The intrusion into several U.S. agencies via the SUNBURST backdoor in SolarWinds Orion software keeps widening. The networks of the National Nuclear Security Administration (NNSA) and the US Department of Energy (DOE) have also been compromised. The attackers used more than one initial access vector, and the cleanup may take months.
Attack on NNSA and DOE
State-sponsored hackers have also managed to penetrate the networks of the National Nuclear Security Administration (NNSA) and the US Department of Energy (DOE). The NNSA is a semi-autonomous government agency responsible for maintaining and securing the US nuclear arsenal. The hack was leaked to Politico, which reported the details.
Security specialists found suspicious activity on networks belonging to the Federal Energy Regulatory Commission (FERC), Sandia and Los Alamos National Laboratories in New Mexico and Washington, NNSA's Office of Secure Transportation and DOE's Richland Field Office.
The hackers were able to do more damage at FERC than at the other agencies; officials found evidence of highly malicious activity there but gave no details. On Thursday, DOE and NNSA staff briefed their congressional oversight committees, as instructed by DOE Chief Information Officer Rocky Campione.
Previously unknown tactics used by hackers
The Washington Post reports in this article that the attackers used previously unknown tactics to gain a foothold in the victims' networks and move laterally within them. At the very least, signs to that effect have been found during forensic examination of the affected systems.
It has been clear for days that trojanized software updates from the Texas-based company SolarWinds installed a backdoor called SUNBURST on the victims' systems. This gave the suspected Russian hackers access to U.S. government computer systems.
An alert from the Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security, states that evidence suggests other malware was used to initiate the attack. CISA is investigating incidents in which the victims either were not running the SolarWinds Orion monitoring software at all, or had a SolarWinds Orion installation but showed no activity that exploited the SUNBURST backdoor.
Security vendor Volexity also described a case in which the attackers used a secret key they had stolen earlier from the victim's environment. With that key they could generate a valid session cookie and bypass the multi-factor authentication (MFA) in front of Outlook Web App (OWA): the second factor was never challenged, because the cookie already claimed it had been satisfied. Volexity attributes this intrusion to the same actor as the SolarWinds Orion supply-chain compromise.
This observation suggests that there are other initial access vectors besides SolarWinds Orion, and there may be further ones that are not yet known. Identifying the affected systems, analyzing them, and removing the infections is likely to take months.
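To make the Volexity case concrete, the following is an added example (not code from the page, from Volexity, or from any MFA product) that models a generic "MFA already satisfied" cookie signed with an HMAC key. The cookie format, the claim names, the hypothetical SERVER_KEY, and the usernames are all constructed for illustration. It shows why possession of the server-side key is equivalent to bypassing the second factor, and why rotating that key is the remediation step that invalidates both forged and legitimate cookies.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets

# Constructed server-side secret that signs the "MFA already satisfied" cookie.
# In the Volexity case the equivalent was a stolen MFA integration key; this
# scheme is a hypothetical stand-in, not the real product's cookie format.
SERVER_KEY = bytes.fromhex(
    "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0"
)


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    pad = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + pad)


def mint_mfa_cookie(key: bytes, username: str, issued_at: int, ttl: int = 3600) -> str:
    """Issue the cookie the web app sets once a user has passed the second factor."""
    claims = {"u": username, "exp": issued_at + ttl, "mfa": True}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64e(payload)}.{_b64e(tag)}"


def verify_mfa_cookie(key: bytes, cookie: str, now: int):
    """Return the username if the cookie is authentic and unexpired, else None."""
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload, tag = _b64d(payload_b64), _b64d(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison: the forgery below works because the attacker
    # holds the key, not because of any weakness in the verification itself.
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(payload)
    if not claims.get("mfa") or claims.get("exp", 0) <= now:
        return None
    return claims.get("u")


def scenario(now: int = 1_608_000_000) -> dict:
    """Walk through the bypass and the key-rotation fix; return the outcomes."""
    # 1. A legitimate user completes MFA; the server issues a signed cookie.
    legit = mint_mfa_cookie(SERVER_KEY, "alice", now)
    # 2. The attacker has exfiltrated SERVER_KEY from the server and forges a
    #    cookie for a privileged account without ever seeing a second factor.
    forged = mint_mfa_cookie(SERVER_KEY, "admin", now)
    # 3. A cookie minted under a guessed key is rejected: the bypass depends
    #    on possession of the real key, which is why the key theft mattered.
    wrong_key_cookie = mint_mfa_cookie(secrets.token_bytes(32), "admin", now)
    # 4. Remediation: rotate the signing key. Every previously minted cookie,
    #    legitimate or forged, now fails verification and users must re-authenticate.
    rotated_key = secrets.token_bytes(32)
    return {
        "legit_accepted": verify_mfa_cookie(SERVER_KEY, legit, now),
        "forged_accepted": verify_mfa_cookie(SERVER_KEY, forged, now),
        "wrong_key_rejected": verify_mfa_cookie(SERVER_KEY, wrong_key_cookie, now),
        "forged_after_rotation": verify_mfa_cookie(rotated_key, forged, now),
        "legit_after_rotation": verify_mfa_cookie(rotated_key, legit, now),
        "expired_rejected": verify_mfa_cookie(SERVER_KEY, legit, now + 3601),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name}: {result}")
```

The point for incident responders is in step 4: once the signing key is assumed stolen, no amount of password resets helps, because the forged cookie never involved a password or a second factor. Only rotating the key (and then hunting for any sessions that were accepted under the old one) closes the door.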
Similar articles:
FireEye hacked, Red Team tools stolen
US Treasury and US NTIA hacked
SolarWinds products with SunBurst backdoor, cause of FireEye and US government hacks?
Sloppiness at SolarWinds responsible for compromised software?
News in the fight against SUNBURST infection, domain seized
SUNBURST malware: Analytic Tool SolarFlare, a 'Kill Switch' and EINSTEIN's fail
SUNBURST malware was injected into SolarWind's source code base
SUNBURST: US nuclear weapons agency also hacked, new findings