SolarWinds Hack: Lawmakers Demand Answers
Republicans and Democrats Alike Seek Information From Agencies
This story has been updated.
Republican and Democratic lawmakers are pressing government agencies for answers following disclosures this week about an advanced persistent threat group's massive hacking efforts involving compromised SolarWinds Orion network management software (see: Microsoft Finds Backdoor; CISA Warns of New Attack Vectors).
Secretary of State Mike Pompeo said in a Friday evening radio interview that "the Russians engaged in this activity."
"I can’t say much more as we’re still unpacking precisely what it is, and I’m sure some of it will remain classified," Pompeo said, according to a transcript provided by the State Department. "But suffice it to say there was a significant effort to use a piece of third-party software to essentially embed code inside of U.S. government systems, and it now appears systems of private companies and companies and governments across the world as well. This was a very significant effort, and I think it’s the case that now we can say pretty clearly that it was the Russians that engaged in this activity."
In a pair of tweets on Saturday, President Donald Trump appeared to question whether Russia was involved in the hacking operation and opened up the possibility that China may have played a role (see: President Trump Downplays Impact of SolarWinds Breach).
"The Cyber Hack is far greater in the Fake News Media than in actuality," Trump tweeted. "Russia, Russia, Russia is the priority chant when anything happens because Lamestream is, for mostly financial reasons, petrified of discussing the possibility that it may be China (it may!)."
On Thursday, the House committees on Homeland Security and Oversight and Reform announced they have launched investigations into the hacking campaign, which hit government agencies as well as corporations.
Meanwhile, Sen. Chuck Grassley, the Republican chair of the Senate Finance Committee, and the panel’s top-ranking Democrat, Ron Wyden, sent a letter to the Internal Revenue Service demanding additional information about whether taxpayer information and other data may have been affected by a breach at the Treasury Department.
President-elect Joe Biden issued a statement about the attacks and the ongoing investigations, noting that he plans to make the SolarWinds breach probe a top cybersecurity priority for his administration when he's sworn in next month.
On Friday, Reuters reported that the Trump administration held a classified briefing about the attacks for some lawmakers. But the briefing reportedly provided few details.
More Than One Attack Vector
The Cybersecurity and Infrastructure Security Agency warned on Thursday that the compromise of the SolarWinds Orion platform "is not the only initial infection vector this actor leveraged."
Security blogger Brian Krebs reported Friday that sources claimed a vulnerability in some of VMware's products could have served as an additional attack vector. But a company spokesperson says that no agencies have contacted it about this possibility. Earlier this month, the National Security Agency warned that Russian-linked hackers were trying to exploit this flaw (see: NSA: Russian Hackers Exploiting VMware Vulnerability).
In addition to federal agencies, the APT group’s campaign has affected corporations, including Intel and Cisco. Microsoft acknowledged Thursday that it found traces of malicious code used in the operation within its network.
Microsoft has identified 40 of its customers that were targeted "more precisely" by the APT group, writes Brad Smith, the company’s president. Those customers downloaded the malicious SolarWinds updates and were "compromised through additional and sophisticated measures," he writes.
On Thursday, Homeland Security Committee Chair Bennie Thompson, D-Miss., and Oversight and Reform Committee Chair Carolyn Maloney, D-NY, sent a joint letter to the FBI, Department of Homeland Security and Office of the Director of National Intelligence demanding information about the SolarWinds-related breach investigation.
"Our committees are seeking information related to the apparent widespread compromise of multiple federal government [agencies], critical infrastructure and private sector information technology networks. While investigations and technical forensic analyses are still ongoing, based on preliminary reporting, it is evident that this latest cyber intrusion could have potentially devastating consequences for U.S. national security," Thompson and Maloney write.
The FBI, CISA and ODNI released a joint statement Wednesday acknowledging the attack and revealing that a Cyber Unified Coordination Group has been created to coordinate a response.
"As the lead for threat response, the FBI is investigating and gathering intelligence in order to attribute, pursue and disrupt the responsible threat actors," the joint statement says. "The FBI is engaging with known and suspected victims, and information gained through the FBI’s efforts will provide indicators to network defenders and intelligence to our government partners to enable further action."
Questions for IRS
In their letter, Sens. Grassley and Wyden asked the IRS for additional information about the breach and the steps that have been taken to ensure that citizens' data has not been compromised. The two senators note that the IRS, which is one of the largest agencies within the Treasury Department, has been a SolarWinds customer since 2017.
"Given the extreme sensitivity of personal taxpayer information entrusted to the IRS, and the harm both to Americans' privacy and our national security that could result from the theft and exploitation of this data by our adversaries, it is imperative that we understand the extent to which the IRS may have been compromised," the senators write. "It is also critical that we understand what actions the IRS is taking to mitigate any potential damage, ensure that hackers do not still have access to internal IRS systems and prevent future hacks of taxpayer data."
It's not known if the IRS was targeted during this attack, which hit the Treasury Department, its parent agency. The Wall Street Journal reported Thursday that the IRS has, so far, ignored requests from the lawmakers for additional information and details.
Pressing for More Details
In yet another bipartisan effort, a group of senators is seeking more details from the FBI and CISA about the security breach.
In a letter, the lawmakers seek details about how many federal agencies are SolarWinds customers; what data, including classified information, might have been exposed; and the roles that CISA and the FBI are playing in the investigation.
"We are seeking all available information on the scope and details of the recently exposed vulnerability’s impacts on the U.S. federal government," according to the letter, which was signed by Republican senators Jerry Moran, Roger Wicker and John Thune and Democrats Maria Cantwell, Richard Blumenthal and Jeanne Shaheen.
Meanwhile, the Government Accountability Office issued a report this week noting that many federal agencies are not doing enough to protect against attacks originating with third-party suppliers that are part of the global supply chain. The report was commissioned before details emerged this week about the SolarWinds breach.
And The New York Times reported Wednesday that the Department of Homeland Security's intrusion detection system, known as Einstein, failed to detect the attacks against government agencies.