Federal IT Contractor Agrees to Pay $14.75M Over False Cybersecurity Services Claim
Hill ASC Inc.’s $14.75 million settlement with the U.S. Department of Justice closes a five-year saga in which the Rockville-based contractor allegedly billed agencies for “highly adaptive” cybersecurity support it was never qualified to deliver.
Investigators say Hill’s pitch hinged on a bespoke endpoint-monitoring platform that quietly seeded a loader, nicknamed “ShadowQuill,” across federal enclaves, promising rapid threat hunting while actually funneling traffic to third-party infrastructure.
ShadowQuill surfaced in mid-2021 when surge-pricing anomalies triggered an internal Treasury audit. Packet captures revealed TLS beacons masquerading as certificate revocation checks, allowing the loader to retrieve encrypted PowerShell payloads from GitHub gists.
Office of Public Affairs analysts noted the pattern echoed tactics previously linked to the SilentLibra group, correlating Hill’s invoice spikes with command-and-control bursts during quarterly patch cycles.
In practice, the malware exploited trusted scheduler permissions baked into the contractor’s remote-assist toolchain. Once invoked, it sidestepped host-based intrusion prevention by reflecting DLLs off memory pages already signed by legitimate vendors, leaving conventional signature scanners blind.
The impact stretched beyond inflated labor charges; network forensics suggest at least twenty internal repositories were scraped for source code relating to taxpayer-data analytics, prompting an urgent cross-agency credential rotation in late 2023.
While the False Claims Act settlement turns on fraudulent invoices rather than data theft, Justice Department officials stress that unchecked vendor implants can magnify fiscal waste into systemic exposure.
The ability-to-pay calculus capped penalties, yet Hill must also implement a multi-year compliance agreement and fund third-party blue-team validation.
Detection Evasion Via Signed Binary Proxy Execution
ShadowQuill’s persistence leaned on signed binary proxy execution, invoking the legitimate “Msiexec.exe” to sideload its reflective DLL without tripping application whitelisting.
The loader stores its payload in the registry’s WMI filters, triggering on system uptime events so that reboot cycles do not cleanse the infection.
Analysts found that runtime entropy hovered near 7.2, just below many heuristic thresholds, allowing it to masquerade as compressed telemetry blobs.
// YARA-style heuristic for ShadowQuill (the article's rule, with YARA syntax corrected)
rule ShadowQuill_ProxyExec
{
    strings:
        $s1 = { 4D 53 49 45 58 45 43 }                        // ASCII "MSIEXEC"
        $s2 = "registry::create('root\\subscription')" nocase // backslash must be escaped in a YARA text string
        $s3 = /https:\/\/raw\.githubusercontent\.com\/.*\/.*\/payload\.ps1/ // slashes and dots escaped inside the regex
    condition:
        uint16(0) == 0x5A4D and all of ($s*) // MZ header plus all three indicators
}
Deploying the rule against live memory snapshots identified 37 compromised endpoints within GSA test ranges, underscoring how small deviations in behavioral baselines can expose sophisticated supply-chain fraud within ostensibly routine IT contracts.
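The WMI-subscription persistence and signed-binary proxy execution described above can be hunted for on a host with the standard CIM cmdlets. The following is an added example written for this page, not code from the article, Hill ASC or the Justice Department; the uptime and proxy-host keyword patterns are assumptions drawn from the description and should be tuned to the environment.

```powershell
# Added example: enumerate permanent WMI event subscriptions in root/subscription
# and flag bindings that pair an uptime-driven filter with a consumer that
# launches a signed host binary such as msiexec.exe (as the article describes).
function Find-SuspiciousWmiSubscription {
    $ns = 'root/subscription'
    $filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue)
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue)
    $bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)

    # Assumed patterns: a WQL filter polling the OS uptime performance counter,
    # and a consumer whose command or script invokes a proxy-execution host.
    $uptimePattern = 'SystemUpTime|Win32_PerfFormattedData_PerfOS_System'
    $proxyPattern  = 'msiexec|powershell|rundll32|regsvr32'

    foreach ($b in $bindings) {
        # Filter and Consumer are reference properties; match on their key (Name).
        $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }   | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name } | Select-Object -First 1
        if (-not $f -or -not $c) { continue }

        # The action text lives in a different property per consumer subclass.
        $action = switch ($c.CimClass.CimClassName) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { $c.ScriptText }
            default                     { '' }
        }

        [pscustomobject]@{
            Filter        = $f.Name
            Query         = $f.Query
            Consumer      = $c.Name
            ConsumerClass = $c.CimClass.CimClassName
            Action        = $action
            UptimeTrigger = [bool]($f.Query -match $uptimePattern)
            ProxyExec     = [bool]($action -match $proxyPattern)
        }
    }
}

# Show every binding, with the two flags side by side; both true is the pattern to triage first.
Find-SuspiciousWmiSubscription | Sort-Object ProxyExec, UptimeTrigger -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell session; any binding at all in root/subscription on a workstation deserves a look, since legitimate ones are rare outside management tooling.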