The U.S. government confirmed Wednesday that several of its networks were affected by a recent hacking campaign widely suspected to be led by the Russian government, calling the attack “significant and ongoing.”
The hack targeted users of the software company SolarWinds, using its platform to peer into computer networks for various U.S. government agencies and Fortune 500 companies.
The U.S. Department of Homeland Security and the federal Treasury and Commerce departments were among the agencies affected.
“This is a developing situation, and while we continue to work to understand the full extent of this campaign, we know this compromise has affected networks within the federal government,” said a joint statement issued by the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI).
Officials widely suspect Russia is behind the attack, although the joint statement does not say who investigators believe is responsible. It also doesn’t specifically mention which agencies were impacted.
SolarWinds said up to 18,000 of its customers had downloaded a compromised software update that allowed hackers to spy unnoticed on businesses and agencies for almost nine months. The company says the attack was directed by an “outside nation state,” but has also not named Russia.
“Over the course of the past several days, the FBI, CISA, and ODNI have become aware of a significant and ongoing cybersecurity campaign,” the joint statement said.
“The FBI is investigating and gathering intelligence in order to attribute, pursue, and disrupt the responsible threat actors,” the statement said.
The FBI, CISA and ODNI have formed a Cyber Unified Coordination Group to coordinate the U.S. government’s response, it said.
How did SolarWinds get impacted?
The company on Sunday began alerting about 33,000 of its customers that malicious code had been injected into some updated versions of its premier product, Orion. The ubiquitous software tool, which helps organizations monitor the performance of their computer networks and servers, had become an instrument for spies to steal information undetected.
One of SolarWinds’ customers, the prominent cybersecurity firm FireEye, was the first to detect the hacking operation, and began notifying other victims.
The compromised product accounts for nearly half the company’s annual revenue, which totalled $753.9 million over the first nine months of this year. Its stock has plummeted 23 per cent since the beginning of the week.
Moody’s Investors Service said Wednesday it was looking to downgrade its rating for the company, citing the “potential for reputational damage, material loss of customers, a slowdown in business performance and high remediation and legal costs.”
SolarWinds’ longtime CEO, Kevin Thompson, had months earlier indicated that he would be leaving at the end of the year as the company explored spinning off one of its divisions. The SolarWinds board appointed his replacement, current PulseSecure CEO Sudhakar Ramakrishna, on Dec. 7, according to a financial filing, a day before FireEye first publicly revealed the hack on its own system and two days before the change of CEOs was announced.
It was also on Dec. 7 that the company’s two biggest investors, Silver Lake and Thoma Bravo, which control a majority stake in the publicly traded company, sold more than $280 million in stock to a Canadian public pension fund. The two private equity firms in a joint statement said they “were not aware of this potential cyberattack” at the time they sold the stock. FireEye disclosed the next day that it had been breached.
The hacking operation began at least as early as March when SolarWinds customers who installed updates to their Orion software were unknowingly welcoming hidden malicious code that could give intruders the same view of their corporate network that in-house IT crews have. FireEye described the malware’s dizzying capabilities — from initially lying dormant up to two weeks, to hiding in plain sight by masquerading its reconnaissance forays as Orion activity.
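The "masquerading as Orion activity" point above has a practical flip side for defenders: a network-monitoring server has an unusually well-defined set of legitimate destinations, namely the hosts it is configured to poll plus the vendor's documented update endpoints, so any other outbound connection from the monitoring process is worth an alert, and one that first appears weeks after an update is doubly so. The following Python is an added example written for this page, not code from the article, FireEye or SolarWinds. The process name, monitored address ranges, vendor host, install date and the log lines are all constructed placeholders, and the log format is an assumed simple key=value layout rather than any real product's output.

```python
"""Egress allowlisting for a network-monitoring host (added example).

Assumptions (none from the original article):
  - The monitoring process is called MonitoringService.exe (placeholder).
  - Its only legitimate destinations are the monitored inventory networks
    and the vendor's update host (both placeholders).
  - Firewall/proxy logs arrive as "<iso-timestamp> proc=... dst=... port=...".
"""
import ipaddress
from datetime import datetime

# Assumed: address ranges of the hosts the monitoring product is configured to poll.
MONITORED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.10.0/24"),
]
# Assumed: vendor update/telemetry endpoints documented by the vendor (placeholder).
VENDOR_HOSTS = {"updates.vendor.example"}
MONITORING_PROCESS = "MonitoringService.exe"   # placeholder process name
INSTALL_TIME = datetime(2020, 3, 1)            # assumed time the update was installed

# Constructed sample log lines; 203.0.113.0/24 is a documentation range.
LOG_LINES = """\
2020-03-02T10:00:01 proc=MonitoringService.exe dst=10.1.2.3 port=161
2020-03-02T10:00:05 proc=MonitoringService.exe dst=192.168.10.40 port=443
2020-03-15T03:14:07 proc=MonitoringService.exe dst=203.0.113.77 port=443
2020-03-15T03:14:09 proc=MonitoringService.exe dst=beacon.example.net port=443
2020-03-15T03:20:00 proc=chrome.exe dst=203.0.113.5 port=443
""".splitlines()


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime and int port."""
    ts_str, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.fromisoformat(ts_str)
    rec["port"] = int(rec["port"])
    return rec


def is_expected_destination(dst):
    """True if dst is inside a monitored network or is a documented vendor host."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        # Not an IP literal: treat as a hostname and allow only vendor hosts.
        return dst in VENDOR_HOSTS
    return any(addr in net for net in MONITORED_NETWORKS)


def find_unexpected_egress(lines, process=MONITORING_PROCESS, install_time=INSTALL_TIME):
    """Return connections from the monitoring process to non-allowlisted destinations.

    Each finding records how many days after the update install it occurred, so a
    beacon that only starts after a dormancy period stands out in the report.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec["proc"] != process:
            continue                      # other processes are out of scope here
        if is_expected_destination(rec["dst"]):
            continue                      # legitimate monitoring or vendor traffic
        findings.append({
            "ts": rec["ts"].isoformat(),
            "dst": rec["dst"],
            "port": rec["port"],
            "days_since_install": (rec["ts"] - install_time).days,
        })
    return findings


if __name__ == "__main__":
    for f in find_unexpected_egress(LOG_LINES):
        print(f"ALERT {f['ts']} {MONITORING_PROCESS} -> {f['dst']}:{f['port']} "
              f"({f['days_since_install']} days after install)")
```

On the constructed input the two connections on 2020-03-15 from the monitoring process to 203.0.113.77 and beacon.example.net are flagged, both 14 days after the assumed install, while the browser connection is ignored because it belongs to a different process. The allowlist is the point: it is derived from the monitoring product's own configuration, so it needs no threat-intelligence indicators to catch a monitoring agent talking to somewhere it was never configured to reach.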
FireEye said Wednesday that it had identified a “killswitch” that prevents the malware used by the hackers from operating. But while that disables the original backdoor, it won’t remove intruders from systems where they created different ways of remotely accessing victimized networks.
SolarWinds executives declined interviews through a spokesperson, who cited an ongoing investigation into the hacking operation that involves the FBI and other agencies.
How is the U.S. government responding?
On Sunday night, the Department of Homeland Security directed all federal agencies to remove the compromised software, and thousands of companies were expected to do the same.
The Pentagon said in a statement Wednesday that it had so far found “no evidence of compromise” on its classified and unclassified networks from the “evolving cyber incident.”
The NSA, DHS and FBI briefed the House Intelligence Committee Wednesday on what was widely considered a serious intelligence failure. Democratic Sen. Dick Durbin told CNN “this is virtually a declaration of war by Russia on the United States, and we should take that seriously.”
Yet the Trump administration has been largely silent publicly about exactly what agencies were breached, causing other members of Congress to express concerns.
“Stunning,” tweeted Sen. Richard Blumenthal, a Connecticut Democrat. He said a Senate Armed Services Committee classified briefing Tuesday “on Russia’s cyberattack left me deeply alarmed, in fact downright scared. Americans deserve to know what’s going on.”
“Declassify what’s known & unknown,” he demanded.
Beyond the agencies believed to have been impacted, SolarWinds has boasted of its other contracts with the White House, Secret Service, NASA and other government departments. A company web page listing those contracts and others was taken down earlier this week.
Canada eyeing potential threat
Canadian cybersecurity officials have not yet publicly identified any domestic networks that have been impacted by the hacking operation.
“(The Communications Security Establishment) and its Canadian Centre for Cyber Security (Cyber Centre) are aware of media reporting about a major cyber incident affecting the U.S. Government,” Evan Koronewski, spokesperson for the CSE, told Global News Tuesday.
“We are assessing the situation and continue to work with government partners, including Shared Services Canada, to ensure that our networks remain secure and no information has been compromised.”
Koronewski said the CSE’s Cyber Centre has issued both an alert to the public and bulletins privately to government and non-government partners advising of the incident.
It is also advising anyone using SolarWinds’ Orion platform to upgrade to a newer version, following the company’s guidance.
Global News has asked SolarWinds for a list of any Canadian clients that use the Orion software, including government agencies and businesses.
—With files from Global’s Amanda Connolly, the Associated Press and Reuters