U.S. Agencies Warned of Widespread Cyber-Espionage Hack
U.S. government agencies are hunting for signs of compromise and malware after authorities learned that the Treasury and Commerce departments were hacked as part of a months-long cyber-espionage campaign.
In an emergency directive issued Sunday, the U.S. Department of Homeland Security (DHS) warned of an “unacceptable risk” to the executive branch from a feared largescale penetration of government agencies that could date back six months or longer, according to The Washington Post. The possible campaign was discovered after cybersecurity firm FireEye disclosed it had been breached—which signaled potential compromises of government agencies and major corporations, as well.
Hackers apparently got into computers at the U.S. Treasury Department and possibly other federal agencies, touching off a government response involving the National Security Council. https://t.co/8KEpoiFLbe
— The Associated Press (@AP) December 13, 2020
Reuters broke the story of the breach of U.S. agencies after originally breaking the story of the FireEye hack last week, noting that an arsenal of hacking tools used in penetration tests had been stolen. However, cybersecurity experts warn that the latest discoveries around new vulnerabilities and hacking methods used in the FireEye attack are likely to uncover deeper vulnerabilities and compromises as the investigation continues.
Common refrain from sources:
— Chris Bing (@Bing_Chris) December 14, 2020
today's news about USG hacks (Commerce + Treasury) and the larger supply chain compromise at Solar Winds, an IT provider for the USG, is "just the tip of the iceberg"
This breach is much worse than it appears atm. And it appears very bad already
While the attacks have not been attributed by FireEye or the government to any particular threat actor, signs point to Russian involvement, especially given the careful tradecraft. Russia’s foreign ministry has refuted the allegations as “baseless.”
The investigation so far has discovered that the conduit for all these attacks is server software product SolarWinds Orion, which is used by the Pentagon, all branches of the U.S. military, numerous other government agencies, telecommunications companies, accounting firms, and educational institutions. SolarWinds issued a security advisory on Sunday, recommending all customers upgrade their software.
"SolarWinds has just been aware our systems experienced a highly sophisticated, manual supply chain attack on SolarWinds Orion Platform software builds for versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020," the company said. "We have been advised this attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack."
Details on the SolarWinds supply chain attacks. https://t.co/HNBlZKWojI
— John Hultquist (@JohnHultquist) December 14, 2020
The DHS directive told U.S. agencies to immediately disconnect or power down any machines using the affected SolarWinds software. All agencies using SolarWinds products need to provide a completion report to the DHS Cybersecurity & Infrastructure Security Agency (CISA) by noon, Eastern Standard Time, today.
JUST RELEASED: Emergency Directive 21-01 calls on all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately. Read more: https://t.co/VFZ81W2Ow7
— Cybersecurity and Infrastructure Security Agency (@CISAgov) December 14, 2020
The malware in question gives hackers remote access to victims’ networks, potentially enabling malicious actors monitor government communications, the BBC reported.
