US cybersecurity agency warns suspected Russian hacking campaign broader than
Specifically, the Cybersecurity and Infrastructure Security Agency said it has determined that the SolarWinds Orion software vulnerability disclosed earlier this week is not the only way hackers compromised a variety of online networks — warning that in some cases, victims appeared to have been breached despite never using the problematic software.
The news will likely only compound already escalating concerns about the scale and scope of the data breach, which CISA said Thursday “poses a grave risk” to networks across both the public and private sector.
“CISA has determined that this threat poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations,” the alert issued by the agency said. “CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations.”
The agency also acknowledged Thursday that the hackers used “tactics, techniques and procedures that have not yet been discovered,” adding that it is continuing to investigate whether, and how, other intrusion methods may have been used since the campaign began months ago.
The analysis comes as the list of US agencies, private companies and other entities affected by the hacking campaign continues to increase.
Hours after the CISA alert was released, the US Energy Department said it had evidence that hackers accessed some of its networks using the same malware associated with the ongoing data breach already impacting almost half a dozen federal agencies.
The department maintains that the impact has been “isolated to business networks” and “has not impacted the mission essential national security functions of the Department, including the National Nuclear Security Administration (NNSA),” which oversees the nation’s stockpile of nuclear weapons.
Energy Department spokeswoman Shaylyn Hynes also said that once the department identified its vulnerable software, “immediate action was taken to mitigate the risk, and all software identified as being vulnerable to this attack was disconnected from the DOE network.”
Politico was first to report a possible intrusion at DOE.
Soul searching and finger pointing
The wide-ranging and extraordinary intrusion has launched a technical soul-searching mission among the government’s leading cyber officials and outside experts over how this months-long, ongoing cyber campaign managed to go undetected for so long.
On Wednesday night, the US government’s top security agencies formally acknowledged in a joint statement that the ongoing cyber campaign was still active. The revelations come at a particularly fraught time during a divisive presidential transition and after an election that had been, by all accounts, free of foreign interference.
Wednesday’s joint statement by the FBI, intelligence community and the cyber arm of the Department of Homeland Security served partially as an admission of their own shortcomings, clearly stating that those charged with protecting the nation from foreign cyber threats only learned of the massive intrusion in the past “several days.”
While US officials said they only learned of the data breach in recent days, an early indicator of SolarWinds’s security issues emerged last fall, after an independent researcher contacted the company saying he had found one of its update servers on the public internet.
The server was protected by a weak password: “solarwinds123,” according to the researcher, Vinoth Kumar. Emails of Kumar’s exchange with the company, reviewed by CNN, showed that SolarWinds corrected the credential issue, but Kumar told CNN that he determined the server had been accessible to the public since at least June 2018.
SolarWinds declined to comment.
The ongoing cyber campaign itself began as early as March of this year, CISA said Thursday, but experts tell CNN that hackers likely accessed government networks before then.
“It appears the Russians had six to nine months of ‘persistent access’ to some Department of Homeland Security networks,” said Tony Lawrence, CEO and founder of Light Rider, a cybersecurity firm that has clients in both the public and private sector. “If this is the case, it means the Russians had the ability to navigate all networks and control select US homeland security networks during this time.”
Several sources have since confirmed that the US government was unaware of the breach until the end of last week, or when CISA went public on Sunday night, fueling concerns about how the hackers managed to evade detection by these agencies for several months.
“It’s complicated in the sense, the way our government is organized, it’s not even clear given our existing framework in this country, what agency would actually have the primary jurisdiction over this entire matter,” acting chairman of the Senate Intelligence Committee, Florida Republican Sen. Marco Rubio, told CNN Thursday.
Security experts have also raised…