Kremlin-backed hackers breach US Treasury and Commerce: by Tyler Van Dyke
https://www.washingtonexaminer.com/news/foreign-government-backed-hackers-breach-u-s-treasury-report
A “sophisticated hacking group” backed by the Russian government reportedly infiltrated the Department of Treasury’s systems and stole information related to internet and telecommunications policymaking as part of a broader campaign that also hacked the Commerce Department and other government agencies.
The FBI is investigating the attacks and is looking into the Russian hacking group APT29, also known as Cozy Bear, as a potential culprit, according to the Washington Post. The foreign-backed hack was first reported by Reuters. An FBI spokesperson told the Washington Examiner that the bureau “is aware of today’s reporting and is appropriately engaged, however, we decline to comment further.”
As a result of the hack, the National Security Council held a meeting at the White House on Sunday.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency confirmed the incident in a statement but did not suggest who was behind the attack.
“We have been working closely with our agency partners regarding recently discovered activity on government networks,” the agency said. “CISA is providing technical assistance to affected entities as they work to identify and mitigate any potential compromises.”
SolarWinds, an IT company, runs network management systems that were breached by the hackers, as first reported by the Washington Post.
“We are aware of a potential vulnerability which if present is currently believed to be related to updates which were released between March and June 2020 to our Orion monitoring products,” Kevin Thompson, the president and CEO of the company, told the Washington Examiner in a statement. “We believe that this vulnerability is the result of a highly-sophisticated, targeted and manual supply chain attack by a nation state. We are acting in close coordination with FireEye, the Federal Bureau of Investigation, the intelligence community, and other law enforcement to investigate these matters. As such, we are limited as to what we can share at this time.”
CISA released an emergency directive to the rest of the government, aside from the Pentagon and the intelligence community, just before midnight on Sunday.
“SolarWinds Orion products … are currently being exploited by malicious actors,” the statement said, adding that “this tactic permits an attacker to gain access to network traffic management systems.”
The agency said it “determined that this exploitation of SolarWinds products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action” and ordered federal agencies to “forensically image system memory and/or host operating systems,” analyze “for new user or service accounts,” and analyze “network traffic for indications of compromise.” The cybersecurity agency said that “affected agencies shall immediately disconnect or power down SolarWinds Orion products,” and federal agencies had until noon on Monday to report the existence of specific SolarWind indicators to CISA.
The cybersecurity agency said that “after (and only after) all threat actor-controlled accounts and identified persistence mechanisms have been removed,” the other agencies should “treat all hosts monitored by the SolarWinds Orion monitoring software as compromised by threat actors and assume that further persistence mechanisms have been deployed.”
NSC spokesman John Ullyot said that the government is “aware of these reports” and was “taking all necessary steps to identify and remedy any possible issues related to the situation.” The Office of the Director of National Intelligence declined to comment.
A Commerce Department spokesperson told the Washington Examiner that “we can confirm there has been a breach in one of our bureaus” and that “we have asked CISA and the FBI to investigate, and we cannot comment further at this time.” The Wall Street Journal reported that the hack of Commerce Department systems targeted the National Telecommunications and Information Administration, which advises the executive branch and the president on information policy.
The New York Times reported that the cyberattacks on Treasury and Commerce gave the hackers “free access to their email systems.”
APT29 has been linked to several high-profile hacking campaigns, including attempts to steal coronavirus vaccine research. The group was also connected to a Tuesday attack on FireEye, a cybersecurity firm that works with government agencies and specializes in exposing and fighting foreign cyberattacks.
FireEye, a $3.5 billion Silicon Valley company famous for helping governments and its large corporate clients respond to cyberattacks, announced last week that a “state-sponsored attack” resulted in the cyber theft of secretive “Red Team” cybertools that mimic a cyber adversary’s online attacks and assist clients with defending against them. The group said it was working with the FBI and Microsoft to investigate, and the New York Times reported at the time that the “evidence points to Russia’s intelligence agencies” while the Wall Street Journal reported that “a person familiar with the matter said Russia is currently seen by investigators as the most likely culprit but stressed that the investigation was continuing.”
Kevin Mandia, the president of FireEye, wrote a blog post late Sunday night, saying that the company “identified a global campaign that introduces a compromise into the networks of public and private organizations through the software supply chain.” He said, “This compromise is delivered through updates to a widely-used IT infrastructure management software — the Orion network monitoring product from SolarWinds.” Mandia added that “the campaign demonstrates top-tier operational tradecraft and resourcing consistent with state-sponsored threat actors.”
The FireEye leader said, “We have now identified multiple organizations where we see indications of compromise dating back to the Spring of 2020, and we are in the process of notifying those organizations.” He added that his company has determined that “each of the attacks require meticulous planning and manual interaction.”
“We have been in close coordination with SolarWinds, the Federal Bureau of Investigation, and other key partners,” Mandia said. “We believe it is critical to notify all our customers and the security community about this threat so organizations can take appropriate steps.”
In a separate post, FireEye said it had identified hacking victims, including “government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East,” and “we anticipate there are additional victims in other countries and verticals.”
Microsoft, which is also believed to be helping with the broader investigation into the intrusions against the U.S. government, released a threat warning on Saturday about malicious behavior detected by Microsoft Defender Antivirus, which it had dubbed “Win32/Solorigate.C!dha” — a likely reference to the SolarWinds hack.
CISA tweeted late Sunday night about the “publicly identified nation state backed threat actor activity.” The short statement also noted that the agency was “aware of active exploitation of SolarWinds Orion Platform software … released between March 2020 and June 2020” and CISA “encourages affected organizations to read the SolarWinds and FireEye advisories for more information and FireEye’s GitHub page for detection countermeasures.”
The incident comes weeks after President Trump fired Chris Krebs, who had headed CISA. His role has not been permanently filled.
Last week, the National Security Agency released a cybersecurity advisory warning that “Russian state-sponsored malicious cyber actors are exploiting a vulnerability” in products created by the California-based VMware software company, and that the vulnerability was “allowing the actors access to protected data and abusing federated authentication.” The NSA said then that it “encourages National Security System, Department of Defense, and Defense Industrial Base network administrators to prioritize mitigation of the vulnerability on affected servers.”
If Russian culpability is definitively established for the hacks of U.S. government agencies, it would harken back to Russia’s large-scale hacking of the State Department in 2014. Cyber actors affiliated with Russia’s Main Intelligence Directorate of the General Staff, or GRU, were also named by the U.S., including in federal indictments from special counsel Robert Mueller, as responsible for the hacking of the Democratic National Committee’s email systems in 2016.
Comments are closed.