The agencies that maintain the U.S. nuclear weapons stockpile are reportedly preparing to notify Congress that they have evidence showing their systems were breached by foreign hackers in a monthslong cyberespionage campaign that came to light this week.
Officials from the National Nuclear Security Administration and its parent agency, the Energy Department, were “coordinating notifications” about the breach, which they said also affected the Federal Energy Regulatory Commission, to the House and Senate energy and armed services committees on Thursday, according to Politico.
Hackers were “able to do more damage at FERC than the other agencies,” and officials were able to obtain evidence of “highly malicious activity,” the report said.
The DOE acknowledged that its “business networks” were compromised in the attack but rebuffed claims that its investigation has yielded evidence that the NNSA was affected by the attack.
“The Department of Energy is responding to a cyber incident related to the SolarWinds compromise in coordination with our federal and industry partners,” DOE spokeswoman Shaylyn Hynes told the Washington Examiner. “The investigation is ongoing and the response to this incident is happening in real time. At this point, the investigation has found that the malware has been isolated to business networks only, and has not impacted the mission essential national security functions of the Department, including the National Nuclear Security Administration (NNSA).”
FERC Commissioner Neil Chatterjee told the Washington Examiner that the agency likewise had not found “any conclusive evidence that the malicious actors” infiltrated FERC systems or accessed data.
“FERC uses SolarWinds Orion to help manage its IT assets like many agencies and organizations. In accordance with direction provided by the Department of Homeland Security, we have removed use of this tool from our infrastructure,” Chatterjee said. “We are currently reviewing our IT environment comprehensively. At this time, we do not have any conclusive evidence that the malicious actors accessed our systems or exfiltrated any data. We will continue working with our vendors and federal partners to comply with DHS guidance and ensure the security of our systems and data.”
“When DOE identified vulnerable software, immediate action was taken to mitigate the risk, and all software identified as being vulnerable to this attack was disconnected from the DOE network,” Hynes added.
On Sunday, SolarWinds, an IT company that makes network management software and whose thousands of clients include the Justice Department, the Treasury Department, NASA, the Pentagon, the State Department, and other federal agencies, as well as hundreds of companies and local governments, acknowledged that its systems had been compromised by a “highly sophisticated, targeted” campaign likely carried out by foreign actors.
The Cybersecurity and Infrastructure Security Agency said Thursday the reported attacks were part of a “massive global hacking campaign” that began as early as March 2020.
“This is a patient, well-resourced, and focused adversary that has sustained long duration activity on victim networks,” CISA wrote. “The SolarWinds Orion supply chain compromise is not the only initial infection vector this [advanced persistent threat] actor leveraged.”
“CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations,” it added.
In a tweet posted December 17, 2020, US-CERT (@USCERT_gov) wrote: “ACTIVITY ALERT: Review @CISAgov’s new Alert on the #APT campaign against federal agencies & critical infrastructure, providing updated affected product versions, IOCs, ATT&CK® techniques, and mitigation steps. https://t.co/ZgzAbUNKjL”
The cyberattacks, which involved infiltrating SolarWinds’s Orion update system in order to distribute malware to its customers’ computers, gave hackers “God-mode” access to victims’ networks, making everything visible.
The Energy Department would be at least the sixth federal agency compromised in the attack — in addition to the departments of Commerce, Treasury, State, and Homeland Security, as well as the National Institutes of Health. The tactics used to infiltrate the DOE and the other agencies were “previously unknown tactics for penetrating government computer networks,” according to the Washington Post, which also reported that the NNSA’s systems were compromised.
The NNSA consumes the majority of the DOE’s budget. It manages the national nuclear weapons stockpile, and agency laboratories such as Sandia and Los Alamos conduct atomic research on both civil nuclear power and the development of nuclear weapons. Another agency within the DOE, the Office of Secure Transportation, oversees the movement of enriched uranium and other nuclear stockpile materials across the country.
The Washington Examiner reached out to the DOE for further comment.
Following news of the attacks, the National Security Council established a coordinated government response to “ensure continued unity of effort across the United States Government in response to a significant cyber incident.” That effort, comprising officials from the FBI, CISA, and the Office of the Director of National Intelligence, is still investigating the reach of the attack and who was behind it.
Neither the federal government nor any of the private partners involved has publicly identified who might have been behind the SolarWinds attack, but the FBI is looking into the Russian hacking group APT29, also known as Cozy Bear, as a potential culprit, according to the Washington Post.
If Russia is definitively established as being behind the hacks of United States government agencies, it would hark back to Russia’s large-scale hacking of the State Department in 2014. Actors affiliated with Russia’s Main Intelligence Directorate of the General Staff, or GRU, were also named by the U.S. as responsible for the hacking of the Democratic National Committee’s email systems in 2016.
Josh Siegel contributed to this report.