The supply chain attack used to breach federal agencies and at least one private company poses a “serious risk” to the United States, in part because the attackers likely used means other than just the SolarWinds backdoor to penetrate networks of interest, federal officials said on Thursday. One of those networks is owned by the National Nuclear Security Administration, which is responsible for the Los Alamos and Sandia labs, according to a report by Politico.
“This adversary has demonstrated its ability to exploit software supply chains and has demonstrated significant knowledge of Windows networks,” Cybersecurity and Infrastructure Security Agency officials wrote in a warning. “It is likely that the adversary has additional initial access vectors and tactics, techniques and procedures (TTPs) that have not yet been discovered.” CISA, as the agency is abbreviated, is part of the Department of Homeland Security.
Elsewhere, officials wrote, “CISA has determined that this threat poses a serious risk to the federal government and state, local, tribal and territorial governments, as well as to critical infrastructure entities and other private sector organizations.”
Reuters, meanwhile, reported that the attackers had breached a separate major technology supplier and used that compromise to get into high-value end targets. The news service quoted two people briefed on the matter.
The attackers, who CISA said began their operation no later than March, managed to go undetected until last week, when security firm FireEye reported that hackers with the backing of a nation-state had penetrated deep into its network. Earlier this week, FireEye said the hackers infected targets through Orion, a widely used network management tool from SolarWinds. After the attackers took over the Orion update mechanism, they used it to install a backdoor that FireEye researchers call Sunburst.
Sunday was also when multiple news sources, citing unnamed people, reported that the hackers had used the backdoor in Orion to breach networks of the Departments of Commerce and the Treasury and possibly other agencies. The Department of Homeland Security and the National Institutes of Health were later added to the list.
Thursday’s CISA warning gave an unusually dismal assessment of the hack; the threat it poses to government agencies at the national, state and local levels; and the skill, persistence and time needed to drive the attackers off networks they had invaded undetected for months.
“This APT actor has shown patience, operational security and complex conduct in these break-ins,” officials wrote in Thursday’s warning. “CISA expects it will be very complex and challenging for organizations to remove this threat actor from compromised environments.”
The officials gave another dismal assessment: “CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform; however, these are still under investigation. CISA will update this warning as new information becomes available.”
The advisory didn’t say what the additional vectors might be, but the officials noted the skill required to infect the SolarWinds software build platform, distribute backdoors to 18,000 customers, and then go undetected in infected networks for months.
“This adversary has demonstrated its ability to exploit software supply chains and has demonstrated significant knowledge of Windows networks,” they wrote. “It is likely that the adversary has additional initial access vectors and tactics, techniques and procedures that have not yet been discovered.”
One of the many federal agencies that used SolarWinds Orion was reportedly the Internal Revenue Service. On Thursday, Sen. Ron Wyden (D-Ore.) and Senate Finance Committee Chair Chuck Grassley (R-Iowa) sent a letter to IRS Commissioner Chuck Rettig requesting that he provide a briefing on whether taxpayer data has been compromised.
“The IRS appears to have only been a customer of SolarWinds in 2017. Given the extreme sensitivity of personal tax information entrusted to the IRS, and the damage to both American privacy and national security that could result from the theft and exploitation of this data by our adversaries, it is imperative that we understand the extent to which the IRS may have been compromised. It is also critical that we understand what actions the IRS is taking to mitigate potential damage, ensure that hackers cannot access internal IRS systems, and prevent future hacks of tax data.”
Representatives from the IRS did not immediately return a phone call requesting comment for this article.
The CISA warning said the key takeaways from its investigation so far are:
- This is a patient, well-resourced and focused adversary that has been active on victim networks for a long time
- The SolarWinds Orion supply chain compromise isn’t the only initial infection vector this APT actor has used
- Not all organizations that had the backdoor delivered via SolarWinds Orion have been targeted by the adversary with follow-on actions
- Organizations with suspected compromises should be highly conscious of operational security, including when conducting incident response activities and planning and implementing recovery plans
What has been revealed so far is that this is an extraordinary hack, the full scope and effects of which will not be known for weeks or even months. More shoes are likely to drop early and often.