Want CNET to notify you of price drops and the latest stories?

Russian hackers behind $50 million IRS scheme, report says

The hackers used data stolen from the IRS to file fraudulent tax returns and received $50 million before they were caught, according to the report.

Don Reisinger
Former CNET contributor Don Reisinger is a technology columnist who has covered everything from HDTVs to computers to Flowbee Haircut Systems. Besides his work with CNET, Don's work has been featured in a variety of other publications including PC World and a host of Ziff-Davis publications.
Don Reisinger
4 min read

The IRS is in some hot water after a hack. Screenshot by Dara Kerr/CNET

Hackers in Russia are again proving to be a thorn in the side of US government agencies.

The theft of critical information of more than 100,000 taxpayers from the Internal Revenue Service (IRS) database was the work of hackers in Russia, CNN reported on Thursday after speaking to Rep. Peter Roskam (R - IL), chairman of a House subcommittee that oversees the US tax agency. The lawmaker didn't say whether the Russian government played any role in the attack.

The admission comes just days after the IRS announced that hackers acquired critical taxpayer information from over 100,000 people through its "Get Transcript" tool. The agency said that the hackers used information obtained from previous hacks, including names, Social Security numbers and intimate details on the individuals, to receive a transcript of past tax returns. Those transcripts were then used to file fraudulent returns for the current year before the April 15 tax deadline. According to the Associated Press, over $50 million in tax refunds was handed to the hackers before the attack was discovered this month.

The hack is just the latest evidence that Russian hackers -- whether they are part of the government or not -- are maliciously infiltrating a number of US agencies.

In April, the US revealed that the Russian government had hacked into the White House's computer systems. The attack, which occurred last year, was initially cast as a breach that saw no sensitive data reach the hackers' computers. However, a report out last month suggested that sensitive information was stolen, including confidential details about the president's schedule. The US Department of State was also hacked as part of the breach, forcing the government agency to shut down part of its network to thwart the hackers.

Russia's hack was in part the basis for modifications the US has made to existing policies to respond to cyberthreats. In April, US Defense Secretary Ash Carter outlined a new protocol that will see the US launch cyberattacks on foreign threats to either thwart or discourage cyberattacks on US government agencies and companies. That announcement followed an executive order signed by President Obama in early April that will allow his cabinet to issue sanctions on foreign hackers. Like the Defense Department's move, that tweak is aimed at stopping attacks before they happen.

"Effective incident response requires the ability to increase the costs and reduce the economic benefits from malicious cyber activity," Lisa Monaco, assistant to the president for homeland security and counterterrorism, said in a statement at the time. "And this means, in addition to our existing tools, we need a capability to deter and impose costs on those responsible for significant harmful cyber activity where it really hurts -- at their bottom line."

It's unclear whether the IRS attack will fall under the auspices of either of those efforts. The government agency was quick to point out that it's investigating the matter, along with the Treasury Inspector General for Tax Administration and the FBI.

So far, the key details in the attack have not followed other hacks from Russia. In the IRS case, hackers used the legitimate "Get Transcript" tool to access all the taxpayer information they needed to file fraudulent returns. Those hackers conducted targeted attacks with information they already had from a previous hack on a third-party service, the IRS said, without noting which hack may have caused the initial data breach. The "Get Transcript" tool was used to obtain other information needed to file a new tax return. Even more alarming, in order to obtain a transcript, a user must answer "verification questions that typically are only known by the taxpayer," the IRS said. In over 100,000 cases, the hackers had that information on-hand. In total, 200,000 attempts were made to obtain transcripts.

"A further review by the IRS identified that these attempts were quite complex in nature and appear to have started in February and ran through mid-May," the IRS said. "In all, about 200,000 attempts were made from questionable email domains, with more than 100,000 of those attempts successfully clearing authentication hurdles."

According to the IRS, no attempts were made to hack into its tax return database to steal more information; the hack was ostensibly intended only to generate a quick sum of cash. The other Russian attacks seemed to have been more politically motivated in order to obtain access to files and information.

Still, for the more than 100,000 taxpayers affected by the breach, there is little relief. For one, they've fallen victim to identity theft on a grand scale as their most intimate information has landed in the hands of hackers. The IRS says that the fraudulent returns will not affect taxpayer liability and those affected will be given free credit-monitoring.

The IRS did not immediately respond to a request for comment.