DHS officials said they learned about the allegation on December 8 after Georgia Secretary of State Brian Kemp claimed that DHS IP addresses attacked state computers 10 times in the last 10 months. He said the most recent one was an attempt to look at the voter registration database.
Kemp said they looked into it, and traced it to an employee with the Federal Law Enforcement Training Center in Georgia. Apparently, this person was doing a simple background check on new armed guards, and wanted to make sure these people had the correct certification. That meant going to a Georgia state website to review the license numbers. The employee then copied and pasted this info from the web into an Excel file.
Well, this caused a routine command: basically, the Excel program needed to “ask” the website if it could copy and paste the license numbers. So something this routine triggered a medium-priority alert. They say no scanning or “nefarious activity” went on.
Kemp previously said his cyber-security vendor reported the “hacking” incident happened in November, and that they couldn’t replicate DHS’ claim as to what happened.
On Friday, DHS officials said that they worked with Microsoft to confirm that yes, copy-and-pasting did trigger this. While they say they couldn’t “speak to” why the Georgia officials couldn’t recreate the scenario, they are making their logs available. They say the other nine instances were linked to one IP address, one of 14 the agency uses. Again, they say the incidents were triggered by “normal commands” much like the copy-and-pasting in the November 15 incident. We contacted Microsoft to confirm DHS’ account, but a spokesperson declined to comment.
Kemp has said he reached out to President-elect Donald Trump to look into this.
Update – December 20, 4:54 p.m.: Added information from a Microsoft spokesperson.