The highly sophisticated and alarming breach of multiple government agencies, including the Department of Homeland Security, through the infection of routine software updates has sparked the establishment of an attack coordination group at the National Security Council and left an untold amount of damage in its wake.
“Based on what we are seeing, I would not be surprised to see that the FireEye and SolarWinds breaches are part of a larger campaign targeting the supply chain of cybersecurity companies,” Brig. Gen. Greg Touhill (USAF, ret.), who served from 2016-17 as the nation’s first federal chief information security officer, told HSToday.
On Sunday night, the Cybersecurity and Infrastructure Security Agency issued an emergency directive “in response to a known compromise involving SolarWinds Orion products that are currently being exploited by malicious actors,” calling on “all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.”
Through breaching the SolarWinds Orion products, an attacker was able “to gain access to network traffic management systems,” the directive said, stressing that “disconnecting affected devices… is the only known mitigation measure currently available.”
“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” CISA Acting Director Brandon Wales said then. “Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners — in the public and private sectors — to assess their exposure to this compromise and to secure their networks against any exploitation.” Agencies were ordered to report to CISA by noon Monday on mitigation efforts.
Citing unnamed sources, Reuters first reported Monday that DHS internal communications were hit by the same Russian government cyber campaign that, as first reported Sunday, struck the Treasury and Commerce departments. The New York Times reported that the Defense and State departments were also breached in the operation, and the Washington Post reported that the National Institutes of Health was also on the list.
Charles Armstrong, former assistant commissioner and chief information officer in the Office of Information and Technology at U.S. Customs and Border Protection, told HSToday that he believes “the forensics will be ongoing to determine what was compromised and what our adversaries were after.”
“Overall, this underscores the need to keep investing in cyber and for agencies to aggressively implement Zero Trust solutions,” added Armstrong, an HSToday editorial board member.
DHS spokesman Alexei Woltornist said Monday that DHS was “aware of cyber breaches across the federal government” and was “working closely with our partners in the public and private sector on the federal response.”
Woltornist said CISA would issue updates “as further remedies to these vulnerabilities are available,” and asked that “if anyone has further information related to cyber breaches, they should contact CISA at [email protected].”
SolarWinds President and CEO Kevin Thompson said in a Monday statement that the vulnerability was “believed to be related to updates which were released between March and June 2020 to our Orion monitoring products” and was thought to be a “highly sophisticated, targeted, and manual supply chain attack by a nation state.” Thompson said the company was working closely with FireEye, which discovered the SolarWinds breach while investigating a hack of their own company, in addition to the FBI and the intelligence community.
Touhill, now president at Appgate Federal and an HSToday editorial board member, said it should not be forgotten that FireEye and SolarWinds are victims themselves. “Let’s not waste our breath putting them in the pillory,” he said. “Let’s work together to find how to defeat the adversaries behind these breaches.”
“I’m very concerned that the malicious actors have ‘burrowed in’ to their victim networks and will be exceptionally difficult to find,” he said. “As an example, if they penetrated an enterprise leveraging the compromised SolarWinds Orion tool, chances are excellent one of their next steps would be to plant one or more other tools in the network to create other hidden backdoors, surveil the network, etc. Assuming they indeed were the same group that compromised the FireEye Incident Response, Hunt, and Pentesting group, they then know the tools that likely would be used to try to ferret them out. The advantage goes to the adversary.”
Touhill said that “the only way to ensure you get the adversary out of your network” may be “to burn it down and start over” — “a very expensive and unacceptable measure to nearly everyone except the adversary.”
In a Monday filing with the Securities and Exchange Commission, SolarWinds estimated about 18,000 customers may have been impacted by the attack.
“I’m very concerned about all of them yet particularly alarmed about any critical infrastructure and government entities who have had that code in place,” Touhill said, adding that “if you have had the compromised code installed, assume you have been breached.”
Former CISA Director Chris Krebs tweeted Sunday evening, “As news breaks about what looks to be a pretty large-scale hack, I have the utmost confidence in the @CISAgov team and other Federal partners. I’m sorry I’m not there with them, but they know how to do this. This thing is still early, I suspect. Let’s let the pros work it.”
“Also, hacks of this type take exceptional tradecraft and time. On the 1st, if this is a supply chain attack using trusted relationships, really hard to stop. On the 2nd, I suspect this has been underway for many months. Need good detections to find victims and determine scope,” he added.
Krebs, who was fired last month by President Trump for confirming that the presidential election was secure, was testifying today before the Senate Homeland Security and Governmental Affairs Committee.
The National Security Council announced Tuesday that, pursuant to a 2016 presidential policy directive, a Cyber Unified Coordination Group (UCG) was established in response to the breach “to ensure continued unity of effort across the United States Government in response to a significant cyber incident.”
“The UCG process facilitates continuous and comprehensive coordination for whole-of-government efforts to identify, mitigate, remediate, and respond to this incident,” NSC spokesperson John Ullyot said in a statement posted on Twitter. “The highly-trained and experienced professionals across the government are working diligently on this matter.”
Touhill stressed that “now is the time for the cyber community and critical infrastructure providers to work together to minimize the risk of this bold attack” while taking quick action to “assess whether they too have been compromised.”
Former National Security Advisor John Bolton told CNN on Tuesday that the public may never know the “full dimensions” of the attack, as “there may be good reasons to conceal that.”
“But, from what’s been reported, it was very broad, very sophisticated, and very complex, and apparently very successful. So, this represents a major breach of cybersecurity defenses in a large number of agencies, many at the core of the national security,” Bolton said, adding that “it’s going to be a challenge for the incoming Biden administration to deal with.”
“But I think this goes to the core point that, unless we’re prepared to wage our own more offensive cyber-campaigns, we’re never going to have structures of deterrence that back the Russians, the Chinese and others off from doing this to begin with,” he said.
Former CIA Director John Brennan told CNN that the scope and duration of the attack could make it “possibly the most damaging in U.S. cyber history.” Brennan said Russia’s Foreign Intelligence Service (SVR), believed to be responsible for the attack, is one of the “most sophisticated cyber actors worldwide” and reportedly covered their tracks by extracting information using U.S. IP addresses.