White House Establishes Group to Investigate Exchange Attacks
Federal Agencies Working on Incident Response, Other Issues
The White House on Wednesday unveiled the formation of a Unified Coordination Group to lead the government's response to attacks exploiting unpatched vulnerabilities in on-premises Microsoft Exchange email servers.
Representatives of the FBI, the Cybersecurity and Infrastructure Security Agency and the Office of the Director of National Intelligence are participating in the new group. The National Security Agency is providing support.
The group, which was established last week, held its first meeting Monday, with representatives of Microsoft and other firms attending, White House press secretary Jen Psaki says.
"We invited the private sector partners based on their specific insights to this incident," Psaki said Wednesday. At its first meeting, the group "discussed the remaining number of unpatched systems, malicious exploitation and ways to partner together on incident response."
This week, Check Point Research released a report that found that the number of attempts worldwide to exploit vulnerable on-premises Exchange mail servers increased tenfold over a recent five-day period. About 17% of these exploits have targeted U.S. organizations, Check Point says (see: Microsoft Exchange: Server Attack Attempts Skyrocket).
Microsoft has issued patches for the four Exchange flaws. And this week, it offered a free tool that smaller organizations can use to mitigate the risk of the ProxyLogon flaw until a patch can be implemented (see: Microsoft Issues Mitigation Tool for an Exchange Server Flaw).
Microsoft attributed the original attacks to a Chinese hacking group it calls Hafnium. But the security firm ESET says at least 10 advanced persistent threat groups have been exploiting the unpatched flaws. This has led to an increase in ransomware attacks.
In announcing the Unified Coordination Group, Anne Neuberger, the deputy national security adviser for cyber and emerging technology, noted: "This administration is committed to working with the private sector to build back better - including to modernize our cyber defenses and enhance the nation’s ability to respond rapidly to significant cybersecurity incidents."
SolarWinds Supply Chain Attack
The White House is also preparing to respond to the SolarWinds supply chain attack, which investigators believe involved Russian hackers waging a cyberespionage campaign.
The response could include sanctions and actions targeting hacking groups, as well as some policy changes, which could include a security ranking system for software, a senior administration official told reporters last week (see: Exchange Hacks: How Will the Biden Administration Respond?).
Neuberger is coordinating the ongoing federal investigation into the SolarWinds incident.
DHS Director's Comments
Also on Wednesday, Alejandro Mayorkas, secretary of the Department of Homeland Security, testified at a House committee hearing about several issues, including the department's response to the Exchange and SolarWinds attacks.
Mayorkas told the panel that $650 million in new funding for CISA included in the American Rescue Plan economic relief package would help the agency take action to prevent cyberattacks.
"CISA remains laser-focused on protecting and providing assistance to federal civilian agencies and working with the private sector to improve our defenses," Mayorkas told members of the House Homeland Security Committee.
Lack of Leadership
At Wednesday's hearing, Rep. John Katko, R-N.Y., the ranking member of the committee, asked Mayorkas about the lack of a permanent leader for CISA at a time when the department is investigating two major hacking incidents. CISA has been without a Senate-confirmed director since Christopher Krebs was fired by former President Donald Trump in November 2020 (see: Trump Fires Christopher Krebs, Head of CISA).
Mayorkas told the committee that he is working with the White House on selecting a permanent leader. Brandon Wales is serving as acting director.
"We're very focused on filling the vacancies of leadership across the department," Mayorkas said. "It's an issue that I work with the White House every single week. … I will say that yes, we do need politically appointed, Senate-confirmed leadership in a number of positions throughout the Department of Homeland Security."
On Tuesday, Psaki was also asked during her daily press briefing about the lack of a permanent CISA leader as well as the yet-to-be-made appointment of a national cyber director, as required under a law passed last year.
Psaki noted that the White House is conducting a 60-day review of the national cyber director position before sending a nominee's name to the Senate.
"Addressing cyber - ensuring there's an across-government approach - is a priority for the president and something that he feels there’s a role for many components of the federal government to play," Psaki said. "So we're going to pursue that role and ensure that we're approaching it in the right way … that will address the threats we're facing."