U.S. Hack on Government Agencies Affects Microsoft and Many More
The alert from the Cybersecurity and Infrastructure Security Agency (CISA) also warns that removing the hackers from compromised systems won't be easy.
UPDATE: Microsoft was also hacked, according to Reuters, citing unnamed sources. The company's own software tools were then used to attack other victims. However, Microsoft President Brad Smith is denying the report.
The massive hack against the US government may be much worse than previously thought.
On Thursday, Politico reported the hackers broke into the US Energy Department and National Nuclear Security Administration, which maintains the country's nuclear weapons stockpile. However, it remains unclear what the culprits might have accessed.
On the same day, the cybersecurity division under the Department of Homeland Security warned the massive breach was pulled off using a variety of tactics. “CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform; however, these are still being investigated,” the Cybersecurity and Infrastructure Security Agency said in the alert.
The mention of additional "access vectors" refers to a report from the cybersecurity firm Volexity, which revealed evidence the same culprits hacked a think tank by exploiting a vulnerability in its Microsoft Exchange Control Panel. The attackers then bypassed the multi-factor authentication system to access a victim's email inbox.
As a result, it’s possible the culprits behind the breach may have hit more victims through other vulnerable software. The other bad news deals with recovering from the attack. “CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations,” the agency added.
CISA's alert goes on to describe the threat as a “grave risk” to not only the federal government, but also to state, local, and tribal governments, in addition to organizations that run the US’s critical infrastructure. Investigators currently believe the breach began in March.
CISA refrained from naming specific victims. But according to The Washington Post, the suspected Russian state-sponsored hackers hit several federal agencies, including DHS and the State, Commerce, and Treasury Departments. The attackers did so by tampering with software updates from IT company SolarWinds, enabling the culprits to distribute malicious computer code to about 18,000 customers.
As the US grapples with the hack’s full scope, lawmakers are concerned the breach may have also ensnared US taxpayer data since the IRS appears to have been a SolarWinds customer.
On Thursday, Senators Chuck Grassley (R-Iowa) and Ron Wyden (D-Oregon) sent a letter to the IRS’s commissioner demanding a briefing on the matter. “It is imperative that we understand the extent to which the IRS may have been compromised. It is also critical that we understand what actions the IRS is taking to mitigate any potential damage,” the senators wrote.
The IRS did not immediately respond to a request for comment. In the meantime, the incoming Biden administration has said it'll make "cybersecurity a top priority at every level of the government" in response to the hack.
"But a good defense isn't enough; we need to disrupt and deter our adversaries from undertaking significant cyber attacks in the first place," the statement from the Biden transition team added.