US Merit Systems Protection Board compromised in Iranian government-linked hack: report

The quasi-judicial agency was hit earlier this year during the attack, according to The Washington Post.

The agency responsible for arbitrating disputes with federal employees was compromised in an Iranian government-linked hack earlier this year, according to a report.

Hackers exploited the well-known Log4Shell vulnerability to install cryptocurrency mining software and compromise credentials, the Cybersecurity and Infrastructure Security Agency said Wednesday in an alert.

Details of which federal government agency was affected by the attack were first reported by The Washington Post.

It remains unclear what information may have been compromised because of the incident, but hackers broke into an unpatched VMware Horizon server in February and then used that access to move laterally within the network of an unidentified federal agency, according to the CISA alert.


The Log4Shell vulnerability stems from a flaw in the open-source software Log4j and represents one of the most wide-ranging security compromises in recent years. Log4j is a nearly ubiquitous tool that software developers have built into a huge range of software.

In response to the Log4Shell flaw, CISA at the time ordered agencies under its jurisdiction to carry out an emergency patching operation, and state-backed hackers immediately began scanning for vulnerable systems to target. 

MSPB is a quasi-judicial entity responsible for safeguarding the merit system principles, which are the standards that govern the civil service federal workforce. The board was established by the Civil Service Reform Act of 1978.

Commenting on the compromise, Yaron Kassner, chief technology officer and co-founder of identity protection platform Silverfort, said: “The alert from CISA is evidence of the unfortunate legacy we were warned to expect from Log4Shell at the time of its discovery. It is a gift to state actors and access brokers and this attack is proof of the impact critical vulnerabilities such as this can have when left unpatched.”

He added: “As we see here, once a toehold is gained – attackers are then able to simply pick up administrator credentials and use them to move laterally, before eventually compromising the entire domain.”


MSPB declined to comment. CISA did not immediately respond to a request for comment.

Written by John Hewitt Jones

John is the managing editor of FedScoop, and was previously a reporter at Institutional Investor in New York City. He has a master’s degree in social policy from the London School of Economics and his writing has appeared in The Scotsman and The Sunday Times of London newspapers.