US agencies victim to monthslong foreign cyberattack campaign

The Department of Homeland Security issued a government-wide directive to purge agency networks of potentially compromised servers after discovering the Treasury and Commerce departments were victims of a monthslong cyberattack campaign.

Last night, SolarWinds, an IT company that runs network management systems whose thousands of clients include the Department of Justice, the Census Bureau, the Department of Veterans Affairs, NASA, the Pentagon, the State Department, other federal agencies, and hundreds of companies and governments, acknowledged that its systems had been compromised.

“We are aware of a potential vulnerability which if present is currently believed to be related to updates which were released between March and June 2020 to our Orion monitoring products,” Kevin Thompson, the president and CEO of the company, told the Washington Examiner in a statement. “We believe that this vulnerability is the result of a highly-sophisticated, targeted and manual supply chain attack by a nation state.”

“CISA has determined that this exploitation of SolarWinds products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action,” DHS’s Cybersecurity and Infrastructure Security Agency wrote in the late-night directive. “CISA understands that the vendor is working to provide updated software patches. However, agencies must wait until CISA provides further guidance before using any forthcoming patches to reinstall the SolarWinds Orion software in their enterprise.”

An FBI spokesperson told the Washington Examiner on Sunday that the bureau “is aware of today’s reporting and is appropriately engaged, however, we decline to comment further.”

The scope of the attack continues to expand, with internal communications at the Department of Homeland Security, a sprawling bureaucracy that oversees border security, cybersecurity, and the distribution of the COVID-19 vaccine, also reportedly being compromised.

“The Department of Homeland Security is aware of reports of a breach. We are currently investigating the matter,” DHS spokesman Alexei Woltornist told the Washington Examiner.

As a result of the hack, the National Security Council held a meeting at the White House on Sunday.

NSC spokesman John Ullyot said on Sunday that the government was “taking all necessary steps to identify and remedy any possible issues related to the situation.” On Monday, he said that the NSC “is working closely with CISA, the FBI, the intelligence community, and affected departments and agencies to coordinate a swift and effective whole-of-government recovery and response to the recent compromise.”

“This can turn into one of the most impactful espionage campaigns on record,” cybersecurity expert and CrowdStrike co-founder Dmitri Alperovitch told the Associated Press.

FireEye, a cybersecurity firm that works with government agencies to expose and fight foreign cyberattacks, reported that it discovered a “highly evasive attacker” infiltrated SolarWinds Orion’s software updates in order to distribute malware.

SolarWinds said in a financial filing that of its 300,000 customers around the world, roughly 18,000 were affected by the hack.

“SolarWinds currently believes the actual number of customers that may have had an installation of the Orion products that contained this vulnerability to be fewer than 18,000,” the company said.

SolarWinds added in the filing that it believes “an attack vector” also compromised the company’s emails, which are hosted by Microsoft Office 365. The company said that the compromised emails “may have provided access to other data contained in the Company’s office productivity tools.” The company is working with Microsoft to determine “whether any customer, personnel or other data was exfiltrated as a result of this compromise but has uncovered no evidence at this time of any such exfiltration.”

Alperovitch said the malware updates gave hackers “God-mode” access to victims’ networks, making everything visible.

“FireEye has detected this activity at multiple entities worldwide,” the company wrote. “The victims have included government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East. We anticipate there are additional victims in other countries and verticals. FireEye has notified all entities we are aware of being affected.”

John Hultquist, FireEye’s director of threat analysis, said he anticipates “this will be a very large event when all the information comes to light,” adding that FireEye was “still finding targets that they manage to operate in.”

Kevin Mandia, the president of FireEye, wrote a blog post that the company “identified a global campaign that introduces a compromise into the networks of public and private organizations through the software supply chain.”

Just last week, FireEye was hacked by a “highly sophisticated threat actor” that compromised its “Red Team” cybertools.

Microsoft, which is helping FireEye and other affected groups respond to the hack, released guidance about “increased activities from a sophisticated threat actor that is focused on high value targets such as government agencies and cybersecurity companies” and assessed that “this is nation-state activity at significant scale.”

The company said that “because of the sophistication of the techniques and operational security capabilities of the actor, we want to encourage greater scrutiny by the broader community” and that one common element in many of the cyberattacks was “an intrusion through malicious code in the SolarWinds Orion product.”

A Commerce Department spokesperson told the Washington Examiner that “we can confirm there has been a breach in one of our bureaus” and that “we have asked CISA and the FBI to investigate.” The New York Times reported that the cyberattacks on Treasury and Commerce gave the hackers “free access to their email systems.”

Neither the federal government nor any of the private partners involved has publicly identified who might have been behind the SolarWinds attack, but the FBI is reportedly looking into the Russian hacking group APT29, also known as Cozy Bear, as a potential culprit, according to the Washington Post.

If Russian culpability is definitively established for the hacks of United States government agencies, it would harken back to Russia’s large-scale hacking of the State Department in 2014. Actors affiliated with Russia’s Main Intelligence Directorate of the General Staff, or GRU, were also named by the U.S. as responsible for the hacking of the Democratic National Committee’s email systems in 2016.

APT29 has been linked to several high-profile hacking campaigns, including attempts to steal coronavirus vaccine research and last week’s attack on FireEye.

The Kremlin has denied any involvement in the attack.

“Once again, I can reject these accusations,” Kremlin spokesman Dmitry Peskov told reporters. “If for many months the Americans couldn’t do anything about it, then, probably, one shouldn’t unfoundedly blame the Russians for everything.”