The Department of Energy released a special report recently announcing that during the Department’s 2016 Cyber Conference, the audience was intentionally hacked as part of an exercise aimed at gauging real vulnerability.
The report does not say where the conference took place, but notes that it was a “non-federal facility” in Atlanta. According to the DOE Inspector General’s official special report, “During the conference, the Office of Cyber Assessments conducted an unannounced assessment related to the use of mobile device charging stations.”
“Officials indicated that the purpose was to determine whether conference participants would connect government and/or personal devices to a charging station.”
According to the report, the “Office of Cyber Assessments had used data collection devices that were disguised as mobile device charging stations and intended to collect specific, non-sensitive information from devices (such as cell phones) connected to them.”
This assessment was categorized as a “Red-Team Exercise,” which the report defines as “Unannounced tests” that “are conducted without informing the site but are required to include coordination with a trusted agent.”
All of their assessments, both announced and unannounced, “must be carefully and thoroughly conducted and coordinated,” according to the department.