There has been a significant cyber warfare attack carried out against every branch of the U.S. military, the pentagon (DoD), Department of State, Department of Justice, NASA, and the National Security Agency.
The move was apparently in the works for months, and is being blamed on a ‘nation state,’ but mainstream media has been quick to blame Russia.
Everything that happened overnight seems strangely timed. In another weirdo event, Google and its satellites all mysteriously went done this morning.
A Commerce Department spokesperson told NBC News, “We can confirm there has been a breach in one of our bureaus. We have asked CISA and the FBI to investigate, and we cannot comment further at this time.”
Josh Lederman, a national political reporter for NBC wrote on Twitter Sunday, “The National Security Council also confirms that it is working to identify and remedy potential issues after a reported foreign government-linked hack of Treasury and a Commerce Department unit’s email systems.”
The National Security Council also confirms that it is working to identify and remedy potential issues after a reported foreign government-linked hack of Treasury and a Commerce Department unit’s email systems
— Josh Lederman (@JoshNBCNews) December 13, 2020
Hackers broke into the networks of the Treasury and Commerce departments as part of a global cyberespionage campaign. They accessed those networks by slipping malware into a SolarWinds software update, according to the global cybersecurity firm FireEye, which was also compromised.
The first phases of this monthslong cyberespionage campaign started in the spring. The malware gave the hackers remote access to victims’ networks.
The FBI and the Department of Homeland Security’s cybersecurity arm are investigating what experts and former officials said appeared to be a large-scale penetration of U.S. government agencies. Industry experts said it bore the hallmarks of Russian tradecraft.
“This can turn into one of the most impactful espionage campaigns on record,” said cybersecurity expert Dmitri Alperovitch.
The hacks were revealed less than a week after FireEye disclosed that foreign government hackers had broken into its network and stolen the company’s own hacking tools. Many experts suspect Russia is responsible. FireEye’s customers include federal, state and local governments and top global corporations.
How and why hackers targeted SolarWinds
SolarWinds emailed its customers warning about the hack and recommending they upgrade immediately.
The apparent conduit for the Treasury and Commerce Department hacks — and the FireEye compromise — is a hugely popular piece of server software called SolarWinds. It is used by hundreds of thousands of organizations globally, including most Fortune 500 companies and multiple U.S. federal agencies who will now be scrambling to patch up their networks, said Alperovitch, the former chief technical officer of the cybersecurity firm CrowdStrike.
SolarWinds is headquarted in Austin with offices off of Southwest Parkway in Southwest Austin.
FireEye, without naming the breached agencies or other targets, said in a blog post that its investigation into the hack of its own network had identified “a global campaign” targeting governments and the private sector that, beginning in the spring, slipped malware into a SolarWinds software update.
The malware gave the hackers remote access to victims’ networks.
SolarWinds CEO reacts to the hack
SolarWinds said the “potential vulnerability” was related to updates released between March and June for software that helps organizations monitor their online networks for problems.
“We believe that this vulnerability is the result of a highly-sophisticated, targeted and manual supply chain attack by a nation state,” said SolarWinds CEO Kevin Thompson in a statement.
The compromise is critical because SolarWinds would give a hacker “God-mode” access to the network, making everything visible, said Alperovitch.
SolarWinds asks all customers to upgrade immediately to Orion Platform version 2020.2.1 HF 1 to address a security vulnerability. More information is available at https://t.co/scsUhZJCk8
— SolarWinds (@solarwinds) December 14, 2020
FireEye said it had notified “multiple organizations” globally where it saw indications of compromise. It said that the hacks did not seed self-propagating malware — like the 2016 NotPetya malware blamed on Russia that caused more than $10 billion in damage globally — and that any actual infiltration of an infected organization required “meticulous planning and manual interaction.”
The U.S. government did not publicly identify Russia as the culprit behind the hacks, first reported by Reuters, and said little about who might be responsible. Cybersecurity experts said last week that they considered Russian state hackers to be the main suspect.
National Security Council spokesperson John Ullyot said in a statement that the government was “taking all necessary steps to identify and remedy any possible issues related to this situation.”
Who are the SolarWinds customers who might be affected?
On its website, SolarWinds says it has 300,000 customers worldwide, including all five branches of the U.S. military, the Pentagon, the State Department, NASA, the NSA, the Department of Justice and the White House. It says the 10 leading U.S. telecommunications companies and top five U.S. accounting firms are also among customers.
The government’s Cybersecurity and Infrastructure Security Agency said it was working with other agencies to help “identify and mitigate any potential compromises.”
President Donald Trump last month fired the director of CISA, Chris Krebs, after Krebs vouched for the integrity of the presidential election and disputed Trump’s claims of widespread electoral fraud.
In a tweet Sunday, Krebs said “hacks of this type take exceptional tradecraft and time,” adding that he believed that its impact was only beginning to be understood.
[Of course, he apparently did nothing while this was being carried out.]
Also, hacks of this type take exceptional tradecraft and time. On the 1st, if this is a supply chain attack using trusted relationships, really hard to stop. On the 2nd, I suspect this has been underway for many months. Need good detections to find victims and determine scope.
— Chris Krebs (@C_C_Krebs) December 13, 2020
CISA warns companies to update networks by 11 a.m. CT Monday
Late Sunday, CISA released a rare emergency directive asking all federal civilian agencies to update their networks by 11 a.m. on Monday and then send in a “completion report.”
This is just the fifth time CISA has issued an emergency directive since 2015.
JUST RELEASED: Emergency Directive 21-01 calls on all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately. Read more: https://t.co/VFZ81W2Ow7
— Cybersecurity and Infrastructure Security Agency (@CISAgov) December 14, 2020
Federal government agencies have long been attractive targets for foreign hackers.
Hackers linked to Russia were able to break into the State Department’s email system in 2014, infecting it so thoroughly that it had to be cut off from the internet while experts worked to eliminate the infestation.
Reuters earlier reported that a group backed by a foreign government stole information from Treasury and a Commerce Department agency responsible for deciding internet and telecommunications policy.
The Treasury Department deferred comment to the National Security Council. A Commerce Department spokesperson confirmed a “breach in one of our bureaus” and said “we have asked CISA and the FBI to investigate.” The FBI had no immediate comment.
“I suspect that there’s a number of other (federal) agencies we’re going to hear from this week that have also been hit,” former NSA hacker Jake Williams said.
The Cybersecurity and Infrastructure Security Agency (CISA) tonight issued Emergency Directive 21-01, in response to a known compromise involving SolarWinds Orion products that are currently being exploited by malicious actors. This Emergency Directive calls on all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.
“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” said CISA Acting Director Brandon Wales. “Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners—in the public and private sectors—to assess their exposure to this compromise and to secure their networks against any exploitation.”
This is the fifth Emergency Directive issued by CISA under the authorities granted by Congress in the Cybersecurity Act of 2015. All agencies operating SolarWinds products should provide a completion report to CISA by 12pm Eastern Standard Time on Monday December 14, 2020.
Here’s where it gets weird… the timing of these events do not seem coincidental.
— Tracy Beanz (@tracybeanz) December 14, 2020
Dec 18 is the *final day* for DNI to issue the 2018EO report to Trump's team. The report could have already been issued…
The timing of today's SolarWinds hack that affects nearly the entire US govt is quite interesting.
Paving the way for an announcement?
— Ron (@CodeMonkeyZ) December 14, 2020
He was right again.. pic.twitter.com/Qrni7Q0Jmt
— Wong Do Mein (@wong_do_mein) December 14, 2020
• @ODNIgov announces in early Dec of significant attempts by China to compromise members of Congress
• revelations of last few days of 2 million CCP agents embedded in the West
• @ODNIgov goes w/Trump 2 Army-Navy game
* US Gov't hacked via Solarwinds
• all b4 Dec 18 deadline
— Victor Trombettas 🇺🇸 (@vgttrom) December 14, 2020
Is this how the US TREASURY got hacked?
The timing matches.. https://t.co/MSgJ7yxoFY
— Ron (@CodeMonkeyZ) December 14, 2020
Lots of heads should also roll as a result of election fraud which has now been established by massive, indisputable evidence.
Joey “Bribes” Biden & his cronies cheated on an unfathomable scale. He will never be allowed on White House grounds. He is a felon. https://t.co/kAvImThtvw
— Lin Wood (@LLinWood) December 14, 2020