Several U.S. government agencies, including the Treasury and Commerce Departments, as well as private corporations, were targeted in a massive cyber-espionage campaign.
The Department of Homeland Security’s cybersecurity unit issued an emergency directive to all federal agencies to remove compromised software. On December 15, the Pentagon ordered an emergency shutdown of a classified internal communications network, Just the News reported. It is unclear if the Pentagon’s shutdown was related to the hacking.
FireEye, a cybersecurity firm, drew attention to the campaign on December 13 after discovering that it had itself been breached, and it alerted governments and corporations that had also been compromised.
The breach came through SolarWinds, a network-management company whose clients include all five branches of the military, the National Security Agency, the Secret Service, Booz Allen Hamilton, Lockheed Martin, the Federal Reserve, NASA, the Department of Justice and the White House, among others. The attackers implanted malware into a legitimate software update, infecting up to 18,000 SolarWinds customers who installed the update between March and June 2020.
“We believe that this vulnerability is the result of a highly sophisticated, targeted and manual supply chain attack by a nation-state,” a spokesman for SolarWinds said.
Supply chain attacks ride on trusted third-party software that is already installed and permitted on the target's systems, so the malicious code arrives through a channel the target expects and trusts. That makes such attacks extremely difficult for the target to detect or prevent, and once inside the attackers inherit the broad access that the compromised software, in this case a network-management product, already has to the network. The hackers were highly disciplined and used the implant only against high-value targets, knowing that each activation of the tool increased the likelihood of detection.
Hackers would have been able to access e-mails, files – anything and everything on compromised devices.
FireEye stated the attack was carried out by a nation-state but did not identify it. The Washington Post cited anonymous sources that identified Russia as the culprit.
“I can’t say much other than it’s been a consistent effort of the Russians to try and get into American servers, not only those of government agencies but of businesses,” Secretary of State Pompeo said. “We see this even more strongly from the Chinese Communist Party, from the North Koreans as well. It’s an ongoing battle, an ongoing struggle to keep our systems safe, and I’m very confident the United States Government will keep our classified information out of the hands of these bad actors.”
Microsoft and a coalition of tech companies worked together to seize and “sinkhole” the malware's command-and-control domain, transferring the domain into Microsoft's possession. Sinkholing redirects the infected machines' beacons to a server the defenders control, which cuts the attackers off from those hosts and lets Microsoft build a list of infected victims from the machines that check in.
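To make the sinkholing step concrete, here is a minimal DNS sinkhole written as an added example for this page; it is not code from Microsoft, FireEye or any party to the case. Once a seized domain's nameservers point at a host like this, infected machines that look up the domain (or any name under it) receive an address the defenders control instead of the attackers' server, and every querying client is recorded as a likely victim. The domain `c2.example.invalid`, the sinkhole address `192.0.2.10` and the sample beacon queries are all constructed for the example; the real seized domain is not reproduced here.

```python
"""Minimal DNS sinkhole: answer A queries for a seized C2 domain with an
address we control, answer nothing for any other name, and keep a list of
every client that asked. Added example; all names and addresses are hypothetical."""
import socket
import struct
from datetime import datetime, timezone
from typing import Optional

SEIZED_DOMAIN = "c2.example.invalid"  # hypothetical stand-in for the seized domain
SINKHOLE_IP = "192.0.2.10"            # hypothetical sinkhole address (RFC 5737 range)


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels: 'a.b' -> b'\\x01a\\x01b\\x00'."""
    labels = [bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split(".")]
    return b"".join(labels) + b"\x00"


def decode_name(packet: bytes, offset: int) -> tuple:
    """Decode labels starting at offset; return (name, offset past the terminator)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:  # compression pointers never appear in a query's question
            raise ValueError("compressed name in question section")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a standard recursive query (used to construct the sample beacons)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(packet: bytes) -> tuple:
    """Return (txid, lower-cased qname, qtype, raw question section)."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:  # QR set means it is a response, not a query
        raise ValueError("not a single-question query")
    name, end = decode_name(packet, 12)
    qtype, _qclass = struct.unpack("!HH", packet[end:end + 4])
    return txid, name.lower(), qtype, packet[12:end + 4]


def build_response(query: bytes, ip: str, ttl: int = 60) -> bytes:
    """Answer with one A record for ip; flags 0x8180 = QR, RD, RA, NOERROR."""
    txid, _name, qtype, question = parse_query(query)
    if qtype != 1:  # non-A queries get an empty NOERROR answer
        return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question
    # 0xC00C is a pointer back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer


def response_ip(response: bytes) -> Optional[str]:
    """Read the A record address out of a response produced by build_response."""
    ancount = struct.unpack("!H", response[6:8])[0]
    return socket.inet_ntoa(response[-4:]) if ancount else None


class Sinkhole:
    """Answer only for the seized zone and log every source address that asks."""

    def __init__(self, domain: str = SEIZED_DOMAIN, ip: str = SINKHOLE_IP):
        self.domain = domain.lower().strip(".")
        self.ip = ip
        self.victims: dict = {}  # source address -> first_seen, count, names seen

    def owns(self, name: str) -> bool:
        return name == self.domain or name.endswith("." + self.domain)

    def handle(self, packet: bytes, src_ip: str, now: Optional[datetime] = None) -> Optional[bytes]:
        try:
            _txid, name, _qtype, _question = parse_query(packet)
        except (ValueError, struct.error, IndexError):
            return None  # malformed or not a query: drop silently
        if not self.owns(name):
            return None  # a sinkhole must never answer for names it does not own
        now = now or datetime.now(timezone.utc)
        seen = self.victims.setdefault(src_ip, {"first_seen": now, "count": 0, "names": set()})
        seen["count"] += 1
        seen["names"].add(name)
        return build_response(packet, self.ip)

    def serve(self, bind: str = "0.0.0.0", port: int = 53) -> None:
        """UDP listener; port 53 needs privileges or a port forward in front of it."""
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.bind((bind, port))
        while True:
            packet, (src_ip, src_port) = sock.recvfrom(512)
            reply = self.handle(packet, src_ip)
            if reply:
                sock.sendto(reply, (src_ip, src_port))


if __name__ == "__main__":
    sink = Sinkhole()
    # Constructed sample traffic: two beaconing hosts and one unrelated lookup.
    for src, qname in [("198.51.100.7", "host-a.c2.example.invalid"),
                       ("198.51.100.9", "host-b.c2.example.invalid"),
                       ("198.51.100.7", "host-a.c2.example.invalid"),
                       ("203.0.113.4", "www.example.org")]:
        sink.handle(build_query(qname), src)
    for ip, obs in sorted(sink.victims.items()):
        print(ip, obs["count"], sorted(obs["names"]))
```

The victim list is the point of the exercise: the `victims` table is what gets handed to the affected organisations, while the unrelated `www.example.org` lookup is correctly ignored. In practice the source address of a beacon is often a corporate egress NAT rather than the infected host, so the list identifies organisations to notify rather than individual machines.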