A number of key US government departments have been hacked, with concern that the attack has allowed a foreign power to monitor American government communication.
Reuters reported that hackers thought to be working for Russia have been monitoring internal email traffic at the US Treasury and US Commerce departments, according to people familiar with the matter.
The US responded by ordering all federal agencies to disconnect from SolarWinds Orion, a computer network tool.
Indeed, so serious is the hack being viewed in Washington, that a National Security Council meeting at the White House was called on Saturday, one of the people familiar with the matter told Reuters.
US officials have not said much publicly beyond the Commerce Department confirming there was a breach at one of its agencies and that they asked the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI to investigate.
Last month President Donald Trump fired Cisa boss Chris Krebs after he publicly disagreed with the President’s claims of ‘massive’ voter fraud in the recent US election.
The US government has not publicly identified who might be behind the hacking, but three of the people familiar with the investigation told Reuters that Russia is currently believed to be responsible for the attack.
Two of the people said that the breaches are connected to a broad campaign that also involved the recently disclosed hack on FireEye, a major US cybersecurity company with government and commercial contracts.
Last week FireEye admitted that the ‘state-sponsored attack’ had also resulted in the theft of its internal hacking tools (‘Red Team assessment tools’) used by FireEye to test the cyber defences of its customers.
It is reported that the hackers managed to tamper with updates released by SolarWinds, two people familiar with the matter told Reuters. The attack – often referred to as a “supply chain attack” – works by hiding malicious code in the body of legitimate software updates provided to targets by third parties.
In a statement released late Sunday, SolarWinds reportedly said that updates to its monitoring software released between March and June of this year may have been subverted by what it described as a “highly-sophisticated, targeted and manual supply chain attack by a nation state.”
As a result, CISA issued an emergency directive, ordering federal agencies to stop using the tool immediately.
“CISA has determined that this exploitation of SolarWinds products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action,” it stated.
“CISA understands that the vendor is working to provide updated software patches,” it added “However, agencies must wait until CISA provides further guidance before using any forthcoming patches to reinstall the SolarWinds Orion software in their enterprise.”
Russia meanwhile has denied it is involved in the mater.
The Russian foreign ministry, in a Facebook post, described the allegations as another unfounded attempt by the US media to blame Russia for cyberattacks against US agencies.
The attack prompted a response from experts in the security arena.
“The growing list of significant breaches underlines the fact that cybercrime knows no boundaries and everyone must be diligent, now more than ever,” said Stuart Reed, UK director at Orange Cyberdefense.
“While details of this incident are still emerging, a major security theme of this year has been vulnerabilities in leading perimeter security platforms – particularly those used to facilitate secure remote access for the instant army of remote workers the Covid-19 crisis presented us with,” said Reed. “As a result of fast implementation and scaling, patches and upgrades for these are taking far too long, and this problem appears to be getting worse. State-backed and criminal hackers have noted this opportunity and pivoted dramatically to explore it, with devastating effect.”
“We return again to the fundamental question how we deal with a new world where hacking is big business and we are up against some pretty smart and well-motivated adversaries,” said Reed. “Firstly, it is important to get the basics right. Unfortunately, the most determined and motivated attacker will keep probing until they do discover a weakness.”
“We have seen that commercial hackers can be as sophisticated and skilled as state sponsored adversaries,” said Reed. “There is one crucial difference however. A state adversary is often resource and time constrained while a commercial adversary is only constrained by economics. Economics which currently makes hacking very attractive and lucrative.”
Another expert noted that the attack was well executed compromised of the supply chain.
“This is significant example of a well-executed supply chain attack compromising a popular IT administration tool as a penetration mechanism,” said Matt Walmsley, director enterprise market development at Vectra.
“The subsequent exploitation of authentication controls enabled the threat actor to pivot to the cloud and operate undetected for an extended time in Microsoft 365, which allowed them to gather intelligence,” said Walmsley.
“Opportunities for these kind of attacks like this are vast and growing,” said Walmsley. “It highlights the need for security teams to be able to tie together all host and account interactions as they move between cloud and on-premise environments in a consolidated view. Security teams also need to drastically reduce the overall risk of a breach by gaining instant visibility and understanding of who and what is accessing data or changing configurations, regardless of how they are doing it, and from where.”