Specifically, the Cybersecurity and Infrastructure Security Agency said it has determined that the SolarWinds Orion software vulnerability disclosed earlier this week is not the only way hackers compromised a variety of online networks — warning that in some cases, victims appeared to have been breached despite never using the problematic software.
The news will likely only compound already escalating concerns about the scale and scope of the data breach, which CISA said Thursday “poses a grave risk” to networks across both the public and private sector.
“CISA has determined that this threat poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations,” the alert issued by the agency said. “CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations.”
The agency also acknowledged Thursday that the hackers used “tactics, techniques and procedures that have not yet been discovered,” adding that it is continuing to investigate whether, and how, other intrusion methods may have been used since the campaign began months ago.
The analysis comes as the list of US agencies, private companies and other entities affected by the hacking campaign continues to increase.
Hours after the CISA alert was released, the US Energy Department said it had evidence that hackers accessed some of its networks using the same malware associated with the ongoing data breach already impacting almost half a dozen federal agencies.
The department maintains that the impact has been “isolated to business networks” and “has not impacted the mission essential national security functions of the Department, including the National Nuclear Security Administration (NNSA),” which oversees the nation’s stockpile of nuclear weapons.
Energy Department Spokeswoman Shaylyn Hynes also said once the department identified its vulnerable software, “immediate action was taken to mitigate the risk, and all software identified as being vulnerable to this attack was disconnected from the DOE network.”
Politico was first to report a possible intrusion at DOE.
“It’s a certainty that the number and location of victims will keep growing,” said Microsoft President Brad Smith, who added that the company has worked to notify the affected organizations.
Soul searching and finger pointing
The wide-ranging and extraordinary intrusion has launched a technical soul-searching mission among the government’s leading cyber officials and outside experts over how this months-long, ongoing cyber campaign managed to go undetected for so long.
On Wednesday night, the US government’s top security agencies formally acknowledged in a joint statement that the ongoing cyber campaign was still active. The revelations come at a particularly fraught time during a divisive presidential transition and after an election that had been, by all accounts, free of foreign interference.
Wednesday’s joint statement by the FBI, intelligence community and the cyber arm of the Department of Homeland Security served partially as an admission of their own shortcomings, clearly stating that those charged with protecting the nation from foreign cyber threats only learned of the massive intrusion in the past “several days.”
While US officials said they only learned of the data breach in recent days, an early indicator of SolarWinds’s security issues emerged last fall, after an independent researcher contacted the company saying he had found one of its update servers on the public internet.
The server was protected by a weak password: “solarwinds123,” according to the researcher, Vinoth Kumar. Emails from Kumar’s exchange reviewed by CNN showed that SolarWinds corrected the credential issue, but Kumar told CNN that he determined the server had been accessible to the public since at least June 2018.
SolarWinds declined to comment.
The ongoing cyber campaign itself began as early as March of this year, CISA said Thursday, but experts tell CNN that hackers likely accessed government networks before then.
“It appears the Russians had six to nine months of ‘persistent access’ to some Department of Homeland Security networks,” said Tony Lawrence, CEO and founder of Light Rider, a cybersecurity firm that has clients in both the public and private sector. “If this is the case, it means the Russians had the ability to navigate all networks and control select US homeland security networks during this time.”
Several sources have since confirmed that the US government was unaware of the breach until the end of last week or when CISA went public on Sunday night, fueling concerns about how the hackers managed to evade detection by these agencies for several months.
“It’s complicated in the sense, the way our government is organized, it’s not even clear given our existing framework in this country, what agency would actually have the primary jurisdiction over this entire matter,” acting chairman of the Senate Intelligence Committee, Florida Republican Sen. Marco Rubio, told CNN Thursday.
Security experts have also raised concerns about the Trump administration’s elimination of the cyber coordinator position on the National Security Council. CNN reported at the time that the elimination, which came just weeks into former national security adviser John Bolton’s tenure, was part of an effort to “streamline authority for National Security Council Senior Directors.”
“There is not a person whose job it is to coordinate the whole of government response right now in this administration,” said Carrie Cordero, a senior fellow and general counsel at the Center for a New American Security and CNN legal and national security analyst. “Despite what will be good efforts by people at working levels across agencies, that’s not a replacement for high level leadership, which I don’t think will exist until the next administration.”
The House and Senate Intelligence Committees were briefed on the matter Wednesday, but lawmakers have since made clear that there are still more questions than answers. The House Oversight and Homeland Security Committees sent a letter to the nation’s top national security officials Thursday requesting more information about the ongoing investigation.
US officials and cyber security experts are warning that the incident should serve as a wake-up call for both the federal government — including the incoming Biden administration — and private sector companies, as foreign actors will undoubtedly conduct similar attacks and improve their tactics in the future.
What comes next?
Going forward, there is likely to be increased scrutiny of the Department of Homeland Security’s EINSTEIN system, which is intended to prevent intrusions and detect malicious traffic on federal computer networks.
The system is based on finding known malicious activity and works well if it knows what it’s looking for, according to a former senior DHS official.
“If you don’t know what you’re looking for, it’s a problem,” the official said, adding that it will likely raise concerns among lawmakers who have allocated billions of dollars for the program. The incoming Biden administration will need to take a “hard look at Einstein,” the former official said.
However, it’s unclear if the current systems in place would have caught the latest hack.
“Even if everything was highly effective in the government’s cyber security, it’s quite likely this breach wouldn’t have been caught,” said Vijay A. D’Souza, a GAO Director on the Information Technology and Cybersecurity Team, based on outside research done on the incident. GAO has not yet done an independent analysis.
“Agencies are going to have to continue to do more to build all the pieces of the puzzle, so if they do get hacked — how do they figure out what happened and clean up afterward in the event they can’t catch something.”
D’Souza said agencies are lacking in their “logging” capabilities — the ability to go back and look at a network and figure out what occurred in the wake of a breach.
“Our work has generally found that agencies don’t keep enough of this data. They don’t have the ability to pull it together and they don’t have the ability to figure out that kind of research,” he said.