US government agency destroys hardware to clear malware
$170,000 worth of equipment, including mice and keyboards, was physically destroyed when, according to a report, the Economic Development Administration (EDA) overreacted to an overstated malware threat. The EDA, a part of the US Commerce Department, also spent $823,000 on a contractor to investigate the infection, over one million dollars on temporary infrastructure and $688,000 for assistance from a contractor with a long-term recovery plan.
The story began on 6 December 2011 when US-CERT alerted the Department of Commerce Computer Incident Response Team (DOC CIRT) that there was a potential malware infection on the IT systems in the Herbert C. Hoover Building (HCHB) network. DOC CIRT sent email notifications to both the National Oceanic and Atmospheric Administration (NOAA) and the EDA, saying that there was a malware problem. The NOAA notification identified a component, which was fixed and returned to service by 12 January 2012.
But the incident handler had looked up the wrong network logging information and told the EDA that 146 components were infected with malware. DOC CIRT corrected that error with a second notification, saying that only 2 systems were affected, but failed to tell the EDA that the first notification had been wrong. That first notification had in fact only identified equipment on the HCHB network that belonged to the EDA, not equipment that was infected. Over the following weeks the misunderstanding rolled on: DOC CIRT tested the two components and confirmed a problem, which the EDA took as a signal that all 146 components were infected with malware.
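The scoping error at the heart of this story is that a list of hosts that merely belonged to the EDA on the HCHB network was read as a list of infected hosts. The following is an added example, not code from the report or from any of the agencies involved, of how an incident handler can reconcile a notification's host list against the detections that actually support it before declaring scope. All host names, the inventory and the log lines are constructed for the example.

```python
"""Reconcile an incident notification's host list against real detection
evidence, so that "hosts on the network" is never mistaken for "hosts infected".
All data below is constructed for illustration.
"""
from dataclasses import dataclass, field
import re

# Constructed asset inventory: host -> owning organisation.
ASSET_INVENTORY = {
    "eda-ws-01": "EDA",
    "eda-ws-02": "EDA",
    "eda-ws-03": "EDA",
    "eda-ws-04": "EDA",
    "eda-ws-05": "EDA",
    "noaa-ws-01": "NOAA",
}

# Constructed detection log lines from a hypothetical sensor.
DETECTION_LOGS = [
    "2011-12-06T10:15:02Z alert host=eda-ws-01 sig=rootkit-beacon",
    "2011-12-06T10:17:44Z alert host=eda-ws-02 sig=rootkit-beacon",
    "2011-12-06T10:20:00Z info host=eda-ws-05 msg=scheduled-scan-clean",
    "2011-12-06T10:21:13Z alert host=noaa-ws-01 sig=rootkit-beacon",
]

# Constructed first notification: every EDA asset on the network, plus a
# host that is not in the inventory at all.
NOTIFIED_HOSTS = {h for h, org in ASSET_INVENTORY.items() if org == "EDA"} | {"eda-printer-99"}

ALERT_RE = re.compile(r"^\S+ alert host=(?P<host>\S+) sig=\S+$")


@dataclass
class IncidentScope:
    confirmed: set = field(default_factory=set)    # listed hosts with a matching alert
    unsupported: set = field(default_factory=set)  # listed hosts with no alert at all
    unknown: set = field(default_factory=set)      # listed hosts missing from inventory
    unlisted: set = field(default_factory=set)     # alerting hosts the notification omitted


def parse_alert_hosts(lines):
    """Return the set of hosts that have at least one 'alert' line.
    Informational lines (scan-clean etc.) are deliberately not evidence."""
    hosts = set()
    for line in lines:
        m = ALERT_RE.match(line)
        if m:
            hosts.add(m.group("host"))
    return hosts


def scope_incident(notified, inventory, detection_lines):
    """Split a notification's host list into evidence-backed and unbacked hosts."""
    alerting = parse_alert_hosts(detection_lines)
    scope = IncidentScope()
    for host in notified:
        if host not in inventory:
            scope.unknown.add(host)
        elif host in alerting:
            scope.confirmed.add(host)
        else:
            scope.unsupported.add(host)
    # Alerts on hosts the notification never mentioned still matter.
    scope.unlisted = alerting - notified
    return scope


def notification_is_overstated(scope):
    """True when the notification names more hosts without evidence than with it.
    A handler seeing this should re-check the lookup before sending the list on."""
    return len(scope.unsupported) > len(scope.confirmed)


if __name__ == "__main__":
    s = scope_incident(NOTIFIED_HOSTS, ASSET_INVENTORY, DETECTION_LOGS)
    print("confirmed  :", sorted(s.confirmed))
    print("unsupported:", sorted(s.unsupported))
    print("unknown    :", sorted(s.unknown))
    print("unlisted   :", sorted(s.unlisted))
    print("overstated :", notification_is_overstated(s))
```

The point of separating `confirmed` from `unsupported` is that a corrected notification can state both the evidence-backed count and the reason the earlier, larger count was wrong; the story above turned on the second notification omitting that explanation.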
By 24 January 2012, the EDA's CIO had decided to disconnect all their systems from the HCHB network to stop the non-existent malware from spreading. The EDA then brought in a contractor, who found initial indications of malware but later decided these were false positives. The CIO sought assurance from the contractor, who continued looking, that an infection could not exist, rather than merely that none had been found. By April the contractor concluded they could not find any persistent or targeted malware, and the NSA and US-CERT came to the same conclusion.
This was not enough for the EDA CIO and management, who set about cleaning the data on the systems as part of recovery. In the end, only six systems were compromised, two with rootkits and four with "common malware". But the EDA CIO decided that the potential risk made the destruction of all the IT components necessary, "including desktops, printers, TVs, cameras, computer mice, and keyboards", and only halted destruction in August 2012 because the agency had run out of funds to destroy the other $3 million worth of EDA equipment.