Hack of Federal Government Larger Than Previously Thought, Warns CISA

December 17, 2020 Updated: December 17, 2020

The federal Cybersecurity and Infrastructure Security Agency (CISA) said Thursday that the hacking campaign that targeted the federal government is larger than what was previously known.

The alleged foreign actors gained backdoor access in more ways than through the SolarWinds software, which was publicly disclosed by the FBI and Department of Homeland Security (DHS) earlier this week.

“One of the initial access vectors for this activity is a supply chain compromise of the following SolarWinds Orion products. CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform; however, these are still being investigated,” CISA said in a statement on Thursday.

But it stressed that the “SolarWinds Orion supply chain compromise is not the only initial infection vector this advanced persistent threat actor leveraged.”

The agency also warned that the threat “poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities” and to the private sector.

Foreign hackers, whose country of origin is not known, compromised “government agencies, critical infrastructure entities, and private sector organizations” starting in March 2020 or before, according to CISA.

The cybersecurity agency noted that it “expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations,” adding: “It is likely that the adversary has additional initial access vectors and tactics, techniques, and procedures that have not yet been discovered.”

CISA said that it will continue to investigate incidents that “exhibit adversary TTPs consistent with this activity, including … where victims either do not leverage SolarWinds Orion or where SolarWinds Orion was present but where there was no SolarWinds exploitation activity observed.”

On Sunday night, CISA issued a federal government-wide directive to purge all agency networks of possibly compromised servers after finding out that the U.S. Departments of Treasury and Commerce were breached. Other federal government agencies are also said to have been compromised.

Furthermore, SolarWinds acknowledged in a Sunday statement that its systems were compromised by hackers, saying its Orion software update was the means the hackers exploited. The malign actors then used it to distribute malware to its customers’ computers, the Texas-based firm said.

The incident drew the attention of members of Congress. Several senators sent a letter (pdf) to FBI Director Christopher Wray asking for the “scope and details” of the hacking—and its impact on the operations of the federal government.

Security researcher Vinoth Kumar told Reuters this week that he told SolarWinds in 2019 that its update server could be accessed easily by using the simple password, “solarwinds123.”

“This could have been done by any attacker, easily,” Kumar told the news outlet. Kumar first notified the company of the security problem on Nov. 19, 2019, and SolarWinds responded to him several days later.

Kumar told Newsweek later that the password security problem appeared to be present back in June 2018.