The Energy Department and its National Nuclear Security Administration (NNSA), which is the agency that maintains the U.S. nuclear stockpile, have been compromised as part of the widespread cyberattack uncovered this week stemming from the massive SolarWinds hack.
An exclusive report by Politico cited DoE official sources who said that their department had been infiltrated by the attackers, with hits on the NNSA; the Federal Energy Regulatory Commission (FERC), which has oversight for the entire department; the Sandia and Los Alamos national laboratories in Washington and New Mexico; and the Richland Field Office of the DoE. The DoE confirmed the compromise on Friday.
NBC News on Thursday evening said that it had confirmed the report.
The sources also said that not only was the DoE caught up in the espionage portion of the campaign, but that the attackers had been able to do “more damage at FERC than the other agencies,” and that there is evidence of “highly malicious activity” aimed there. The officials offered no other details.
DoE and NNSA officials have begun notifying their congressional oversight bodies, sources added.
With the DoE, the number of government departments known to be affected comes to six; the others are the Pentagon, the Department of Homeland Security, the National Institutes of Health, the Department of the Treasury and the Department of Commerce.
The Cybersecurity and Infrastructure Security Agency (CISA) warned earlier on Thursday that the already sprawling cyberattack could be much larger than originally thought. The known attack vector for the incident is SolarWinds’ Orion network management platform, whose users were infected by a stealth backdoor that opened the way for lateral movement to other parts of the network. It was pushed out via trojanized product updates to almost 18,000 organizations around the globe.
Now, it appears that SolarWinds may not be alone in its attack-vector role in the campaign. “CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform; however, these are still being investigated,” it said in an updated bulletin on Thursday.
CISA, meanwhile, whose top official, Christopher Krebs, was fired after calling the 2020 U.S. presidential election secure, told FERC that it was overwhelmed and lacked the resources to respond properly, sources said.
The full extent of the attack is unknown, as are the perpetrators. Researchers and lawmakers alike, citing the highly sophisticated nature of the attack, have said the intrusions were likely carried out by Russian intelligence. On Saturday, Secretary of State Mike Pompeo said that all evidence points to Russia.
Updated on Saturday at Noon ET to reflect Pompeo’s attribution remarks.