US cyber officials warned that the massive espionage campaign unearthed this week posed a grave risk to the government, critical infrastructure and private sector, as the US department of energy was the latest agency to confirm it had been breached.
Microsoft also admitted late on Thursday that it had been hacked, making it the second tech company, after FireEye, to be caught up in what is quickly turning into the most sweeping cybersecurity crisis on record.
Thousands of businesses and US government agencies may have been exposed after downloading compromised software from Texas-based IT group SolarWinds. Brad Smith, Microsoft president, said the software company had identified 40 customers that had been breached, and called it an act of recklessness that created a serious technological vulnerability for the United States and the world.
The energy department said on Thursday that it was responding to a cyber incident as part of an ongoing investigation.
However, a spokesperson for the agency said there was no evidence so far that the attack had any impact on national security functions, including the National Nuclear Security Administration, which is responsible for managing and safeguarding the US nuclear weapons arsenal. Politico first reported the energy department breach.
The US Cybersecurity and Infrastructure Security Agency warned that the hackers had also gained access to systems using means other than the SolarWinds software, and of the difficulty involved in finding and removing hackers from compromised systems.
Cisa said the hackers had demonstrated sophistication and complex tradecraft in these intrusions and that it would be highly complex and challenging to eject the perpetrators.
It added that it had evidence of access vectors, other than the SolarWinds Orion platform which were being investigated. Microsoft said it had found absolutely no indications that our systems were used to attack others.
The agency cited a report published by cyber group Volexity detailing attacks by the same hackers against an unnamed US think-tank, including one that used new methods to bypass multi-factor authentication security.
FireEye, SolarWinds and some US officials have blamed nation-state hackers for the breach, which first came to light at the end of last week. Cyber security experts, plus several politicians, have singled out Russian intelligence as the culprit, although Russia has strongly denied any involvement.
Todays classified briefing on Russias cyber attack left me deeply alarmed, in fact downright scared, Richard Blumenthal, Democratic senator from Connecticut wrote on Twitter on Wednesday. Americans deserve to know whats going on. Declassify whats known and unknown.
On Thursday, House committees for homeland security and oversight announced they were launching a probe into the hack, urging the FBI, the DHS and the intelligence agencies to share more information about the scale and implications of the attack. They also requested a classified inter-agency briefing on Friday.
While investigations and technical forensic analyses are still ongoing, based on preliminary reporting, it is evident that this latest cyber intrusion could have potentially devastating consequences for US national security, the committees chairs said.
President-elect Joe Biden also said in a statement that he had been briefed by US government officials on the attack and vowed to impose substantial cost on adversaries who penetrate US computer systems.
We need to disrupt and deter our adversaries from undertaking significant cyber attacks in the first place, Mr Biden said. Our adversaries should know that, as president, I will not stand idly by in the face of cyber assaults on our nation.
Cisa warned that the hackers demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks.
The agency also confirmed reports that, once inside a victims networks, the hackers were able to pose as other accounts and gain privileged access to certain systems, such as email services, travel services and file storage services.
In particular, it said it had seen adversaries targeting email accounts belonging to key personnel, including IT and incident-response personnel.
As a result, it warned that discussion of findings and mitigations should be considered very sensitive, and should be protected by operational security measures. It recommended that victims communicate via other channels that have not been exposed in any way.
FireEye said on Wednesday it had identified a kill switch that could stop the attackers from continuing to lurk inside networks in some cases.
– Copyright The Financial Times Limited 2020
Microsoft and FireEye admit they have been hacked in what could be the biggest cybersecurity crisis ever
