidance (SP 800-63-3) and require use of multi-factor authentication to protect accounts — preferably ‘high assurance strong authentication’ where at least one factor leverages public key cryptography. That doesn’t require full-blown Public Key Infrastructure (PKI) — SAM could follow the lead of firms like Google and Bank of America, and turn on support for FIDO Alliance’s Security Keys that deliver unphishable authentication.”
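Grant’s point that a security key is “unphishable” rests on a specific mechanism: the authenticator signs over the origin the browser is actually talking to and the RP ID the credential was scoped to, so an assertion collected by a lookalike site fails verification at the real site even when the attacker relays the genuine challenge in real time. The following toy model of that FIDO2/WebAuthn assertion flow is an added illustration written for this article; it is not SAM.gov, GSA or FIDO Alliance code. The relying-party origin `https://sam.example.gov`, the phishing origin and all function names are assumptions, and the challenge-binding format is simplified from the real specification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"net/url"
)

// Assumed relying-party identity for this example (not a real SAM.gov host).
const rpOrigin = "https://sam.example.gov"
const rpID = "sam.example.gov"

// clientData is assembled by the browser, not by the web page: it records the
// challenge the page supplied and the origin the browser is really connected to.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the relying party receives back.
type assertion struct {
	RPIDHash   [32]byte // hash of the RP ID the credential is scoped to
	ClientJSON []byte   // serialized clientData
	Sig        []byte   // ECDSA signature over rpIdHash || sha256(clientJSON)
}

// authenticatorSign models the security key: it binds the signature to the RP
// ID it was asked to use and to the browser-supplied client data.
func authenticatorSign(priv *ecdsa.PrivateKey, rpid string, cd clientData) (assertion, error) {
	cj, err := json.Marshal(cd)
	if err != nil {
		return assertion{}, err
	}
	rpHash := sha256.Sum256([]byte(rpid))
	cdHash := sha256.Sum256(cj)
	toSign := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, toSign[:])
	if err != nil {
		return assertion{}, err
	}
	return assertion{RPIDHash: rpHash, ClientJSON: cj, Sig: sig}, nil
}

// browserCollect models the user agent: a page may only request a credential
// scoped to its own host, and the true origin is written into clientData.
func browserCollect(priv *ecdsa.PrivateKey, pageOrigin, challenge string) (assertion, error) {
	u, err := url.Parse(pageOrigin)
	if err != nil {
		return assertion{}, err
	}
	cd := clientData{Type: "webauthn.get", Challenge: challenge, Origin: pageOrigin}
	return authenticatorSign(priv, u.Hostname(), cd)
}

// verifyAssertion is the relying party's check. It fails closed on a replayed
// challenge, an assertion collected at another origin, a credential scoped to
// another RP ID, or a bad signature.
func verifyAssertion(pub *ecdsa.PublicKey, challenge string, a assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientJSON, &cd); err != nil {
		return fmt.Errorf("bad clientData: %w", err)
	}
	if cd.Type != "webauthn.get" {
		return fmt.Errorf("unexpected type %q", cd.Type)
	}
	if cd.Challenge != challenge {
		return fmt.Errorf("challenge mismatch: possible replay")
	}
	if cd.Origin != rpOrigin {
		return fmt.Errorf("assertion collected at %q, not %q: phishing relay", cd.Origin, rpOrigin)
	}
	if a.RPIDHash != sha256.Sum256([]byte(rpID)) {
		return fmt.Errorf("credential scoped to a different RP ID")
	}
	cdHash := sha256.Sum256(a.ClientJSON)
	toSign := sha256.Sum256(append(a.RPIDHash[:], cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, toSign[:], a.Sig) {
		return fmt.Errorf("signature invalid")
	}
	return nil
}

// newChallenge issues a fresh random challenge that the RP stores per session.
func newChallenge() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return fmt.Sprintf("%x", b), nil
}

// AttemptLogin runs one login end to end: the RP issues a challenge, the page
// at pageOrigin collects an assertion with the user's key, and the RP verifies.
// It returns nil only when the page the user interacted with was the real site.
func AttemptLogin(priv *ecdsa.PrivateKey, pageOrigin string) error {
	ch, err := newChallenge()
	if err != nil {
		return err
	}
	a, err := browserCollect(priv, pageOrigin, ch)
	if err != nil {
		return err
	}
	return verifyAssertion(&priv.PublicKey, ch, a)
}

func main() {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	fmt.Println("real site:    ", AttemptLogin(priv, rpOrigin))
	fmt.Println("phishing site:", AttemptLogin(priv, "https://sam-example-gov.login-help.example"))
}
```

Contrast this with a password: the phishing page in the second scenario would receive a perfectly reusable secret, whereas here it receives a signature that names the wrong origin and the wrong RP ID, which the real site rejects. The out-of-band notarized letter GSA adopted addresses the same gap from the process side, but only for new registrations.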
Whether it’s a cyber incident or not, acquisition experts say this is a big deal for contractors.
Christoph Mlinarchik, a government contracts expert and owner of ChristophLLC.com, a consulting firm, said GSA’s temporary fix of requiring a notarized letter shows the agency doesn’t have a real solution for this problem.
“It’s a Band-Aid on a gunshot wound. GSA can say they’re doing something while they figure out how to actually prevent this in the future,” he said. “If you read between the lines, there was a rumor that bad actors breached SAM.gov and re-routed payments to themselves, although the payments were actually owed to contractors from the federal government. GSA seems to have confirmed this rumor. Here’s how it supposedly works. Company X wins a federal contract and performs the work, but the bad actors route the payments owed to their own bank accounts. Meanwhile, Company X and the federal government are clueless as to why Company X hasn’t been paid, not knowing the information in SAM.gov was changed to send payments to the bad actors. A financial scheme worthy of a Hollywood blockbuster!”
Larry Allen, president of Allen Federal Business Partners and a long-time GSA observer, said the fact that someone figured out a way to falsify SAM.gov information should put all vendors on high alert.
Another industry source with knowledge of GSA, but who requested anonymity because they do work for the agency, said while it’s unclear whether this latest problem for SAM.gov is part of the program’s overall troubled history, the attack is part of the problem every agency faces in securing legacy systems.
“SAM is an important system to secure and like a number of systems around the government, starting with OPM’s systems that were breached by the Chinese where before they were breached, they weren’t considered terribly important or strategic. Only when you do the analysis of what can be lost does it become clear how strategic these systems are. There may not be national security plans in OPM or SAM systems, but it does contain information that is important and sensitive like many systems and you have to consider it a target,” said the source. “It goes again to the importance of finding a secure identity management approach. A lot of problems still spring from transitioning from old to new systems and having strong access and identity management during those transitions can help.”
GSA is trying to upgrade SAM.gov, launching beta.sam.gov in 2017. The goal is to create a common acquisition platform where vendors can find all the information they want in one place instead of more than five different sites.
This second case of fraud and third overall problem is part of a long-running saga to improve GSA’s acquisition systems. GSA has struggled to improve SAM.gov as part of the Integrated Acquisition Environment (IAE), first hiring IBM and then bringing in Booz Allen Hamilton after its initial effort failed.