- The U.S. government issued a cybersecurity alert over the weekend
- The latest attack is thought to be the work of state-sponsored actors
- Russia on Monday said the U.S. is wrong to point the finger at the Kremlin
SolarWinds, an IT company that counts top U.S. departments and defense contractors among its clients, said it was the latest target of a state-sponsored cyberattack on American tech companies and government agencies.
The U.S. Cybersecurity and Infrastructure Security Agency over the weekend issued an emergency directive calling on all federal civilian agencies to review their networks for signs of compromise by “malicious actors” and to disconnect or power down SolarWinds Orion products.
In a statement, CISA Acting Director Brandon Wales said the agency’s emergency directive “is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners—in the public and private sectors—to assess their exposure to this compromise and to secure their networks against any exploitation.”
A report filed late Sunday by The Wall Street Journal indicated that “multiple” government agencies, including the U.S. Commerce Department, were breached in a cyberespionage campaign believed to have originated from the Russian government.
A person familiar with the breach told the Journal on condition of anonymity that the Commerce Department’s National Telecommunications and Information Administration, a division that handles tech policy, was the target of the breach.
SolarWinds, whose clients include Lockheed Martin Corp., the Secret Service and the U.S. Federal Reserve, said in a statement emailed to the newspaper that updates to its Orion network management software released earlier this year may have been tampered with.
“We believe that this vulnerability is the result of a highly sophisticated, targeted and manual supply chain attack by a nation state,” a spokesperson stated.
SolarWinds added it was working with cybersecurity firm FireEye, federal law enforcement and members of the intelligence community on its investigation.
FireEye last week confirmed its own defenses were breached by sophisticated attackers who stole the “Red Team” tools it uses to test customers’ computer systems. FireEye Chief Executive Kevin Mandia said the company’s initial analysis supported the “conclusion that this was the work of a highly sophisticated state-sponsored attacker utilizing novel techniques.”
The hackers primarily sought information related to government customers, according to FireEye.
Separate reporting from the Reuters news service over the weekend added the Treasury Department to the list of targets. The report said this may be the tip of the iceberg given that large-scale cyberattacks like these can take years to resolve.
“This is a much bigger story than one single agency,” a person familiar with the matter told Reuters on condition of anonymity. “This is a huge cyber espionage campaign targeting the U.S. government and its interests.”
The latest breach came from a so-called supply-chain attack, in which malicious code is inserted into otherwise legitimate software updates so that customers install it themselves, trusting the vendor. Chris Krebs, the former director of CISA at the Department of Homeland Security, was quoted by the Journal as saying wolf-in-sheep’s-clothing attacks like these are “really hard to stop.”
Russia has long been accused of targeting U.S. networks with cyberespionage campaigns, including meddling in the 2016 election. On Monday, Russian presidential spokesman Dmitry Peskov denied claims that Moscow was behind the latest breach.
“Even if it is true there have been some attacks over many months and the Americans managed to do nothing about them, possibly it is wrong to groundlessly blame Russians right away,” he was quoted by Russian news agency Tass as saying. “We have nothing to do with this.”
It’s not yet clear whether the brief global outages of many Google services, such as Gmail and YouTube, on Monday were related to the cyberespionage campaign.