He received a reply from Gail Porter at NIST, which he posted on Google+. Porter said the servers had been taken down on 8 March after a firewall at NIST had detected “suspicious activity” and took steps to block unusual traffic. Investigations of the activity revealed malware on two of NIST’s servers, which was then “traced to a software vulnerability”. No further details of that vulnerability were given, though Halavakoski notes that the NIST servers had been running Windows Server 2008 and Microsoft-IIS up to the date they were attacked; after the attack, the servers reported running Linux and Apache.
According to the Porter mail, there was no evidence that the NIST servers or public pages were used to spread malware to visitors. The organisation is following its own guidanceon malware incident handling, which does include advice on restricting network access to systems while working on clearing up an infection. No planned date for restoration of services has been given: the NIST site reads “We are working to restore service as quickly as possible”.
Motivation for the attack is unclear though the NVD site could have made a valuable location for a watering hole attack because its visitors would be interested in security issues and are likely to work for organisations with systems containing valuable data.