Top cybersecurity officials are scrambling to assess the fallout from a far-reaching hack of U.S. federal agencies and global companies, with electric power utilities, at least two Energy Department national labs and thousands of other organizations potentially breached.
The Homeland Security, Treasury and Commerce departments have each had some networks hacked, Reuters first reported, though other agencies also likely fell victim to the cyber espionage campaign given its massive reach.
At the center of the intrusions is U.S. IT service provider SolarWinds. The Austin, Texas-based company said yesterday its widely used Orion software platform had been hit by a "highly sophisticated" cyberattack "likely conducted by an outside nation state." The Washington Post reported the Russia-backed hacking group nicknamed "Cozy Bear" is believed to be responsible, citing anonymous sources.
SolarWinds counts most U.S. Fortune 500 companies, the National Security Council, the Pentagon and the White House among its customers, according to its website.
"This is really a big deal," Joe Slowik, senior threat researcher at DomainTools, said in an interview. "A lot of people’s holidays are going to be ruined, because given the size, scope and duration of this activity, anyone who thinks that they might have been compromised is going to have to take a hard look at a lot of things," from email usernames and passwords to the sensitive operational networks used to manage parts of the power grid and oil and gas sector.
Slowik, who formerly led the cybersecurity emergency response team at DOE’s Los Alamos National Laboratory, said it was notable that both the Sandia and Oak Ridge national labs use SolarWinds products.
"And they’re just the ones that are publicly listed," Slowik said. "SolarWinds [Orion] is very popular software, particularly for very large and complex networks like the national labs."
Oak Ridge in Tennessee houses one of the world’s fastest supercomputers and leads nuclear fusion research, among other activities. Sandia, based in New Mexico, tests the reliability of the U.S. nuclear weapons stockpile and studies a range of energy and computing technologies.
Oak Ridge did not respond to an emailed request for comment about the SolarWinds compromise. Sandia deferred comment to DOE, which did not respond to questions about a potential breach.
"From a national lab perspective, this is an excellent ingress point to get access to potentially classified networks," Slowik said. "The implications here are pretty significant and can’t be slept on. Security teams at those institutions are probably very busy right now."
He called the Orion software tool "a bull’s-eye" for attackers — so effective that it could even crack into a publicly traded cybersecurity company like FireEye Inc., which disclosed it was breached last week (Cybersecurity Update, Dec. 10).
"It shows that no one is safe," Slowik said. "A major, well-equipped security company with lots of internal expertise can fall victim to these sorts of [attacks]."
Electric power industry leaders have taken note. The Electricity Subsector Coordinating Council, a group of energy industry CEOs that meets regularly with top government officials, held a "situational awareness call" yesterday morning about potential threats to the grid.
"The electric power industry takes all vulnerabilities and threats to the energy grid and our supply chains very seriously, including the latest SolarWinds Orion Platform vulnerability that cuts across many sectors," ESCC said in a statement. The group is co-chaired by Tom Fanning, CEO of Atlanta-based utility giant Southern Co.
The Electricity Information Sharing and Analysis Center, a hub for getting the word out about cyberthreats and vulnerabilities facing North American power networks, also alerted power producers and utility companies to the threat yesterday. "The E-ISAC is actively engaged with industry and government partners and is cascading information and mitigation steps to E-ISAC members as soon as available through its secure portal," said spokeswoman Kimberly Mielcarek.
It was not immediately clear how the global intrusion campaign could affect the operational technology that keeps the lights on and oil and gas facilities online. But experts said some critical infrastructure operators rely on Orion and had been hacked.
"Dragos is aware of industrial entities compromised in this campaign and advises [that] asset owners and operators first must assess their exposure in Operational Technology (OT) environments," Sergio Caltagirone, vice president of threat intelligence for industrial cybersecurity firm Dragos Inc., said in a statement yesterday. "Supply chain compromises, like SolarWinds, provide illicit and malicious access to OT environments facilitating possible disruption."
Suzanne Lemieux, manager of operations security and emergency response policy at the American Petroleum Institute, said oil and gas companies "work tirelessly to maintain and improve their defenses."
"Our members are aware of the escalating cyber threats facing the natural gas and oil industry, and API has continued to work closely with the government including the Transportation Security Administration, Cybersecurity and Infrastructure Security Agency, and the Department of Energy, sharing threat intelligence as it is disseminated," she said in a statement.
More victims to come?
DHS said it "is aware of cyber breaches across the federal government and working closely with our partners in the public and private sector on the federal response," according to a statement yesterday from agency spokesman Alexei Woltornist.
Sen. Maggie Hassan (D-N.H.), a member of the Senate Homeland Security and Governmental Affairs Committee, called for making the SolarWinds hack a top priority.
"We must quickly determine what data was compromised in this breach and assess whether these hackers still pose a threat," she said in a statement. "Once we understand the full scope of the damage, the administration must immediately work to eliminate the vulnerabilities that led to this attack and strengthen our cybersecurity systems to prevent future attacks."
A White House spokesman deferred comment to the National Security Council, where spokesman John Ullyot said the council is "working closely with CISA, FBI, the intelligence community, and affected departments and agencies to coordinate a swift and effective whole-of-government recovery and response to the recent compromise."
EPA declined to comment in time for publication, and an Interior Department spokesperson deferred comment to DHS.
SolarWinds said in a Securities and Exchange Commission filing that it believes "fewer than 18,000" users of its Orion monitoring tool were vulnerable to being hacked.
But the danger was severe enough for CISA to issue a rare emergency directive late Sunday requiring federal agencies to power down all SolarWinds Orion products, citing an "unacceptable risk" of compromise.
Dating back to at least March, hackers have hijacked software updates for Orion products, injecting them with malware dubbed "Sunburst." The hacked updates become a Trojan horse for the hackers to breach the networks of Orion’s clients. When a victim downloads a seemingly trustworthy Orion patch — much like updating apps on your phone — the hackers get a back door into the target computer system.
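The update hijack described above works because the victim applies whatever arrives through the update channel. As an added illustration that is not part of the original article, the following Python (standard library only) shows the defender-side check that such trust should rest on: the SHA-256 digest of a downloaded package is compared against a manifest of known-good digests, and the manifest itself is authenticated with a key held out of band, so an attacker who can alter the package cannot simply alter the manifest to match. Everything in it is constructed for the demo: the package bytes, the file name `orion-update.bin`, the manifest and the key; the HMAC stands in for the vendor's asymmetric code signature.

```python
"""Update-integrity check (added example, not SolarWinds or FireEye code).

A package is applied only if (1) the manifest listing expected digests
authenticates under a key obtained out of band, and (2) the package's
SHA-256 digest matches the manifest entry. Anything else is rejected.
"""
import hashlib
import hmac
import json

# Constructed stand-in for the vendor's signing key; in practice this would be
# the vendor's public key, pinned locally, never fetched from the update channel.
MANIFEST_KEY = b"constructed-out-of-band-manifest-key"

# Constructed package contents. The tampered copy models an update that had a
# payload injected into it somewhere between the vendor and the victim.
GOOD_PACKAGE = b"orion-update: legitimate build bytes (constructed)"
TAMPERED_PACKAGE = GOOD_PACKAGE + b"\n<injected payload (constructed)>"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a package's bytes."""
    return hashlib.sha256(data).hexdigest()


def sign_manifest(entries: dict, key: bytes) -> dict:
    """Attach an authentication tag to a {package_name: digest} table.

    HMAC-SHA256 stands in for the vendor's code signature in this demo.
    """
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"entries": entries, "mac": tag}


def verify_manifest(manifest: dict, key: bytes) -> bool:
    """Recompute the tag over the entries and compare in constant time."""
    body = json.dumps(manifest.get("entries", {}), sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest.get("mac", ""))


def check_update(package_name: str, package_bytes: bytes,
                 manifest: dict, key: bytes) -> str:
    """Return "OK" if the package may be applied, otherwise a REJECT reason."""
    # Step 1: never trust a manifest that does not authenticate; an attacker
    # who swaps the package can just as easily swap an unsigned manifest.
    if not verify_manifest(manifest, key):
        return "REJECT: manifest authentication failed"
    # Step 2: the package must be one the manifest actually lists.
    expected = manifest["entries"].get(package_name)
    if expected is None:
        return "REJECT: package not listed in manifest"
    # Step 3: the bytes on disk must hash to the listed digest.
    actual = sha256_hex(package_bytes)
    if not hmac.compare_digest(actual, expected):
        return "REJECT: digest mismatch (possible tampered update)"
    return "OK"


# Constructed manifest: the vendor lists only the legitimate build.
MANIFEST = sign_manifest({"orion-update.bin": sha256_hex(GOOD_PACKAGE)},
                         MANIFEST_KEY)


def demo() -> dict:
    """Run the check against the good, tampered and forged-manifest cases."""
    # An attacker who tampers with the package and re-lists the new digest
    # still cannot produce a valid tag without the out-of-band key.
    forged = {"entries": {"orion-update.bin": sha256_hex(TAMPERED_PACKAGE)},
              "mac": MANIFEST["mac"]}
    return {
        "good": check_update("orion-update.bin", GOOD_PACKAGE, MANIFEST, MANIFEST_KEY),
        "tampered": check_update("orion-update.bin", TAMPERED_PACKAGE, MANIFEST, MANIFEST_KEY),
        "forged_manifest": check_update("orion-update.bin", TAMPERED_PACKAGE, forged, MANIFEST_KEY),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:16s} {verdict}")
```

The check only helps if the key used to authenticate the manifest never travels through the same channel as the update; if an attacker can alter the package upstream of the point where the vendor computes and signs its digests, the manifest will list the poisoned build and this check passes, which is why integrity verification complements, rather than replaces, monitoring for the post-install reconnaissance described next.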
From there, they’ve been spotted "patiently conducting reconnaissance, consistently covering their tracks, and using difficult-to-attribute tools," said FireEye CEO Kevin Mandia, who wrote in a blog post yesterday that the SolarWinds hack was the work of a "top-tier," likely state-sponsored group. "Each of the attacks requires meticulous planning and manual interaction."
Jacob Williams, founder of the cybersecurity firm Rendition InfoSec, lauded FireEye for sharing details from its own breach so others could learn from it.
"FireEye has dealt a major blow to Russian intelligence with this," Williams said on a webinar yesterday hosted by the cyber educational and training nonprofit SANS Institute.
Williams pointed out that for IT professionals, Orion is a household name. "It’s like Kleenex to tissues," he said. "They really are one of the de facto network management systems: These folks are all over the federal government."
Williams said he’s "confident that we will learn about other government agencies breached by Cozy Bear over the coming weeks."