U.S. Treasury, Commerce Depts. Hacked Through SolarWinds Compromise

Washington — U.S. government agencies were ordered to scour their networks for malware and disconnect potentially compromised servers after authorities learned that the Treasury and Commerce departments had been hacked in a months-long global cyberespionage campaign. The campaign was discovered when FireEye, a prominent cybersecurity firm, learned that it had itself been breached.

In a rare emergency directive issued late Sunday, the Department of Homeland Security's cybersecurity arm warned of an "unacceptable risk" to the executive branch from a feared large-scale penetration of U.S. government agencies that could date back to mid-year or earlier.
"This can turn into one of the most impactful espionage campaigns on record," said cybersecurity expert Dmitri Alperovitch.

And all federal civilian agencies have been told to disconnect from SolarWinds Orion, a network management and monitoring platform being exploited by "malicious actors."

Government, technology, and telecom organizations across North America, Europe, Asia, and the Middle East had all fallen victim to "a global campaign" employing "top-tier operations tradecraft and resources," FireEye said.

And this was consistent with state-sponsored attackers "patiently conducting reconnaissance [and] consistently covering their tracks."

The UK's National Cyber Security Centre (NCSC) said it was working closely with FireEye.

"Investigations are ongoing, and we are working extensively with partners and stakeholders to assess any UK impact," it said.

'Highly sophisticated'
SolarWinds said its 300,000 global customers included all five branches of the US military, the Pentagon, the State Department, and the Office of the President of the United States - and that all users of its Orion platform should upgrade immediately to address a "security vulnerability."

Software updates for the Orion platform released between March and June this year had been compromised with malicious code, in a "highly sophisticated... extremely targeted" attack, probably by a nation-state, it said.

The monitoring software gives IT staff broad visibility into, and remote access to, computers across corporate networks, which is what makes a tampered update to it so valuable to an intruder.

And the fact the attackers had been able to monitor internal Treasury Department emails may be just the "tip of the iceberg," the Reuters news agency reported.


Analysis box by Gordon Corera, the security correspondent
GCHQ's head has described the compromises as "serious events," and British intelligence officials are now racing to see what exposure the UK may have.

Several UK government departments and other organizations use SolarWinds. The first task is to establish whether they were using a particular software package - Orion.

If they do and they have it configured in a particular way and took an update since the end of March, they may have a backdoor installed in their system.

The next question will be whether hackers used that access to steal data. Not everyone may be seen as a target worth exploiting.

The US was a few days ahead in learning about the compromise and checking its systems.

Intelligence officials say this was a highly sophisticated operation, but they are wary of attributing it to a particular group or state.

Some US reports have identified Russia's SVR intelligence agency, but UK officials say it is too early to comment.


'Necessary steps'
Three people familiar with the investigations into the attack told Reuters Russia was believed to be behind it.

But Russia's foreign ministry described the allegations as "baseless" in a statement on Facebook.

In an emergency directive, the US Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security, said the attack had a high potential to compromise government systems.

The directive orders all federal civilian agencies to disconnect or power down SolarWinds Orion products until further notice.
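A triage check of the kind the directive implies, as an added example that is not from the article, from SolarWinds or from CISA: this PowerShell snippet, meant to be run in an elevated session on a Windows host suspected of running Orion, lists installed SolarWinds products from the Windows Uninstall registry keys, flags any Orion product whose recorded install date falls on or after 31 March 2020 (the "since the end of March" window the article's analysis gives), and lists SolarWinds services so they can be stopped before the host is isolated. The registry paths and cmdlets are standard Windows ones; the assumption that an Orion install or upgrade refreshes the InstallDate value, the cut-off date, and the name matching are this example's own assumptions, not anything the page or the vendor states.

```powershell
# Added example: inventory SolarWinds products and services on a Windows host.
# Assumptions (not from the article): MSI-based Orion installs/upgrades record
# DisplayName, DisplayVersion and InstallDate (yyyyMMdd) under the Uninstall keys,
# and 2020-03-31 stands in for the "end of March" cut-off quoted in the article.

$cutoff = [datetime]'2020-03-31'
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$products = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*SolarWinds*' } |
    ForEach-Object {
        $installed = $null
        if ($_.InstallDate -match '^\d{8}$') {
            $installed = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
        }
        [pscustomobject]@{
            Product     = $_.DisplayName
            Version     = $_.DisplayVersion
            InstallDate = $installed
            # An Orion product installed or upgraded in the suspect window, or with
            # no readable date, is flagged for disconnection under the directive.
            Flag        = ($_.DisplayName -like '*Orion*') -and
                          ($null -eq $installed -or $installed -ge $cutoff)
        }
    }

if (-not $products) {
    Write-Output 'No SolarWinds products found in the Uninstall registry keys.'
} else {
    $products | Sort-Object InstallDate | Format-Table -AutoSize
}

# Running SolarWinds services: stop these before the host is isolated.
$services = Get-Service | Where-Object { $_.DisplayName -like '*SolarWinds*' }
if ($services) {
    $services | Select-Object Name, DisplayName, Status | Format-Table -AutoSize
    # Uncomment to actually stop them (requires an elevated session):
    # $services | Where-Object Status -eq 'Running' | Stop-Service -Force
}
```

The flag is deliberately conservative: a host that reports Orion with an unreadable or missing install date is treated as suspect rather than clean, since the directive's remedy is to disconnect first and investigate afterwards.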

US National Security Council official John Ullyot said the government was "taking all necessary steps to identify and remedy any possible issues related to this situation."


Analysis box by Joe Tidy, Cyber reporter
In the world of cyber-security, it's often hard to work out the scale of hacks.

We are told as little as possible, and often the victims don't know much themselves at first.

When, last week, it was revealed FireEye had been hacked, it was like watching a horror film where the main character is looking through a dark basement, and her torch lights up something sinister.

The latest news is akin to a switch being flicked, and the full horror scene is revealed.

It turns out FireEye was just a small part of a much larger and more serious hack attack.

The so-called supply-chain attack means hackers effectively have access to all of SolarWinds's customers.

And looking at its client list - with some household-name companies and the US military - is truly chilling.

US government cyber-teams are in full crisis mode now - but once a hack has been discovered, it's often too late.

This article was written on 15 December 2020.
