The US Treasury and Commerce departments have both suffered cyberattacks, with attackers able to access internal email traffic.
According to Reuters, individuals familiar with the matter have said that the attacks may be connected to Russia, although the US government has not confirmed this, with the US National Security Council meeting on Sunday to discuss the incident. Russia’s foreign ministry has said the allegations are “baseless”.
Details of the attack are currently limited, with National Security Council spokesman John Ullyot saying it is “taking all necessary steps to identify and remedy any possible issues related to this situation.”
It is believed that attackers may have gained access to federal networks through a vulnerability in a product belonging to software provider SolarWinds, whose customers include branches of the US military, the Pentagon, the State Department and the Office of the President of the United States.
Yesterday, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive warning that SolarWinds Orion network management products were being exploited by malicious actors, instructing federal civilian agencies to disconnect all SolarWinds Orion products and to review their networks for signs that they have been compromised.
CISA acting director Brandon Wales said that the compromise of SolarWinds Orion products “poses unacceptable risks to the security of federal networks”.
Cyber criminals are believed to have carried out a supply chain attack, tampering with a software update for SolarWinds’ Orion product.
Stuart Reed, UK director at Orange Cyberdefense, said:
“While details of this incident are still emerging, a major security theme of this year has been vulnerabilities in leading perimeter security platforms – particularly those used to facilitate secure remote access for the instant army of remote workers the COVID-19 crisis presented us with. As a result of fast implementation and scaling, patches and upgrades for these are taking far too long, and this problem appears to be getting worse. State-backed and criminal hackers have noted this opportunity and pivoted dramatically to explore it, with devastating effect. Several major compromises and breaches exploited vulnerabilities in security products, including ransomware attacks, and these vulnerabilities are a popular constant in state-backed hackers’ arsenals.”
Last week, US cybersecurity company FireEye was hit by a “highly sophisticated” state-sponsored attack. According to Reuters, those familiar with the matter have said that the two attacks may be connected.
This is echoed by Kevin Bocek, VP security strategy and threat intelligence at Venafi, who said that hackers are able to get in by “abusing trust”:
“It should come as no surprise that sophisticated hackers like those from Russia are seeking to infiltrate the US government. What is shocking is that adversaries are now abusing the trust that powers software updates to attack broad swaths of the US government and economy. These attacks will escape detection from state-of-the-art defence because they come with trusted machine identities that give them extreme trust.”