US cybersecurity agency warns suspected Russian hacking campaign is broader than previously believed

In particular, the Cybersecurity and Infrastructure Security Agency said it has determined that the SolarWinds Orion software vulnerability disclosed earlier this week is not the only way hackers have compromised a variety of networks, warning that in some cases victims appear to have been breached even though they did not use the problematic software.

The news is likely only to exacerbate already escalating concerns about the scale and magnitude of the breach, which CISA said Thursday “poses a serious risk” to networks in both the public and private sectors.

“CISA has determined that this threat poses a serious risk to the federal government and state, local, tribal and territorial governments, as well as to critical infrastructure entities and other private sector organizations,” the agency warned. “CISA expects that removing this threat actor from compromised environments will be very complex and challenging for organizations.”

The agency also acknowledged on Thursday that the hackers “used tactics, techniques and procedures that have not yet been discovered,” adding that it continues to investigate whether and how other methods of intrusion have been used since the campaign began months ago.

The analysis comes as the list of US agencies, private companies and other entities affected by the hacking campaign continues to grow.

Hours after the CISA warning was released, the US Energy Department said it had evidence that hackers had gained access to some of its networks using the same malware tied to the ongoing breach, which already affects nearly half a dozen federal agencies.

The department claims the impact “has been isolated to corporate networks” and “has not affected the mission’s essential national security functions, including the National Nuclear Security Administration (NNSA),” which oversees the country’s stockpile of nuclear weapons.

Energy Department spokeswoman Shaylyn Hynes also said that once the department identified the vulnerable software, “immediate action was taken to mitigate the risk, and any software identified as vulnerable to this attack was disconnected from the DOE network.”

Politico was the first to report a possible breach at DOE.

Microsoft has identified more than 40 of its customers around the world who had problematic versions of a third-party IT management program installed and who were specifically targeted in the suspected Russian hacking campaign disclosed this week, the company said in a blog post on Thursday. The tech company said 80% of those victims are in the US, with the rest in seven other countries: Canada, Mexico, Belgium, Spain, the United Kingdom, Israel and the United Arab Emirates.

“It is a certainty that the number and location of victims will continue to grow,” said Microsoft president Brad Smith, adding that the company has been working to notify affected organizations.

Soul-searching and finger-pointing

The broad and extraordinary intrusion has set off a round of soul-searching among the government’s leading cyber officials and outside experts about how this months-long, ongoing cyber campaign went unnoticed for so long.

On Wednesday evening, the US government’s top security agencies formally acknowledged in a joint statement that the ongoing cyber campaign was still active. The revelations come at a particularly fraught moment during a divisive presidential transition and after an election that was, in all likelihood, free from foreign interference.

Wednesday’s joint statement from the FBI, the intelligence community, and the Department of Homeland Security’s cyber division served in part as an admission of their own shortcomings, stating plainly that those charged with protecting the country from foreign cyber threats had only learned of the massive intrusion over the past “several days.”

While U.S. officials said they only heard about the breach in recent days, an early indicator of SolarWinds’ security weaknesses emerged last fall after an independent researcher contacted the company and said he had found one of its update servers exposed on the public internet.

The server was protected by a weak password, “solarwinds123,” said researcher Vinoth Kumar. Emails of Kumar’s exchange reviewed by CNN showed that SolarWinds corrected the login issue, but Kumar told CNN he had determined that the server had been open to the public since at least June 2018.

SolarWinds declined to comment.


The ongoing cyber campaign itself started back in March of this year, CISA said Thursday, but experts tell CNN hackers likely had previously accessed government networks.

“It appears that the Russians had six to nine months of ‘sustained access’ to some of the Department of Homeland Security’s networks,” said Tony Lawrence, CEO and founder of Light Rider, a cybersecurity firm with clients in both the public and private sectors. “If this is the case, it means that the Russians at that time could navigate all the networks and control selected US domestic security networks.”

Several sources have since confirmed that until the end of last week, or when CISA went public on Sunday evening, the US government was not aware of the breach, raising questions about how the hackers managed to avoid detection by those authorities for several months.

“It’s complicated in that sense, the way our government is organized, it’s not even clear, given our existing framework in this country, which agency would actually have primary jurisdiction over this whole issue,” the acting chair of the Senate Intelligence Committee, Florida Republican Sen. Marco Rubio, told CNN Thursday.


Security experts have also expressed concern about the Trump administration’s elimination of the cyber coordinator position on the National Security Council. CNN reported at the time that the elimination, which came just weeks into the tenure of then-national security adviser John Bolton, was part of an effort to “streamline the authority for senior directors of the National Security Council.”

“There is no person whose job it is to coordinate the entire government response at this point,” said Carrie Cordero, a senior fellow and general counsel at the Center for a New American Security and a CNN legal and national security analyst. “Despite the good efforts of working-level people in various agencies, that is not a substitute for high-level leadership, which I don’t think will exist until the next administration.”

House and Senate intelligence committees were briefed on the matter on Wednesday, but lawmakers have since made it clear that there are still more questions than answers. The House Oversight and Homeland Security Committees on Thursday sent a letter to the country’s top national security officials requesting more information about the ongoing investigation.

U.S. officials and cybersecurity experts warn that the incident should serve as a wake-up call to both the federal government, including the incoming Biden administration, and private sector companies, as foreign actors will no doubt launch similar attacks and refine their tactics in the future.

What is next?

Going forward, there is likely to be more scrutiny of the Department of Homeland Security’s EINSTEIN system, which is designed to prevent intrusions and detect malicious traffic on federal computer networks.

The system relies on spotting known malicious activity and works well when it knows what it is looking for, said a former senior DHS official.

“If you don’t know what you’re looking for, that’s a problem,” the official said, adding that it is likely to cause concern among lawmakers who have allocated billions of dollars to the program. Biden’s new administration will need to “take a closer look at Einstein,” the former official said.

In 2018, the Government Accountability Office, acting as a watchdog for Congress, concluded that despite some improvements, there were still limitations to the system that EINSTEIN manages.

However, it is unclear whether the current systems would have caught the latest hack.

“Even if everything were very effective in government cybersecurity, it is very likely that this breach would not have been discovered,” said Vijay A. D’Souza, a GAO director on the information technology and cybersecurity team, based on outside research into the incident. GAO has not yet done an independent analysis.

“Agencies will have to keep doing more to put together the whole puzzle, so if they get hacked, how can they find out what happened and then clean up in case they can’t catch something.”

D’Souza said agencies are lacking in their “logging” capabilities, the ability to go back and examine a network and find out what happened after a breach.

“Our work has generally shown that agencies don’t keep enough of this data. They don’t have the ability to bring it together and they don’t have the ability to figure out that kind of research,” he said.
