No classified information was exposed after a U.S. Geological Survey employee with “an extensive history” of watching pornography at work infected the organization’s networks with Russian malware, an Interior Department watchdog found.

Between Sept. 26, 2016 and March 13, 2017, the employee used his work computer to visit more than 9,000 adult websites, many of which linked to Russian web pages containing malware, investigators found. That averages out to roughly 79 different porn sites every business day.

The resulting malware made it harder for the agency to monitor network vulnerabilities and automatically connected USGS systems to malicious Russian websites, according to a redacted inspector general report published Tuesday. The code also created a covert pathway bad actors could use to steal information from USGS, though investigators found no evidence that any data was transferred.



The IG first described the incident in a March report and issued a management advisory last month, but the latest report offers additional details on the malware and the employee who introduced it.

The IG traced the infection to an unnamed male employee who visited thousands of adult websites on his government-issued computer. The employee, who held a GS-12 position at a satellite imaging facility in Sioux Falls, S.D., retired from USGS the day before he was supposed to be fired, according to the report.

He eventually admitted to investigators that he’d “routinely” viewed adult content at work “for many years.”

The employee also saved much of the pornographic material on an unauthorized USB drive and personal Android cellphone, both of which were connected to his computer against department policy. His cellphone was also infected with malware, the IG said.

“Though the introduction of unauthorized devices was intentional, we found no evidence that the employee intended to infect government systems with malware, or that he knew it was there,” investigators wrote in the report.

Once downloaded to his computer, the malware spread across the USGS network, they said. The infection came to light during a routine audit of the facility’s IT security, when inspectors discovered servers were trying to connect to IP addresses affiliated with the former Soviet Union.

USGS immediately took action to address the vulnerabilities once they were discovered, acting Public Affairs Officer Karen Armstrong told Nextgov.

The department’s rules of behavior explicitly prohibit employees from using government networks for viewing pornography and other inappropriate activities, and the IG found the employee had agreed to these rules through various training programs every year since 2009. His computer also required him to agree to an “acceptable use” warning each time he logged in.

In a prior report, auditors recommended USGS more closely monitor employees’ web browsing and enforce blacklists of prohibited websites. They also advised the agency to strengthen its IT security policies to stop employees from connecting personal devices to government computers, which could propagate malware on government networks.

Armstrong said USGS “is committed to taking any appropriate additional action toward preventing further incidents.”

Editor's note: This article was updated to clarify when the inspector general office first reported the incident.