Investigation is ongoing; there is no official attribution

May 28, 2015 13:25 GMT

Russia is often named as the place of origin for various cyber-attacks targeting US government institutions, and the latest data breach announced by the IRS is no exception.

From February through mid-May, cybercriminals abused the authentication system set up by the US Internal Revenue Service for the Get Transcript online application and managed to access tax records of more than 100,000 taxpayers.

The Criminal Investigation Unit and the Treasury Inspector General for Tax Administration are currently investigating the incident. The effort is still at an early stage and accurately identifying the perpetrators is a difficult process.

Attackers could be from anywhere in the world

CNN, citing two unnamed sources, reports that the agency believes the breach originated in Russia, suggesting that the attackers may also be citizens of the country.

There is no official information to confirm it, but the theory is not far-fetched, since Russia is the home of multiple groups running financially motivated cyber-attacks.

However, cybercriminal activity is often conducted via proxies that route the connection between the attacker and the target through multiple hosts in order to cover the attacker's tracks. This means that the perpetrators could be located anywhere in the world.

No hacking took place

The IRS data breach was not the result of a hack or a compromise of any of the agency’s servers, because the attackers used information (Social Security numbers, dates of birth) from other breaches to authenticate with the Get Transcript service.

“In this sophisticated effort, third parties succeeded in clearing a multi-step authentication process that required prior personal knowledge about the taxpayer,” the agency said on Tuesday.

“The multi-layer process also requires an additional step, where applicants must correctly answer several personal identity verification questions that typically are only known by the taxpayer,” the official announcement from the IRS noted.

The agency identified about 200,000 total attempts to access tax data belonging to US citizens during that period, half of them successful.