TIGTA says IRS successfully prevented ransomware attacks

The Treasury Inspector General for Tax Administration praised the Internal Revenue Service for its successful efforts in fending off possible ransomware attacks.

The report outlined inspectors’ review of IRS policies and procedures related to incident response plan requirements and their consistency with National Institute of Standards and Technology guidance. Inspectors also reviewed IRS policies and procedures related to required alternate storage site and system backup contingency planning controls, and determined they were generally consistent with NIST guidance as well.

Overall, TIGTA inspectors found the IRS plan is in line with NIST best practices, which could be a factor in why there were no successful ransomware attacks against the service prior to June 2022 (the period covered by the review). In fact, according to the report, the use of these procedures was credited with stopping an attempted ransomware attack on IRS systems in May 2022. While certain details were redacted, personnel from the IRS Computer Security Incident Response Center analyzed the website browsing log and identified website traffic patterns consistent with ransomware, and then removed the affected computer from the network. TIGTA compared the details of this incident response report against current policies and procedures and determined that the CSIRC took appropriate actions to resolve the incident.

TIGTA inspectors also selected four information systems and reviewed the results of annual testing of their Information System Contingency Plans from July 1, 2021, through June 30, 2022. For three of the information systems, TIGTA concluded these systems had effective controls to enable them to be restored in the event of a ransomware attack. The test results for the fourth information system identified unresolved issues related to the failure to back up system data on a daily basis as required. During the TIGTA audit, the IRS corrected these deficiencies by performing daily backups, but system data was at risk for approximately two years until the IRS addressed the deficiencies.

Given these findings, TIGTA made no recommendations to the IRS in the report. The IRS, as one might imagine, agreed with…