Hackers aligning themselves with the Anonymous brand have been using a flaw in Adobe’s software to launch a year-long series of attacks on US government computers that the FBI believes is still ongoing, according to Reuters.
A memo sent out by the US Federal Bureau of Investigation (FBI) on Thursday described the attacks as “a widespread problem that should be addressed”, according to the news agency, which says that it’s seen the memo.
The FBI said that the hackers exploited a flaw in Adobe’s software to breach the US Army, Department of Energy, Department of Health and Human Services, and what ongoing investigations may reveal to be many more federal agencies.
The cyber break-ins began almost a year ago, in December 2012, and included the installation of “back doors” that would enable intruders to get back into the systems as recently as last month, the FBI said in the memo.
Officials linked the ongoing assault with Lauri Love, a British man who in October was charged with hacking into the computer systems of the US Army, NASA, and many other federal agencies.
Investigators believe the attacks began when Love and others took advantage of a security flaw in Adobe’s ColdFusion web application development platform.
Reuters also referred to an internal email dated 10 October from Energy Secretary Ernest Moniz’s chief of staff, Kevin Knobloch.
The email described the breached data as including the personal information of at least 104,000 employees, contractors, family members and others associated with the Department of Energy, along with information on thousands of bank accounts.
Officials are reportedly “very concerned” that loss of the banking information could lead to attempts to swindle funds out of accounts.
Some of the breaches and pilfered data in this campaign have been publicized by self-proclaimed Anonymous members, as part of what the group calls “Operation Last Resort”.
Operation Last Resort purportedly demands that the US reform its computer crime law in the wake of Aaron Swartz’s suicide.
Attacks carried out under the operation may have included the February 2013 hack of the US Federal Reserve during the Super Bowl, which might have also been enabled by ColdFusion vulnerabilities.
Other Operation Last Resort attacks, which began about a year ago, involved installing the Asteroids game on hacked sites belonging to US sentencing and probation agencies.
Beyond such publicized intrusions, however, lies an undetermined number yet to be discovered, the FBI wrote in its memo:
The majority of the intrusions have not yet been made publicly known. It is unknown exactly how many systems have been compromised, but it is a widespread problem that should be addressed.