The Cybersecurity and Infrastructure Security Agency (CISA) warned today that threats to government networks caused by previously reported breaches of SolarWinds Orion products pose a “grave risk” to Federal government, state, tribal and territorial governments, critical infrastructure entities, and other private-sector organizations.
The alert issued by CISA on Dec. 17 ratchets up the stated threat implications of the breach, and says that the hackers behind the effort – believed to be Russian government intelligence services – have used additional attack vectors. Further, it warned that quelling the cyber attacks won’t be easy.
“CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform; however, these are still being investigated,” the agency said, adding it will update its alert when it gets more information. “The SolarWinds Orion supply chain compromise is not the only initial infection vector this APT actor leveraged,” CISA emphasized.
The agency said it’s now “aware of compromises of U.S. government agencies, critical infrastructure entities, and private sector organizations” by an advanced persistent threat (APT) actor beginning in at least March 2020. CISA didn’t name the agencies and entities that have been targeted.
“This APT actor has demonstrated patience, operational security, and complex tradecraft in these intrusions,” CISA said, adding it “expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations.”
“This is a patient, well-resourced, and focused adversary that has sustained long duration activity on victim networks,” CISA said.
The agency added that not all organizations “that have the backdoor delivered through SolarWinds Orion have been targeted by the adversary with follow-on actions,” but said organizations with suspected compromises “need to be highly conscious of operational security, including when engaging in incident response activities and planning and implementing remediation plans.”
Meanwhile, the House Homeland Security and Oversight and Reform committees said today they are launching an investigation into the breaches, and want more information from intelligence agency officials in a closed briefing by tomorrow, Dec. 18.
In their Dec. 17 letter to Director of National Intelligence John Ratcliffe, Homeland Security Acting Secretary Chad Wolf, and FBI Director Christopher Wray, the committee heads asked for “damage assessments of this attack, including interim analyses” as soon as possible.
“While investigations and technical forensic analyses are still ongoing, based on preliminary reporting, it is evident that this latest cyber intrusion could have potentially devasting consequences for U.S. national security,” said House Homeland Security Committee Chairman Bennie Thompson, D-Miss., and House Oversight and Reform Chairwoman Carolyn Maloney, D-N.Y., in their letter.
They cited news reports – but provided no confirmation – that the departments of Treasury, Commerce, State, and Homeland Security, along with the National Institutes of Health, had been impacted by the breach.
And they reinforced that the scope of the attack and its impact are still far from fully known, citing a CISA briefing to congressional staff on Dec. 14 warning that “it will take weeks, if not months, to determine the total number of agencies affected by the attack and the extent to which sensitive data and information may have been compromised.”
The House committee chairs said it’s imperative that their panels get the latest information on the breaches, including classified intelligence, on the extent of damage from the breach and what the Trump administration is doing to prevent further damage, secure networks, and take action against the attackers.
Finally, President-elect Biden weighed in on the cyber breach, saying, “there’s a lot we don’t know, but what we do know is a matter of great concern.”
“My administration will make cybersecurity at top priority at every level of government – and we will make dealing with this breach a top priority from the moment we take office,” Biden pledged. He added, “a good cyber defense isn’t enough; we need to disrupt and deter our adversaries from undertaking significant cyber attacks in the first place.”
Separately, Politico reported late Thursday that the Department of Energy (DoE) and the National Nuclear Security Administration have “evidence that hackers accessed their networks,” citing unnamed officials. DoE has not officially confirmed the details of that report.