San Francisco/ Washington | US cyber officials warned that the massive espionage campaign unearthed this week posed a “grave risk” to the government, critical infrastructure and private sector, as the US department of energy was the latest agency to confirm it had been breached.
Microsoft also admitted late on Thursday (Friday AEDT) that it had been hacked, making it the second tech company, after FireEye, to be caught up in what is quickly turning into the most sweeping cybersecurity crisis on record.
Thousands of businesses and government agencies may have been exposed after downloading compromised software from SolarWinds, a Texas-based IT group. Brad Smith, Microsoft president, said the software company had identified 40 customers that had been breached, and called it “an act of recklessness that created a serious technological vulnerability for the United States and the world”.
The energy department said on Thursday that it was “responding to a cyber incident” as part of an ongoing investigation.
However, a spokesperson for the agency said there was no evidence so far that the attack had any impact on national security functions, including the National Nuclear Security Administration, which is responsible for managing and safeguarding the US nuclear weapons arsenal. Politico first reported the energy department breach.
Earlier on Thursday, the US Cybersecurity and Infrastructure Security Agency (CISA) warned that the hackers had also gained access to systems using means other than the SolarWinds software, and of the difficulty involved in finding and removing hackers from compromised systems.
CISA said the hackers had “demonstrated sophistication and complex tradecraft in these intrusions” and that it would be “highly complex and challenging” to eject the perpetrators.
It added that it had “evidence” of “access vectors, other than the SolarWinds Orion platform” which were being investigated. Microsoft said that it had “found absolutely no indications that our systems were used to attack others”.
The agency cited a report published by cyber group Volexity detailing attacks by the same hackers against an unnamed US think-tank, including one that used new methods to bypass multi-factor authentication security.
FireEye, SolarWinds and some US officials have blamed “nation-state” hackers for the breach, which first came to light at the end of last week. Cyber security experts, plus several politicians, have singled out Russian intelligence as the culprit, although Russia has strongly denied any involvement.
“Today’s classified briefing on Russia’s cyber attack left me deeply alarmed, in fact downright scared,” Richard Blumenthal, Democratic senator from Connecticut, wrote on Twitter on Wednesday. “Americans deserve to know what’s going on. Declassify what’s known & unknown.”
House committees for homeland security and oversight have launched probes into the hack and urged the FBI, the DHS and the intelligence agencies to share more information.
“While investigations and technical forensic analyses are still ongoing, based on preliminary reporting, it is evident that this latest cyber intrusion could have potentially devastating consequences for US national security,” the committees’ chairs said.
President-elect Joe Biden said in a statement that he had been briefed by US government officials on the attack and vowed to impose “substantial cost” on adversaries who penetrate US computer systems.
“We need to disrupt and deter our adversaries from undertaking significant cyber attacks in the first place,” Mr Biden said. “Our adversaries should know that, as president, I will not stand idly by in the face of cyber assaults on our nation.”
CISA warned that the hackers “demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks”.
The agency also confirmed reports that, once inside a victim’s networks, the hackers were able to pose as other accounts and gain privileged access to certain systems, such as email services, travel services and file storage services.