U.S. Treasury, Commerce Depts Hacked by Group Tied to 'Foreign Government'

Discussion in 'other security issues & news' started by hawki, Dec 13, 2020.

  1. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "U.S. Treasury, Commerce Depts Hacked by Group Tied to 'Foreign Government'...

    A group with foreign backing hacked into the U.S. Treasury and Commerce departments, according to a Sunday report by Reuters. The scope and severity of the alleged breach was not clear, but the hack was serious enough that the National Security Council had to be briefed...

    The agency within the Commerce Department that was hacked was said to be the National Telecommunications and Information Administration, which is in charge of advising the president on telecommunications issues. According to Reuters, those briefed on the matter fear that other government agencies could have been hacked as well."

    https://www.thedailybeast.com/us-tr...ked-by-foreign-government-reuters-report-says
     
  3. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "WASHINGTON (Reuters) - Hackers backed by a foreign government have been monitoring internal email traffic at the U.S. Treasury Department and an agency that decides internet and telecommunications policy...

    The hack involves the NTIA’s office software, Microsoft’s Office 365. Staff emails at the agency were monitored by the hackers for months...

    The hackers ... have been able to trick the Microsoft platform’s authentication controls..."
    https://www.reuters.com/article/us-...d-by-foreign-government-sources-idUSKBN28N0PG
     
  4. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "Russian government spies are behind a broad hacking campaign that has breached U.S. agencies and a top cyber firm

    The Russian government hackers who breached a top cybersecurity firm are behind a much broader espionage campaign that also compromised the Treasury and Commerce departments and other government agencies, according to people familiar with the matter...

    The FBI is investigating the campaign by a hacking group working for the Russian foreign intelligence service, SVR. The group, known among private-sector security firms as APT29 or Cozy Bear, also hacked the State Department and the White House during the Obama administration..."

    https://www.washingtonpost.com/nati...a53b88-3d7d-11eb-9453-fc36ba051781_story.html
     
  5. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "WASHINGTON—Multiple federal government agencies, including the U.S. Treasury and Commerce departments, have had some of their computer systems breached as part of a widespread cyber espionage campaign linked to a foreign government...

    ...several government agencies in total have likely been compromised...

    The apparent scope of the hacking operation and the suspected Russian involvement has alarmed national security officials in the Trump administration as well as executives at FireEye, some of whom view it as more significant than a routine foreign cyber espionage..."

    https://www.wsj.com/articles/agencies-hacked-in-foreign-cyber-espionage-campaign-11607897866
     
  6. Willy2

    Willy2 Registered Member

    Joined:
    Jan 15, 2019
    Posts:
    332
    Location:
    Not in this box
    - Perhaps that "foreign government" was using the same backdoors the NSA was using.
     
  7. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "Russian Hackers Broke Into Federal Agencies, U.S. Officials Suspect...

    According to private-sector investigators, the attacks on FireEye led to a broader hunt to discover where else the Russian hackers might have been able to infiltrate federal and private networks. FireEye provided some key pieces of computer code to the N.S.A. and to Microsoft, officials said, which went hunting for similar attacks on federal systems. That led to the emergency warning last week [ https://media.defense.gov/2020/Dec/07/2002547071/-1/-1/0/CSA_VMWARE ACCESS_U_OO_195076_20.PDF ].

    Most hacks involve stealing user names and passwords, but this was far more sophisticated. It involved the creation of counterfeit tokens, essentially electronic indicators that provide an assurance to Microsoft or Google about the identity of the computer system its email systems are talking to. By using a flaw that is extraordinarily difficult to detect, the hackers were able to trick the system and gain access...

    'There appear to be many victims of this campaign, in government as well as the private sector,' said Dmitri Alperovitch, the chairman of Silverado Policy Accelerator, a geopolitical think tank, who was the co-founder of CrowdStrike..."

    https://www.nytimes.com/2020/12/13/us/politics/russian-hackers-us-government-treasury-commerce.html
     
  8. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "This is looking very, very bad"

    The hack of the Commerce and Treasury departments, along with other U.S. government agencies, was part of a global espionage campaign that stretches back months.

    "...The FBI is investigating the campaign, which may have begun as early as spring, and had no comment Sunday. The victims have included government, consulting, technology, telecom, and oil and gas companies in North America, Europe, Asia and the Middle East, according to FireEye, a cyber firm that itself was breached. All of the organizations were breached through the update server of a network management system made by the firm SolarWinds, FireEye said in a blog post Sunday. SolarWinds said Sunday in a statement that monitoring products it released in March and June of this year may have been surreptitiously weaponized in a 'highly-sophisticated, targeted . . . attack by a nation state.'

    The scale of the Russian espionage operation appears to be large, said several individuals familiar with the matter. 'This is looking very, very bad,' said one person. SolarWinds products are used by more than 300,000 organizations across the world. They include all five branches of the U.S. military, the Pentagon, State Department, Justice Department, NASA, the Executive Office of the President and the National Security Agency, the world’s top electronic spy agency, according to the firm’s website.

    Its clients also include the top 10 U.S. telecommunications companies..."

    https://www.washingtonpost.com/nati...a53b88-3d7d-11eb-9453-fc36ba051781_story.html
     
    Last edited: Dec 14, 2020
  9. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,675
    Location:
    USA still the best. But barely.
    This is what happens when the guts of the USA's 3letters are ripped out & replaced with political yes men & women.
     
  10. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "SolarWinds Security Advisory

    SolarWinds has just been made aware our systems experienced a highly sophisticated, manual supply chain attack on SolarWinds® Orion® Platform software builds for versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020. We have been advised this attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack. We recommend taking the following steps related to your use of the SolarWinds Orion Platform.

    We are recommending you upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible to ensure the security of your environment. The latest version is available in the SolarWinds Customer Portal..."

    https://www.solarwinds.com/securityadvisory
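    As an added illustration (not SolarWinds' or CISA's code), the following Python turns the affected-version range in the advisory quoted above into an inventory check. It assumes build strings are reported in the advisory's own "2020.2.1 HF 1" form and that a hotfix sorts after the base release it patches; the hostnames are constructed.

```python
import re
from typing import Dict, List, Tuple

# Hypothetical helper (not SolarWinds code): order Orion build strings as
# (major, minor, patch, hotfix), e.g. "2019.4 HF 5" -> (2019, 4, 0, 5).
# Assumption: a hotfix sorts after the base release it patches.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_orion_version(text: str) -> Tuple[int, int, int, int]:
    m = _VERSION_RE.match(text)
    if m is None:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch or 0), int(hotfix or 0))


# Range taken from the advisory: 2019.4 HF 5 through 2020.2.1 are affected,
# and 2020.2.1 HF 1 is the build it recommends upgrading to.
AFFECTED_LOW = parse_orion_version("2019.4 HF 5")
AFFECTED_HIGH = parse_orion_version("2020.2.1")
FIXED_VERSION = parse_orion_version("2020.2.1 HF 1")


def is_affected_build(version: str) -> bool:
    """True if the build falls inside the advisory's affected range (inclusive)."""
    v = parse_orion_version(version)
    return AFFECTED_LOW <= v <= AFFECTED_HIGH


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Sort hosts into affected / not_affected / unknown buckets.

    inventory maps hostname -> Orion version string as reported by the host.
    Unparseable strings land in 'unknown' so they get reviewed, not ignored.
    """
    result: Dict[str, List[str]] = {"affected": [], "not_affected": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        try:
            bucket = "affected" if is_affected_build(version) else "not_affected"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "orion-prod-01": "2020.2.1",
    "orion-prod-02": "2020.2.1 HF 1",
    "orion-lab-01": "2019.4 HF 5",
    "orion-lab-02": "2019.4 HF 4",
    "orion-dr-01": "2020.2",
    "orion-old-01": "build-unknown",
}

if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

    A build outside the range only says the host did not receive a tainted update; it says nothing about whether the network was entered through another host, so the version check complements, rather than replaces, a review for indicators of compromise.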
     
  11. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "Microsoft, FireEye confirm SolarWinds supply chain attack...

    Hackers deployed SUNBURST malware via Orion update

    SolarWinds published a press release late on Sunday admitting to the breach of Orion, a software platform for centralized monitoring and management, usually employed in large networks to keep track of all IT resources, such as servers, workstations, mobiles, and IoT devices.

    The software firm said that Orion update versions 2019.4 through 2020.2.1, released between March 2020 and June 2020, have been tainted with malware.

    FireEye named this malware SUNBURST and published a technical report earlier today, along with detection rules on GitHub.

    Microsoft named the malware Solorigate and added detection rules to its Defender antivirus.

    https://zdnet4.cbsistatic.com/hub/i...01-bc86980b9da1/solarwinds-hack-microsoft.png..."

    https://www.zdnet.com/article/microsoft-fireeye-confirm-solarwinds-supply-chain-attack/
     
  12. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    CISA Issues Emergency Directive to Mitigate the Compromise of Solarwinds Orion Network Management Products

    "WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA) tonight issued Emergency Directive 21-01, in response to a known compromise involving SolarWinds Orion products that are currently being exploited by malicious actors.

    This Emergency Directive calls on all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.

    'The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,'... and we urge all our partners—in the public and private sectors—to assess their exposure to this compromise and to secure their networks against any exploitation'..."

    https://www.cisa.gov/news/2020/12/1...-mitigate-compromise-solarwinds-orion-network
    Last edited: Dec 14, 2020
  13. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "SolarWinds’ Customers..."

    SolarWinds' customers include over 425 of US Fortune 500, all branches of military, the NSA, State, Office of the President, top US accounting firms, defense titans like Lockheed, hundreds of universities.

    Some notables: US Dept. Of Defense, Office of The US President, US Postal Service, US Secret Service, Visa USA, US Dept. of Justice, Lockheed, Blue Cross Blue Shield, Booz Allen Hamilton, Credit Suisse, Dow Chemical, Federal Express, Federal Reserve Bank, U.S. Air Force, The CDC, Microsoft, MasterCard, Johns Hopkins University, Kennedy Space Center, NOAA.

    https://www.solarwinds.com/company/customers
     
    Last edited: Dec 14, 2020
  14. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "FireEye said it had confirmed infections in North America, Europe, Asia and the Middle East, including in the health care and oil and gas industry...

    It said that malware that rode the SolarWinds update did not seed self-propagating malware — like the NotPetya malware blamed on Russia that caused more than $10 billion in damage globally — and that any actual infiltration of an infected organization required 'meticulous planning and manual interaction.'

    That means it’s a good bet only a subset of infected organizations were being spied on by the hackers..."

    https://apnews.com/article/malware-...urope-russia-328b4936f2535418b27cb90afa858489
     
  15. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "Microsoft Security Response Center

    Customer Guidance on Recent Nation-State Cyber Attacks
    This post contains technical details about the methods of the actor we believe was involved in Recent Nation-State Cyber Attacks, with the goal to enable the broader security community to hunt for activity in their networks and contribute to a shared defense against this sophisticated threat actor..."

    https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
     
  16. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "SolarWinds disclosed [Today, in an SEC 8K filing]...

    ...SolarWinds currently believes the actual number of customers that may have had an installation of the Orion products that contained this vulnerability to be fewer than 18,000...

    SolarWinds is also preparing a second hotfix update to further address the vulnerability, which SolarWinds currently expects to release on or prior to December 15, 2020..."

    https://www.streetinsider.com/Corporate+News/SolarWinds+(SWI)+says+it+was+made+aware+of+cyberattack+that+inserted+a+vulnerability+within+its+Orion+monitoring+products/17715164.html
     
    Last edited: Dec 14, 2020
  17. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    SolarWinds has deleted its Customer Page.

    https://www.solarwinds.com/company/customers

    Web Archive:

    https://web.archive.org/web/20201213230906/https://www.solarwinds.com/company/customers
     
  18. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    From Brian Krebs:

    "Malicious code added to an Orion software update may have gone undetected by antivirus software and other security tools on host systems thanks in part to guidance from SolarWinds itself. In this support advisory, SolarWinds says its products may not work properly unless their file directories are exempted from antivirus scans and group policy object restrictions..."

    https://krebsonsecurity.com/2020/12...e-depts-hacked-through-solarwinds-compromise/
     
  19. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    Department of Homeland Security BREACHED

    "Suspected Russian hackers breached U.S. Department of Homeland Security

    Reuters - A team of sophisticated hackers believed to be working for the Russian government won access to internal communications at the U.S. Department of Homeland Security, according to people familiar with the matter. The breach was part of the campaign reported Sunday that penetrated the U.S. departments of Treasury and Commerce.

    DHS is a massive bureaucracy responsible for border security, cybersecurity and most recently the secure distribution of the COVID-19 vaccine..."

    https://www.devdiscourse.com/articl...es-capture-arrest-of-two-men-later-found-dead

    Reuters Cyber Reporter:

    https://twitter.com/Bing_Chris/status/1338552048342753288
     
  21. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "DHS is third federal agency hacked in major Russian cyberespionage campaign

    DHS spokesman Alexei Woltornist said that DHS is aware of reports of a breach and is currently investigating the matter...

    The fact that the department charged with safeguarding the country from physical and cyber attack was victimized underscores the campaign’s significance and calls into question the adequacy of federal cybersecurity efforts...

    The nature of the attacks indicated the attackers were focused on high-value targets...

    'It’s not about quantity, it’s about quality' of targets, said John Hultquist, manager of analysis at FireEye..."

    https://www.washingtonpost.com/nati...f8fc98-3e3c-11eb-8bc0-ae155bee4aff_story.html
     
  22. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "Backdoored Orion binary still available on SolarWinds website...

    Andrew Morris, the founder of Grey Noise Intelligence, said in a tweet that he had just downloaded 'the infected installer from the SolarWinds website and extracted the installer/various CABs and found that the backdoor'd DLL is definitely still contained in the installer on the website literally right now'...

    Morris is the second person to note that SolarWinds has not removed the malicious DLL from its site...

    Earlier, Kyle Hanslovan, the chief executive of Huntress Labs, another security firm, tweeted that SolarWinds had yet to revoke the digital certificate it had used to sign the backdoored DLL..."

    https://www.itwire.com/security/backdoored-orion-binary-still-available-on-solarwinds-website.html
     
  23. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "State Department, National Institutes of Health join growing list of U.S. agencies hacked by Russians

    The Department of Homeland Security, the State Department and the National Institutes of Health on Monday joined the list of known victims of a months-long, highly sophisticated digital spying operation by Russia whose damage remains uncertain but is presumed to be extensive, experts say..."

    https://www.washingtonpost.com/nati...f8fc98-3e3c-11eb-8bc0-ae155bee4aff_story.html
     
  24. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "GAO Highlights Supply Chain Practices Amid SolarWinds Hack

    A new report from the Government Accountability Office (GAO) finds that most large agencies had not implemented any supply chain risk management practices from the National Institute of Standards and Technology (NIST) – publicly acknowledging weaknesses on the heels of the attack on SolarWinds’ software that led to breaches at multiple Federal agencies.

    The report**, released publicly today, compares agency policies against seven “foundational practices” for supply chain risk management (SCRM) in different NIST guidance documents, and finds that most CFO Act agencies aren’t taking them into account. The identified practices include executive oversight of SCRM activities, an agency-wide strategy, organizational requirements for the supply chain, and procedures to detect compromised products prior to deployment..."

    https://www.meritalk.com/articles/gao-highlights-supply-chain-practices-amid-solarwinds-hack/

    **GAO Report -- "Federal Agencies Need to Take Urgent Action to Manage Supply Chain Risks"

    https://www.gao.gov/assets/720/711266.pdf
     
  25. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "Hackers at center of sprawling spy campaign turned SolarWinds' dominance against it...

    ...Experts are reviewing their notes to find old examples of substandard security at the company. Security researcher Vinoth Kumar told Reuters that, last year, he alerted the company that anyone could access SolarWinds’ update server by using the password “solarwinds123”

    'This could have been done by any attacker, easily,' Kumar said..."

    https://www.reuters.com/article/glo...solarwinds-dominance-against-it-idUSKBN28P2N8
     