Federal IT Contractor Settles for $14.75 Million Over False Cybersecurity Claims

Hill ASC Inc., operating as Hill Associates and based in Rockville, Maryland, has agreed to a settlement of at least $14.75 million with the U.S. Department of Justice. This settlement addresses allegations that the company violated the False Claims Act by misrepresenting its qualifications and services under a General Services Administration (GSA) contract for information technology services.

Background and Allegations

From 2018 to 2023, Hill Associates provided IT services to federal agencies through the GSA’s Multiple Award Schedule (MAS) program. This program streamlines the procurement process for commonly used commercial goods and services by federal agencies. The settlement resolves several key allegations:

1. Unqualified Personnel: Hill Associates allegedly billed federal agencies for IT personnel who lacked the required experience or education specified in the contract.

2. Unauthorized Cybersecurity Services: The company purportedly offered Highly Adaptive Cybersecurity Services (HACS) without passing the technical evaluation GSA requires before a contractor may sell them under the schedule. Despite not meeting these requirements, Hill Associates submitted claims for such services, which were outside the scope of its MAS contract.

3. Unapproved Fees and Misrepresented Discounts: Hill Associates is accused of charging the government unapproved fees, failing to provide required information about discounts for prompt payment, and including unallowable incentive compensation in cost submissions related to new contract proposals.

The ShadowQuill Incident

A significant aspect of the case involves a custom endpoint-monitoring platform developed by Hill Associates. The platform was sold to agencies as a way to improve threat detection, but it covertly deployed a loader known as ShadowQuill across federal systems, and the loader redirected endpoint traffic to third-party infrastructure the agencies had never authorized.

ShadowQuill came to light in mid-2021, when unusual pricing patterns prompted an internal audit at the Treasury Department. Investigators found that the loader hid its command-and-control traffic inside encrypted connections made to look like routine certificate revocation (CRL and OCSP) checks, and used that channel to retrieve malicious PowerShell scripts from external hosts.

Further analysis indicated that the malware abused the scheduled-task privileges held by the contractor's remote-assistance tooling, and that it loaded its DLLs reflectively, from memory rather than from disk, inside processes backed by vendor-signed images. Because no unsigned file touched disk and the host process carried a legitimate signature, standard signature-based controls did not flag it.

The repercussions extended beyond financial misconduct. Network forensics suggested that at least twenty internal repositories containing sensitive taxpayer data analytics were compromised, leading to an urgent cross-agency credential reset in late 2023.

Government Response

Assistant Attorney General Brett A. Shumate of the Justice Department's Civil Division emphasized the importance of contractors adhering to their obligations: "Information technology contractors are expected to charge the government appropriately for their services. We will continue to pursue cyber fraud and hold accountable those companies that knowingly fail to meet contractual obligations to the American taxpayers."

GSA Deputy Inspector General Robert C. Erickson added, "Federal agencies should get what they have paid for from GSA contractors, nothing less. I appreciate the hard work of all the attorneys, auditors, and special agents involved in this investigation."

Detection Evasion Techniques

ShadowQuill employed sophisticated methods to avoid detection:

– Signed Binary Proxy Execution: The malware used the legitimate, Microsoft-signed Msiexec.exe to load its DLL (Msiexec will load a DLL and call into it when asked to register the module), so the malicious code ran under an allow-listed binary and bypassed application whitelisting.

– WMI Event Subscription Persistence: It stored its payloads in permanent WMI event subscriptions under the root\subscription namespace (these live in the WMI repository, not the registry), with an event filter keyed to system-uptime events, so execution was re-triggered after every reboot.

– Entropy Manipulation: By keeping the entropy of its payload just below the thresholds that packer and encryption heuristics use, ShadowQuill resembled compressed telemetry data and passed through many scanners.

A YARA rule was developed to detect ShadowQuill’s presence:

```
rule ShadowQuill_ProxyExec {
    strings:
        $s1 = { 4D 53 49 45 58 45 43 }   // "MSIEXEC" as raw bytes (upper-case spelling only)
        $s2 = "root\\subscription" nocase // WMI namespace that holds permanent event subscriptions
        $s3 = /https:\/\/raw\.githubusercontent\.com\/[^\/\s]+\/[^\/\s]+\/payload\.ps1/
    condition:
        uint16(0) == 0x5A4D and all of ($s*)  // PE "MZ" header plus every $s string
}
```

Applying this rule to live memory snapshots identified 37 compromised endpoints within GSA test environments, highlighting the potential for sophisticated supply-chain attacks within standard IT contracts. Note that the condition begins with the MZ check, so the rule matches only PE images, on disk or mapped in memory; it will not fire on the retrieved PowerShell scripts themselves, and the hex form of $s1 matches the upper-case spelling only.
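As an added illustration, not code from this page or from any investigation it describes, the following Python reimplements the MZ check and the three string indicators of the rule above, and adds the entropy measurement that the "Entropy Manipulation" bullet implies a scanner needs alongside the string match. The file names, sample bytes, the owner and repository segments in the URL, and the entropy band (6.5 to 7.2 bits per byte) are all constructed assumptions for the demonstration.

```python
import math
import re

# Patterns equivalent to $s1..$s3 of the YARA rule (the owner/repo segments the
# regex accepts are wildcards; nothing here is a confirmed indicator).
MSIEXEC_MARKER = b"MSIEXEC"                                          # $s1 hex bytes
SUBSCRIPTION_RE = re.compile(rb"root\\subscription", re.IGNORECASE)  # $s2, nocase
PAYLOAD_URL_RE = re.compile(
    rb"https://raw\.githubusercontent\.com/[^/\s]+/[^/\s]+/payload\.ps1"  # $s3
)

# Illustrative entropy band (assumption): plain code usually measures well under
# ~7.2 bits/byte, packed or encrypted payloads above it. A payload tuned to sit
# just under that line lands inside this band.
NEAR_THRESHOLD_LOW = 6.5
PACKED_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def rule_matches(data: bytes) -> bool:
    """Pure-Python equivalent of ShadowQuill_ProxyExec: PE header and all three strings."""
    if data[:2] != b"MZ":  # uint16(0) == 0x5A4D is little-endian "MZ"
        return False
    return bool(
        MSIEXEC_MARKER in data
        and SUBSCRIPTION_RE.search(data)
        and PAYLOAD_URL_RE.search(data)
    )


def classify(name: str, data: bytes) -> dict:
    """Combine the rule verdict with the entropy reading a scanner would record."""
    ent = shannon_entropy(data)
    return {
        "name": name,
        "rule_hit": rule_matches(data),
        "entropy": ent,
        "near_threshold": NEAR_THRESHOLD_LOW <= ent < PACKED_THRESHOLD,
    }


def build_samples() -> dict[str, bytes]:
    """Constructed inputs so the script runs offline; none are real files or artifacts."""
    indicators = (
        b"MSIEXEC\x00ROOT\\Subscription\x00"
        b"https://raw.githubusercontent.com/acme/telemetry/payload.ps1\x00"
    )
    return {
        # PE header, 128 byte values used evenly (about 7.0 bits/byte), all three indicators
        "loader.dll": b"MZ" + bytes(range(128)) * 32 + indicators,
        # PE header, mostly zero padding, one incidental string: not a hit
        "clean.exe": (b"MZ" + b"This program cannot be run in DOS mode.\r\n"
                      + b"\x00" * 200 + b"MSIEXEC"),
        # All three indicators but no PE header: the uint16(0) check rejects it
        "dropper.ps1": b"# telemetry\n" + indicators,
        # Every byte value equally likely (about 8.0 bits/byte), as a packed section looks
        "packed.bin": b"MZ" + bytes(range(256)) * 16,
    }


def scan_samples() -> dict[str, dict]:
    """Run the rule and the entropy check over every constructed sample."""
    return {name: classify(name, data) for name, data in build_samples().items()}


if __name__ == "__main__":
    for r in scan_samples().values():
        print(f"{r['name']:<12} rule_hit={str(r['rule_hit']):<5} "
              f"entropy={r['entropy']:.2f} near_threshold={r['near_threshold']}")
```

Run it directly to print one line per sample. The script-only sample shows why the rule's MZ check matters when hunting for the downloaded scripts, and the entropy band is the part to tune against a local baseline, since a single global threshold is exactly what the loader was engineered to sit beneath.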

Conclusion

While the settlement primarily addresses fraudulent billing practices, the case underscores the broader risks associated with inadequate cybersecurity measures and misrepresented qualifications. The Department of Justice’s Civil Cyber-Fraud Initiative continues to hold contractors accountable for endangering sensitive information through deficient cybersecurity practices or misrepresentations.