The Department of Energy’s nuclear weapons office and the Federal Energy Regulatory Commission are the latest agencies swept up in a staggering hack of global computer networks.
DOE spokesperson Shaylyn Hynes said the breach "has not impacted the mission-essential national security functions" of the agency or its National Nuclear Security Administration, which manages the U.S. nuclear weapons stockpile.
But the intrusions at DOE and FERC add to fallout from a far-reaching Russia-linked hack of IT service provider SolarWinds. The departments of Homeland Security, Defense, Commerce, the Treasury and State are among the agencies reported to have been compromised in the hacking campaign.
"This threat poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations," DHS’s Cybersecurity and Infrastructure Security Agency (CISA) said in a rare alert yesterday.
The hacking campaign also hit DOE’s Sandia and Los Alamos national laboratories, Politico first reported yesterday. Sandia National Laboratories tests U.S. nuclear weapons, and Los Alamos National Laboratory works closely with NNSA, and both labs carry out research on a range of energy and computing technologies.
Spokespeople for NNSA, Los Alamos and Sandia deferred comment to Hynes’ statement.
"The Department of Energy is responding to a cyber incident related to the SolarWinds compromise in coordination with our federal and industry partners," Hynes said. "The investigation is ongoing and the response to this incident is happening in real time."
DOE disconnected vulnerable software from the agency’s network once the malware was identified, said Hynes, who added that the malware "has been isolated to business networks only."
Bryson Bort, founder and CEO of cybersecurity firm Scythe, pointed out that it’s too early to say what kind of nuclear or grid information hackers may have stolen. "SolarWinds provides an entry into unclassified networks, and it’s confirmed that happened," he told E&E News. "Anything further is conjecture. It’s highly unlikely they were able to jump to classified networks."
A FERC spokesperson did not respond to a request for comment. But FERC Commissioner Neil Chatterjee said yesterday that the independent energy agency has stopped using SolarWinds’ Orion software platform, which had been used to spread the "Sunburst" malware.
"At this time, we do not have any conclusive evidence that the malicious actors accessed our systems or exfiltrated any data," Chatterjee said. "We will continue working with our vendors and federal partners to comply with DHS guidance and ensure the security of our systems and data."
‘The problem is only getting worse’
But some U.S. intelligence officials and cybersecurity experts warned that the full scope of the hack was only starting to come into focus, with many more victims likely to emerge as organizations scoured their networks for signs of the suspected Russian hackers.
"This is bad. FERC has a lot of sensitive info on all of the biggest utilities," said Patrick Miller, managing partner at Archer Energy Solutions LLC and a former auditor for the North American Electric Reliability Corp., which oversees U.S. grid cybersecurity. "Really hoping none of that got compromised. Looks like the problem is only getting worse."
Reuters reported yesterday that tech giant Microsoft Corp. had also fallen victim to the attack, which hijacked SolarWinds’ widely used software to break into potentially thousands of organizations’ computer networks. A Microsoft spokesperson said all malicious tools had been isolated and removed.
"This is not ‘espionage as usual,’ even in the digital age," Microsoft President Brad Smith said in a sharply worded blog post that cited past "sophisticated attacks from Russia" without directly accusing Moscow of being responsible for the latest breach. "Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world. In effect, this is not just an attack on specific targets, but on the trust and reliability of the world’s critical infrastructure in order to advance one nation’s intelligence agency."
The Washington Post has reported that the Russia-linked hacking group "Cozy Bear" is believed to be behind the SolarWinds hack, which dates back to at least this March. Cybersecurity experts have linked Cozy Bear to Russia’s SVR foreign intelligence service, though Russia has denied involvement in global cyberespionage campaigns.
Experts say the breaches at DOE and FERC will put further pressure on U.S. power utilities still reeling from the SolarWinds hack.
Norma Krayem, vice president and chair of Van Scoyoc Associates’ cybersecurity, privacy and digital innovation practice group, said that the FERC breach "also means that the attackers are going after key vulnerabilities that may [have] been reported to FERC to exploit them later."
"This attack goes beyond mere espionage, and we have been raising flags about cyber risks to the energy industry for some time," Krayem added. "This is most likely just the tip of the iceberg."
‘The keys to the kingdom’
While there have been no public reports of U.S. utilities being targeted by the campaign, SolarWinds’ Orion network monitoring tool is widely used in the energy sector, including to operate parts of the bulk power grid and oil and gas pipelines (Energywire, Dec. 15).
"The keys to the kingdom have been taken," Robert M. Lee, CEO of industrial cybersecurity firm Dragos Inc., said on CBS News last night. "It’s not as easy as flipping the light switch, but [hackers] absolutely did have access into many sensitive infrastructure sites."
Grant Geyer, chief product officer at industrial cybersecurity firm Claroty, said utilities are having trouble determining how badly they may have been hit because the full scope of the attack is still unknown.
"Operators need to be able to understand the breadth of a potential compromise in their environments, such that they can cleanse a hacker out of it," he said. "But at present, with the daily news coming in, the compromise is unclear."
Power companies’ cybersecurity teams should treat the campaign as a "worst-case scenario," Geyer added.
In a rare statement on cybersecurity, President-elect Joe Biden said yesterday that "we have learned in recent days of what appears to be a massive cybersecurity breach affecting potentially thousands of victims, including U.S. companies and federal government entities."
"There’s a lot we don’t yet know, but what we do know is a matter of great concern," he said, adding that his administration "will make cybersecurity a top priority at every level of government — and we will make dealing with this breach a top priority from the moment we take office."
President Trump has yet to comment publicly on the SolarWinds breach and Russia’s likely role in it. That has generated criticism from congressional Democrats and some Republicans who think the United States has a responsibility to respond to an attack of this scale.
Sen. Mitt Romney (R-Utah) took to Twitter to slam the "inexcusable silence and inaction from the White House" in response to the hack. He likened the cyberespionage campaign to "Russian bombers reportedly flying undetected over the entire country" while stopping short of dropping bombs.
"Our national security is extraordinarily vulnerable," Romney told SiriusXM radio. "And in this setting, not to have the White House aggressively speaking out and protesting and taking punitive action is really quite extraordinary."
The White House did not immediately respond to requests for comment.
The House Homeland Security Committee and Oversight and Reform Committee announced plans to launch an investigation into the cyberespionage campaign.
"Our Committees are seeking information related to the apparent, widespread compromise of multiple federal government, critical infrastructure, and private sector information technology networks," wrote Oversight and Reform Chairwoman Carolyn Maloney (D-N.Y.) and Homeland Security Chairman Bennie Thompson (D-Miss.).
Committee leaders also sent a letter to the directors of CISA, the FBI and the Office of the Director of National Intelligence asking for more information about the ongoing hacking campaign.
In a statement Wednesday, those agencies said that the hacking campaign "is significant and ongoing."
The House lawmakers wrote that "while investigations and technical forensic analyses are still ongoing, based on preliminary reporting, it is evident that this latest cyber intrusion could have potentially devastating consequences for U.S. national security."
The Oversight and Homeland Security panels are set to receive a classified briefing on the SolarWinds campaign today, according to the letter.
SolarWinds has estimated that the breach could affect up to 18,000 of its customers worldwide. But cybersecurity officials at CISA warned in another alert that the cyberespionage campaign goes even deeper than first thought.
"The SolarWinds Orion supply chain compromise is not the only initial infection vector," the top civilian cybersecurity agency said. "CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations."
Tatyana Bolton, a former CISA official who is now managing senior fellow for cybersecurity at the R Street Institute, said the hack underscores the need to invest in U.S. digital defenses rather than kinetic warfare, which commands a much bigger share of the federal budget.
"If anything, this hack is a prime example of what happens when your risk calculus is skewed towards preparing for wars of the past instead of fights of the future," she said.
Reporter Arianna Skibell contributed.