SolarWinds Attackers Accessed DHS Emails, Report


Current and former administration sources say the nation-state attackers were able to read the Homeland Security Secretary’s emails, among others.

The SolarWinds cyberattackers compromised the email of the Trump-era head of the Department of Homeland Security (DHS) and of other top-ranking members of the department’s cybersecurity staff, according to a report.

In the campaign, adversaries used SolarWinds’ Orion network management platform as the delivery vehicle: a custom backdoor called Sunburst was pushed to customers inside trojanized product updates. Sunburst reached almost 18,000 organizations around the globe, beginning in March 2020, before the campaign was discovered in December 2020. Because the backdoor was present on every host that installed a poisoned update, the attackers could then pick and choose which organizations to penetrate further. The resulting cyberespionage campaign hit nine U.S. government agencies and about 100 private-sector companies, including Microsoft.

The Associated Press reported, citing anonymous government sources, that as part of the federal-government infiltration the hackers were able to access the email accounts of then-acting Secretary Chad Wolf and his staff.

“The SolarWinds hack was a victory for our foreign adversaries, and a failure for DHS,” Sen. Rob Portman (R-Ohio), ranking member of the Senate’s Homeland Security and Governmental Affairs Committee, told the AP. “We are talking about DHS’s crown jewels.”

In the wake of the discovery of the massive operation, DHS officials, including Wolf, switched to using new mobile phones with Signal encrypted messaging to communicate, officials told the AP.

DHS spokesperson Sarah Peck told the outlet that “a small number of employees’ accounts were targeted in the breach” and that the agency “no longer sees indicators of compromise on our networks.”

It’s unclear whether the information in the emails was of a classified nature.

“If there is a silver lining in this news, it’s that we should expect that protocols related to information classification should have precluded more sensitive details from being directly accessible and exposed without a hostile, foreign actor first finding access and exfiltration channels on classified networks,” said Tim Wade, technical director on the CTO team at Vectra, via email. “Nevertheless, even unclassified communication between sensitive parties can disclose a great deal of actionable intelligence – the apprehensions raised by this story should not be minimalized.”

FAA, DoE Also Affected

One source, an administration official under Trump, also confirmed that the Federal Aviation Administration was among the agencies affected by the attacks. The person noted that the FAA struggles with outdated and legacy software, to the point that it did not know “for weeks” how many of its servers were running SolarWinds software.

Meanwhile, at the Department of Energy, the AP investigation revealed that the adversaries were able to access top officials’ schedules, including that of then-Secretary Dan Brouillette. Schedules are not confidential, however, and a DoE spokesperson said the department “has found no evidence the network that maintains senior officials’ schedules was compromised.”

Ongoing Federal SolarWinds Response

The Biden administration is taking steps to address the aftereffects of the SolarWinds campaign throughout the federal government. For instance, the just-passed COVID-19 stimulus package includes $650 million in funding for the Cybersecurity and Infrastructure Security Agency (CISA) to help with ongoing cyber-defense.

Also, President Biden is expected to issue an executive order as soon as this week. According to a draft order obtained by Reuters, the executive order would mandate a “software bill of materials” for all packages in use across the government, detailing the source of all code, including open-source and partner components. It would also require federal agencies to use multifactor authentication and data encryption, and would require vendors to disclose any security issues, vulnerabilities or breaches to their government customers.

The Biden administration tapped Rob Joyce, who formerly served at the U.S. Embassy in London, to lead the cybersecurity division at the National Security Agency. He inherited the job from Anne Neuberger, who left the post to serve as deputy national security adviser for the National Security Council, putting her in charge of cybersecurity for the entire federal government.

Neuberger has been assigned to respond to the SolarWinds attack.
