The SolarWinds cyberattackers compromised the email accounts of the head of the Department of Homeland Security (DHS) under former President Trump and of other top-ranking members of the department’s cybersecurity staff, according to a report.
In the campaign, adversaries used SolarWinds’ Orion network management platform to infect targets, pushing out a custom backdoor called Sunburst via trojanized product updates. Sunburst was delivered to almost 18,000 organizations around the globe starting last March, before being discovered in December. With Sunburst embedded, the attackers could then pick and choose which organizations to penetrate further, in a massive cyberespionage campaign that hit hard at nine U.S. government agencies and roughly 100 other organizations, including tech companies like Microsoft. Receiving the trojanized update did not by itself mean an organization was singled out for follow-on intrusion, but every recipient had to treat it as a potential foothold.
The Associated Press reported that as part of the federal government infiltration, the hackers were able to access the email accounts of then-acting Secretary Chad Wolf and his staff, according to anonymous government sources.
“The SolarWinds hack was a victory for our foreign adversaries, and a failure for DHS,” Sen. Rob Portman (R-Ohio), ranking member of the Senate’s Homeland Security and Governmental Affairs Committee, told the AP. “We are talking about DHS’s crown jewels.”
In the wake of the discovery of the massive operation, DHS officials, including Wolf, switched to new mobile phones and the Signal encrypted-messaging app to communicate, officials told the AP.
DHS spokesperson Sarah Peck told the outlet that “a small number of employees’ accounts were targeted in the breach” and that the agency “no longer sees indicators of compromise on our networks.”
It’s unclear whether the information in the emails was of a classified nature.
“If there is a silver lining in this news, it’s that we should expect that protocols related to information classification should have precluded more sensitive details from being directly accessible and exposed without a hostile, foreign actor first finding access and exfiltration channels on classified networks,” said Tim Wade, technical director on the CTO team at Vectra, via email. “Nevertheless, even unclassified communication between sensitive parties can disclose a great deal of actionable intelligence – the apprehensions raised by this story should not be minimalized.”
FAA, DoE Also Affected
One source, an administration official under Trump, also confirmed that the Federal Aviation Administration was among the agencies affected by the attacks. The person noted that the FAA struggles with outdated and legacy software, to the point that it did not know “for weeks” how many of its servers were running SolarWinds software. An incomplete asset inventory is a problem in its own right: an organization that cannot enumerate its Orion installations cannot tell which hosts received the trojanized update or scope the cleanup.
Meanwhile, at the Department of Energy, the AP investigation revealed that the adversaries were able to access top officials’ schedules, including that of then-Secretary Dan Brouillette. Schedules are not treated as confidential information, however, and a DoE spokesperson said that the department “has found no evidence the network that maintains senior officials’ schedules was compromised.”
Ongoing Federal SolarWinds Response
The Biden administration is taking steps to address the aftereffects of the SolarWinds campaign throughout the federal government. For instance, the just-passed COVID-19 stimulus package includes $650 million in funding for the Cybersecurity and Infrastructure Security Agency (CISA) to help with ongoing cyber-defense.
Also, President Biden is expected to issue an executive order as soon as this week. According to a draft order obtained by Reuters, the executive order would mandate a “software bill of materials” for software in use across the government, detailing the source of all code, including open-source and partner components. It would also require the use of multifactor authentication and data encryption at federal agencies, and vendors would be required to disclose any security issues, vulnerabilities or breaches to their government users.
The Biden administration tapped Rob Joyce, who formerly served as the NSA’s representative at the U.S. Embassy in London, to lead the cybersecurity division at the National Security Agency. He inherited the job from Anne Neuberger, who left the post to serve as deputy national security adviser on the National Security Council, a role the report describes as putting her in charge of cybersecurity across the federal government. Neuberger has been assigned to lead the response to the SolarWinds attack.
Further Reading:
- Executive Order Would Strengthen Cybersecurity Requirements for Federal Agencies
- SolarWinds Orion Bug Allows Easy Remote-Code Execution and Takeover
- Mimecast Confirms SolarWinds Hack as List of Security Vendor Victims Snowball
- Malwarebytes Hit by SolarWinds Attackers
- SolarWinds Malware Arsenal Widens with Raindrop
- SolarWinds Hack Potentially Linked to Turla APT
- SolarWinds Hires Chris Krebs, Alex Stamos in Wake of Attack
- Microsoft Caught Up in SolarWinds Spy Effort, Joining Federal Agencies
- Sunburst’s C2 Secrets Reveal Second-Stage SolarWinds Victims
- Nuclear Weapons Agency Hacked in Widening Cyberattack
- The SolarWinds Perfect Storm: Default Password, Access Sales and More
- DHS Among Those Hit in Sophisticated Cyberattack by Foreign Adversaries
- FireEye Cyberattack Compromises Red-Team Security Tools