This story has been updated.
Dozens of U.S. Treasury Department email accounts were breached as part of the massive SolarWinds supply chain attack, according to a senior Democratic senator.
“The hack of the Treasury Department appears to be significant,” says Sen. Ron Wyden, D-Ore., the top Democrat on the Senate Finance Committee, in a statement. “According to Treasury staff, the agency suffered a serious breach, beginning in July, the full depth of which isn’t known.”
He says an investigation into exactly what was accessed or stolen remains ongoing, but that “dozens of email accounts were compromised.”
Biden’s Latest Comments
On Tuesday, President-elect Joe Biden said of the attack: “I promise you there will be a response.”
“This attack constitutes a grave risk to our national security. It was carefully planned and carefully orchestrated. It was carried out by using sophisticated cyber tools. The attackers succeeded in catching the federal government off guard and unprepared,” Biden said during remarks in Wilmington, Delaware, according to The Hill. “The Trump administration failed to prioritize cybersecurity.”
Biden said that the attack “certainly fits Russia’s long history of reckless disruptive cyber activities, but the Trump administration needs to make an official attribution,” The Hill reports. “This assault happened on Donald Trump’s watch when he wasn’t watching. It’s still his responsibility as president to defend American interests for the next four weeks.”
The president-elect would not say whether he considered the breach an act of war, saying that the damage needed to be assessed. He said, however, that he saw “no evidence that it is under control,” contradicting Trump’s tweet over the weekend on the matter, The Hill reports.
Biden said that his administration would “probably respond in kind” after assessing the damage of the attack, though he declined to discuss specific response options. He also said that he wants the United States and its allies to agree on international rules of responsible behavior in cyberspace, according to The Hill.
The U.S. government continues to investigate the apparent cyberespionage campaign that implanted a backdoor in the Orion network monitoring software built by Texas-based SolarWinds. The company says that nearly 18,000 of its customers may have installed the Trojanized software.
Cybersecurity experts say the attackers appeared to be not just stealthy, but also focused and disciplined. Kevin Mandia, CEO of FireEye, which was a victim of the attacks and brought them to light, says the attackers appeared to have focused on only about 50 extremely high-value targets. Each of these targets would have been infected with second-stage malware, giving attackers the ability to execute code remotely on victims’ systems, steal data and potentially hack business partners.
On Thursday, Microsoft President Brad Smith said his company had notified more than 40 customers that they appeared to have been victims of the more advanced phase of the intrusion. He said 80% of those organizations are U.S.-based, and the others are in Canada, Mexico, Belgium, Britain, Spain, Israel and the United Arab Emirates.
SolarWinds Customers at Risk
SolarWinds’ customer list would have given attackers many potential targets from which to choose. Already, the list of businesses that were running the backdoored version of the software include U.S. technology firms Belkin, Cisco, Intel and Nvidia, as well as Microsoft and VMware.
The U.S. government is also a large SolarWinds customer. Government officials say that the National Institutes of Health, as well as the Commerce, Homeland Security, State and Energy departments were running Trojanized versions of Orion.
So too was the Treasury Department.
On Monday, Treasury Secretary Steven Mnuchin told CNBC that the hackers didn’t appear to have accessed any classified systems.
“We do not see any breaking into our classified systems,” he said. “Our unclassified systems did have some access. I will say the good news is there’s been no damage, nor have we seen any large amounts of information displaced.”
“Our unclassified systems did have some access,” said Treasury Secretary Steven Mnuchin. (Photo: U.S. Embassy Jerusalem, via Flickr/CC)
Mnuchin said remediation was well underway. “We are working with the National Security Council, we’re working with the intel agencies, and I can assure you, we are completely on top of this.”
‘Dozens of Email Accounts’ Compromised
Mnuchin’s upbeat-sounding assessment issued on Monday stood in stark contrast to Wyden’s warning later in the day that the agency had suffered what appeared to be a “significant” breach.
“Microsoft notified the agency that dozens of email accounts were compromised,” Wyden said. “Additionally the hackers broke into systems in the departmental offices division of Treasury, home to the department’s highest-ranking officials. Treasury still does not know all of the actions taken by hackers, or precisely what information was stolen.”
On the upside, however, IRS officials told senators that “there is no evidence that IRS was compromised or taxpayer data was affected,” he said.
The U.S. government is a large user of cloud-based Office 365 – aka Microsoft 365 – and FireEye’s investigation has suggested that attackers were able to use the Orion backdoor to steal access tokens and gain access, via Azure Active Director, to Office 365.
An aide to Sen. Wyden told Reuters that attackers were able to access multiple Treasury email inboxes – although not Mnuchin’s – after stealing their single sign-on tokens.
Wyden says the SolarWinds attack was a stark demonstration of the importance of strong encryption for protecting all systems, including those used by the federal government.
“Finally, after years of government officials advocating for encryption backdoors and ignoring warnings from cybersecurity experts who said that encryption keys become irresistible targets for hackers, the U.S. government has now suffered a breach that seems to involve skilled hackers stealing encryption keys from U.S. government servers,” he said.
Some US Officials Point to Russia
No evidence has yet been published to support the assertion that the Russian government, or its foreign intelligence service – the SVR – was responsible for the SolarWinds supply chain attack. But unnamed sources with knowledge of the investigation have said in media interviews that suspicion is centering on the SVR.
Russia denies any involvement.
Some top U.S. officials are also pointing to Russia. “This was a very significant effort, and I think it’s the case that now we can say pretty clearly that it was the Russians that engaged in this activity,” Secretary of State Mike Pompeo said in a Friday radio interview.
On Saturday, President Donald Trump downplayed the severity of the SolarWinds supply chain attack and suggested that China – not Russia – might have been the culprit.
On Monday, however, Attorney General Bill Barr, who’s due to leave his job Wednesday, backed Pompeo’s assessment. “It certainly appears to be the Russians, but I am not going to discuss it beyond that,” Barr said at a press conference, Reuters reports.
Several news outlets have reported that White House officials had prepared a statement on Friday formally accusing Russia of perpetrating the SolarWinds Orion supply chain attack. But they were reportedly blocked from releasing the statement.
Efforts are continuing to attempt to identify all organizations that were running the backdoored software, as well as the subset that might have been subjected to second-stage hacking. Experts say the cleanup could take many months.
Location of some of the organizations that were exploited via second-stage attacks as part of the SolarWinds Orion supply chain attack, as identified by Microsoft
Ejecting attackers from the more deeply penetrated networks will be no easy task. “Given the presumed attribution of the attackers, it is highly likely they may still have hidden capabilities in their victims’ networks that will be extremely difficult to detect and eradicate,” retired Brig. Gen. Gregory Touhill, who served as the first CISO for the federal government, says in a blog post (see: SolarWinds Breach Response: ‘Shields Up’).
“That will likely force many to conclude that the only way to neutralize the threat is to ‘burn down’ their existing network and rebuild,” he says, perhaps by using more “as-a-service approaches,” as well as more of a “zero trust” approach.
“If this is indeed SVR, as we believe it is, those guys are incredibly hard to kick out of networks,” Dmitri Alperovitch, the former CTO of CrowdStrike and co-founder of the Silverado Policy Accelerator think tank, tells The Wall Street Journal.