The scale of a sophisticated cyberattack on the U.S. government that was unearthed this week is much bigger than first believed. The Cybersecurity and Infrastructure Security Agency said in a summary Thursday that the threat “poses a grave risk to the federal government.” CISA added that “state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations” are also at risk.
“This threat actor has demonstrated sophistication and complex tradecraft in these intrusions,” CISA said. “Removing the threat actor from compromised environments will be highly complex and challenging.” CISA has not said who it thinks is the “advanced persistent threat actor” behind the “significant and ongoing” campaign, but many experts are pointing to Russia.
The FBI said Wednesday it is “investigating and gathering intelligence in order to attribute, pursue, and disrupt the responsible threat actors.”
CISA said those behind the attack used network management software made by SolarWinds, a Texas-headquartered IT firm, to breach the government networks. As many as 18,000 SolarWinds Orion customers downloaded a software update that contained a backdoor, which the hackers used to gain access to the networks. CISA issued an “emergency directive” this week instructing federal civilian agencies to “immediately disconnect or power down affected SolarWinds Orion products from their network.” But the perpetrators may have used other means to access the networks. CISA said Thursday it is investigating “evidence of additional access vectors, other than the SolarWinds Orion platform.”
Suspected Russian hackers accessed the systems of a U.S. internet provider and a county government in Arizona as part of a sprawling cyber-espionage campaign disclosed this week, according to an analysis of publicly available web records.
The intrusions into networks at Cox Communications and the local government in Pima County, Arizona, show that alongside victims including the U.S. departments of Defense, State, and Homeland Security, the hackers also spied on less high-profile organizations.
SolarWinds, which disclosed its unwitting role at the centre of the global hack on Monday, has said that up to 18,000 users of its Orion software downloaded a compromised update containing malicious code planted by the attackers.
As the fallout continued to roil Washington on Thursday, with a breach confirmed at the U.S. Energy Department, U.S. officials warned that the hackers had used other attack methods and urged organisations not to assume they were protected if they didn’t use recent versions of the SolarWinds software.
Microsoft, which was one of the thousands of companies to receive the malicious update, said it had so far notified more than 40 customers whose networks were further infiltrated by the hackers.
MacDailyNews Take: As we said on Monday of this cyberattack on U.S. government and others, “This sounds like just the tip of the iceberg.”
For more information, read FireEye’s blog post: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor.