Skip to main content

Feds call 'nine-month long undetected' Russian hack that breached US nuclear agencies, Microsoft, 'most of the Fortune 500' and State Department a 'grave threat' - as Senate Whip demands 'a response'

A massive suspected Russian cyber campaign is being called the biggest breach in American history and a 'grave threat' to the government and private companies, with the Senate's No. 2 Democrat demanding a 'response in kind.'

The sprawling attack, which targeted critical government infrastructure using a Trojan horse hidden in network management software from SolarWinds Corp, also compromised broad swathes of the private sector, including Microsoft and likely most of the Fortune 500, it emerged on Thursday. 

Officials say the attack went undetected for nearly nine months, allowing the hackers free range in the affected networks, including at the Pentagon, FBI, Treasury, State Department and nuclear security agencies, and that the true scale of the stolen information may never be known.

'There will be a price to pay for this,' vowed Senate Minority Whip Dick Durbin, an Illinois Democrat, in a floor speech on Thursday. 'This is nothing short of a virtual invasion by the Russians into critical accounts of the federal government.'

'When adversaries such as Russia torment us, tempt us, breach the security of our nation, we need to respond in kind,' said Durbin, though noting he was not calling for 'all-out war'.

President-elect Joe Biden also vowed a tough response, saying in a statement: 'Our adversaries should know that, as president, I will not stand idly by in the face of cyber assaults on our nation.'

Biden vowed to 'disrupt and deter' future cyber attacks by 'imposing substantial costs on those responsible for such malicious attacks, including in coordination with our allies and partners.' 

The White House has not yet commented on the breach. The attack, if authorities can prove it was carried out by Russia as experts believe, creates a fresh foreign policy problem for President Donald Trump in his final days in office. 

Scroll down for video 

'There will be a price to pay for this,' vowed Senate Minority Whip Dick Durbin in a floor speech on Thursday. 'This is nothing short of a virtual invasion by the Russians'

'There will be a price to pay for this,' vowed Senate Minority Whip Dick Durbin in a floor speech on Thursday. 'This is nothing short of a virtual invasion by the Russians'

President-elect Joe Biden also vowed a tough response, saying in a statement: 'Our adversaries should know that, as president, I will not stand idly by in the face of cyber assaults'

President-elect Joe Biden also vowed a tough response, saying in a statement: 'Our adversaries should know that, as president, I will not stand idly by in the face of cyber assaults'

WHO'S KNOWN TO HAVE BEEN TARGETED BY HACKERS SO FAR

Pentagon

Treasury

FBI 

Department of State 

Department of Homeland Security 

Commerce Department

National Institutes of Health

Department of Energy

National Nuclear Security Administration 

Los Alamos National Laboratory 

Federal Energy Regulatory Commission

Office of Secure Transportation 

Officially, the U.S. Cybersecurity and Infrastructure Security Agency has not publicly identified Russia as the source of the attack, and Russia denies involvement. But private security companies say that all signs point to the Kremlin. 

Asked whether Russia was behind the attack, a U.S. official said: 'We believe so. We haven't said that publicly yet because it isn't 100 percent confirmed.' 

CISA warned the sophisticated attack was hard to detect and will be difficult to undo. 'This threat actor has demonstrated sophistication and complex tradecraft in these intrusions,' the agency said in a flash bulletin.

The agency said that the intrusion, which it dubbed SUNBURST, posed a 'grave risk' to 'critical infrastructure' in both the public and private sector, and at all levels of government. 

In a statement to DailyMail.com on Thursday, a Microsoft spokesperson confirmed that the company had detected and removed malicious code from the SolarWinds attack within the company, but denied that any of its products were affected.

Microsoft is one of the world's largest technology companies, with clients across the public and private sector, and last year was awarded the $10 billion JEDI contract to run the Department of Defense's cloud computing system. 

'We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others,' the spokesperson said.  

As well, the two agencies responsible for maintaining America's nuclear weapons stockpile have evidence they were compromised in the attack, which also breached the Pentagon, FBI, Treasury and State Department.

'This is looking like it's the worst hacking case in the history of America,' one U.S. official said on condition of anonymity. 'They got into everything.' 

Microsoft was breached in the massive suspected Russian campaign that has hit multiple U.S. government agencies, according to people familiar with the matter

Microsoft was breached in the massive suspected Russian campaign that has hit multiple U.S. government agencies, according to people familiar with the matter

Deterrent: Land-based Minuteman missiles are one of the three prongs of the nuclear triad. Experts now fear the agencies that maintain US nuclear stockpiles have been breached

Deterrent: Land-based Minuteman missiles are one of the three prongs of the nuclear triad. Experts now fear the agencies that maintain US nuclear stockpiles have been breached

Hacked: The Los Alamos National Laboratory in New Mexico conducts the government's most sensitive and advanced nuclear research

Hacked: The Los Alamos National Laboratory in New Mexico conducts the government's most sensitive and advanced nuclear research

How hackers used legitimate software updates as camouflage for the 'SUNBURST' attack

The U.S. Cybersecurity and Infrastructure Security Agency on Thursday released an alert detailing what it knows about the breach, which has been called the biggest in U.S. history.

CISA says that hackers were able to compromise the supply chain of network management software from SolarWinds, specifically recent versions of the SolarWinds Orion products. 

Beginning in March 2020, hackers used SolarWinds software updates to install a secret network backdoor, which authorities are calling SUNBURST.

The malicious code was signed by the legitimate SolarWinds code signing certificate. An estimated 18,000 customers downloaded the compromised updates.

Once installed on a network, the malware used a protocol designed to mimic legitimate SolarWinds traffic to communicate with a domain that has since been seized and shut down.

The initial contact domain would often direct the malware to a new internet protocol address for command and control. The attackers used rotating IPs and virtual private servers with IP addresses in the target's home country to make detection of the traffic more difficult.

'Taken together, these observed techniques indicate an adversary who is skilled, stealthy with operational security, and is willing to expend significant resources to maintain covert presence,' CISA said in the alert.

CISA said that once inside a network, the hackers seemed focused on gathering information, and would frequently target the emails of IT and security staff to monitor any countermeasures.

Without offering further details, the agency warned that the hackers used 'other initial access vectors beyond SolarWinds Orion,' meaning even groups that do not use the network software could be compromised.

Advertisement

How hackers used legitimate software updates as camouflage for the 'SUNBURST' attack

The U.S. Cybersecurity and Infrastructure Security Agency on Thursday released an alert detailing what it knows about the breach, which has been called the biggest in U.S. history.

CISA says that hackers were able to compromise the supply chain of network management software from SolarWinds, specifically recent versions of the SolarWinds Orion products. 

Beginning in March 2020, hackers used SolarWinds software updates to install a secret network backdoor, which authorities are calling SUNBURST.

The malicious code was signed by the legitimate SolarWinds code signing certificate. An estimated 18,000 customers downloaded the compromised updates.

Once installed on a network, the malware used a protocol designed to mimic legitimate SolarWinds traffic to communicate with a domain that has since been seized and shut down.

The initial contact domain would often direct the malware to a new internet protocol address for command and control. The attackers used rotating IPs and virtual private servers with IP addresses in the target's home country to make detection of the traffic more difficult.

'Taken together, these observed techniques indicate an adversary who is skilled, stealthy with operational security, and is willing to expend significant resources to maintain covert presence,' CISA said in the alert.

CISA said that once inside a network, the hackers seemed focused on gathering information, and would frequently target the emails of IT and security staff to monitor any countermeasures.

Without offering further details, the agency warned that the hackers used 'other initial access vectors beyond SolarWinds Orion,' meaning even groups that do not use the network software could be compromised.

The Department of Energy confirmed on Thursday that it was among those that had been hacked. 

The DOE and the National Nuclear Security Administration have begun to warn Congress that their breached networks may include the Los Alamos National Laboratory, which conducts the government's most sensitive and advanced nuclear research, Politico reported.

The FBI was scheduled to deliver a classified briefing to Congress on Friday and the House Homeland Security Committee has launched an investigation.

The Department of Justice, FBI and Defense Department, among others, have moved routine communication onto classified networks that are believed not to have been breached, according to two people briefed on the measures.

They are assuming that the non-classified networks have been accessed.

The government also warned that network software company SolarWinds was not the only breached technology vendor that the hackers used as an attack vector, meaning agencies and companies that do not use SolarWinds are now at risk too.

Another major tech supplier was also compromised by the same attackers and used to get into high-value final targets, according to two people briefed on the matter. 

DHS's Cybersecurity and Infrastructure Security Agency urged investigators not to assume their organizations were safe if they did not use recent versions of the SolarWinds software, while also pointing out that the hackers did not exploit every network they did gain access to.

Denial: Russia's president Vladimir Putin's government has said it is not behind the massive hack - but experts said its precision, cunning and expertise points directly to the Kremlin

Denial: Russia's president Vladimir Putin's government has said it is not behind the massive hack - but experts said its precision, cunning and expertise points directly to the Kremlin

'Cozy Bear': The Russian hacker cell suspected in attack 

Russia denies involvement in the SUNBURST attack, and US officials have not yet identified the nation they believe is behind the 'Advanced Persistent Threat' that carried out the audacious breach.

However, sources say that the top suspect is APT29, the Kremlin-linked group also known as Cozy Bear. 

Cozy Bear is best known as the group said to be responsible for the 2016 breach of the Democratic National Committee's servers.

Experts believe that Cozy Bear operates as part of one of Russia's intelligence agencies. 

As many as 18,000 SolarWinds customers downloaded the updates that contained a back door. Since the campaign was discovered, software companies have cut off communication from those back doors to the computers maintained by the hackers.

But the attackers might have installed additional ways of maintaining access in what some are calling the biggest cyber breach in at least a decade.

'This is a patient, well-resourced, and focused adversary that has sustained long duration activity on victim networks,' CISA said in an alert. 

CISA said it was continuing to analyze the other avenues used by the attackers. So far, the hackers are known to have at least monitored email or other data within the U.S. departments of Defense, State, Treasury, Homeland Security and Commerce. 

At the Pentagon the acting defense secretary Chris Miller - standing in after Mark Esper was fired by Donald Trump - acknowledged he was 'very concerned' and told CBS News: 'We have standard operating procedures in place that are very refined when an intrusion is noted, or a potential intrusion, so that we can monitor our networks.'

The most damaging revelation so far is that evidence of the attack was found in the networks of the Federal Energy Regulatory Commission, known as FERC, and the Office of Secure Transportation which is responsible for moving nuclear materials.

The U.S. has an estimated 5,800 nuclear warheads, some of which are on missiles and bombs ready for launch from submarines, airplanes and land-based missiles, while others are held in storage. Most however are in storage, retired, or being decommissioned. 

Their status is one of the government's most closely-guarded secrets, as are efforts to create new weapons, which are part of the Los Alamos National Laboratory's work. 

Another attack was found in a field office of the Energy Department in Richland, Washington state, which Politico reported could have been an effort to gather information on how to disrupt the national electricity grid. 

The Energy Department said in a statement that it initial investigation revealed that malware injected into its networks via a SolarWinds update has been found only on its business networks and has not affected national security operations. 

Members of the House and Senate were set to be briefed by the Energy Department on the breach, Politico reported.  

Closely-guarded secrets: The federal government does not provide information about the deployment or location of nuclear warheads so the possibility of Russia having access to that knowledge would be a major crisis

Closely-guarded secrets: The federal government does not provide information about the deployment or location of nuclear warheads so the possibility of Russia having access to that knowledge would be a major crisis

The dramatic escalation of the danger of the hack came as the federal government's computer safety agency warned it poses a 'grave' risk to government and private networks. 

The Cybersecurity and Infrastructure Security Agency said in its most detailed comments yet that the intrusion has compromised government agencies as well as 'critical infrastructure' in a sophisticated attack that was hard to detect and will be difficult to undo.

CISA did not say which agencies or infrastructure were breached or what information taken in an attack that it previously said appeared to have begun in March.    

'This threat actor has demonstrated sophistication and complex tradecraft in these intrusions,' the agency said in an unusual alert

'CISA expects that removing the threat actor from compromised environments will be highly complex and challenging.'

The agency previously said that the perpetrators had used network management software from Texas-based SolarWinds to infiltrate computer networks. Its new alert said the attackers may have used other methods as well.

The alert was issued after the former homeland security adviser to Donald Trump warned Thursday that a massive hack of federal computers may have put Russian spies in control of hundreds of government networks - and that nothing is being done to remove them.

The cybercriminals are almost certainly in the vast majority of the Fortune 500's computer networks and can steal secrets at will, he warned. 

Thomas Bossert, writing in the New York Times, said the attack, which experts say is almost certainly by Russian state hackers, was one of the worst imaginable threats to security and world stability and needed action by Trump and Joe Biden to prevent it causing catastrophe.

The one-time aide warned 'the magnitude of this ongoing attack is hard to overstate' and said it appeared that Russians could be 'in control' of hundreds of computer networks. 

Vladimir Putin's government has denied they are behind the hack but that has been discounted by other experts, who say that the scale and precision of the hack points directly to the Kremlin.

'It will take years to know for certain which networks the Russians control and which ones they just occupy,' he said.

'The logical conclusion is that we must act as if the Russian government has control of all the networks it has penetrated. But it is unclear what the Russians intend to do next. The access the Russians now enjoy could be used for far more than simply spying.'

Bossert warned that Russia could use the secrets it knows to sow division, spread disinformation, destroy or alter data and even impersonate real people.

Additionally, he warned, they probably have access to the networks of as many as 425 of the Fortune 500, America's largest companies.

The warning was echoed by Thomas Rid, a Johns Hopkins cyberconflict expert, who said the campaign's likely efficacy can be compared to Russia's three-year 1990s 'Moonlight Maze' hacking of U.S. government targets, including NASA and the Pentagon.

A U.S. investigation determined the height of the documents stolen - if printed out and piled up - would triple the height of the Washington Monument.

Russian attack: Thomas Bossert, who was Trump's national security adviser in 2017 and 2018, says that Vladimir Putin's cyber spies are lodged in hundreds of federal computer networks and those of many of the largest companies

Russian attack: Thomas Bossert, who was Trump's national security adviser in 2017 and 2018, says that Vladimir Putin's cyber spies are lodged in hundreds of federal computer networks and those of many of the largest companies

In this case 'several Washington Monument piles of documents that they took from different government agencies is probably a realistic estimate,' Rid said.

'How would they use that? They themselves most likely don't know yet.'

The Trump administration has not said which agencies were hacked. And so far no private-sector victims have come forward. 

Traditionally, defense contractors and telecommunications companies have been popular targets with state-backed cyber spies, Rid said.   

The suspected Russian cyber-attack on the US government remains 'ongoing' and may have hit as many as 12 federal agencies after a software breach allowed the hackers to read government emails for months. 

Security officials said that the attack was 'significant and ongoing' and said the FBI was working to 'pursue and disrupt' the hackers. 

The breach of SolarWinds software - used by federal agencies and major companies - was uncovered by a cyber security firm and government contractor called FireEye, which noticed a suspicious log-in on its network. 

According to Politico, FireEye representatives told lawmakers that an employee had apparently been duped into revealing his two-factor authentication details - although company officials denied the account given by congressional staffers. 

FireEye says a 'nation with top-tier offensive capabilities' was behind the attack, which inserted malicious code into a SolarWinds software update. 

As many as 18,000 customers are thought to have downloaded the corrupted update, affecting officials at the Treasury, State and Defense departments among others, it is believed. 

The hackers are feared to have had access to government emails as far back as June, although the full extent of the damage is not yet clear. 

FireEye says the hackers had 'primarily sought information related to certain government customers' who use the cyber security firm. 

The California-based firm says the attackers stole some of its 'red team' software which mimics cyber-attacks to test the security of its clients' computers. 

However, the foreign hackers eventually got caught after trying to register a new device on FireEye's systems, tipping the company off to the wider cyber-attack. 

According to the two aides reporting on the congressional hearing, a FireEye employee is said to have been tricked into away their login details. 

But the company denied this, saying that the SolarWinds attack, rather than a separate security breach, was the source of the intrusion into FireEye. 

The SolarWinds attack is thought to have begun in March and continued for months until federal officials were told to 'disconnect or power down' the software. 

The Pentagon (pictured) is thought to be one of a dozen victims of a cyber-attack which officials suspect was directed by the Russian governmentThe FBI (right) was targeted and has moved routine communication onto classified networks that are believed not to have been breached

The Pentagon and the FBI were targets. Both have moved routine communication onto classified networks that are believed not to have been breached, according to two people briefed on the measures.

On Wednesday the FBI, Cybersecurity and Infrastructure Security Agency and Office of the Director of National Intelligence said in a joint statement that the 'full extent' of the attack was still becoming clear. 

'This is a developing situation, and while we continue to work to understand the full extent of this campaign, we know this compromise has affected networks within the federal government,' they said. 

'As the lead for threat response, the FBI is investigating and gathering intelligence in order to attribute, pursue, and disrupt the responsible threat actors. 

'The FBI is engaging with known and suspected victims, and information gained through FBI's efforts will provide indicators to network defenders and intelligence to our government partners to enable further action. 

'As the lead for intelligence support and related activities, ODNI is helping to marshal all of the intelligence community's relevant resources to support this effort and share information across the United States Government.'   

The agencies have created a coordination unit and emergency talks are being held at the White House on a daily basis to discuss the government's response.

US national security adviser Robert O'Brien cut short a trip to the Middle East and Europe this week to deal with the fallout from the hack. 

SolarWinds and FireEye have both pointed the finger at hackers linked to the Russian government. 

Mike Pompeo also pointed to Moscow on Monday, saying the Russian government had made repeated attempts to breach US government networks.

MYSTERY SECOND TECH SUPPLIER WAS HACKED TOO - PUTTING EVEN MORE AT RISK OF HAVING SECRETS HARVESTED BY PUTIN 

The massive hacking campaign disclosed by U.S. officials this week and tentatively attributed to the Russian government extended beyond users of pervasive network software that had been compromised.

Another major technology supplier was also compromised by the same attack team and used to get into high-value final targets, according to two people briefed on the matter.

The FBI and other agencies have scheduled a classified briefing for members of Congress Friday.

The Department of Homeland Security said in a bulletin on Thursday the spies had used other techniques besides corrupting updates of network management software by SolarWinds, which is used by hundreds of thousands of companies and government agencies.

'The SolarWinds Orion supply chain compromise is not the only initial infection vector this APT actor leveraged,' said DHS's Cybersecurity and Infrastructure Security Agency, referring to 'advanced persistent threat' adversaries.

The hack is so serious it led to a National Security Council meeting at the White House on Saturday, said one of the people familiar with the matter (stock image)

The hack is so serious it led to a National Security Council meeting at the White House on Saturday, said one of the people familiar with the matter (stock image)

CISA urged investigators not to assume their organizations were safe if they did not use recent versions of the SolarWinds software, while also pointing out that the hackers did not exploit every network they did gain access too.

CISA said it was continuing to analyze the other avenues used by the attackers. 

As many as 18,000 Orion customers downloaded the updates that contained a back door. Since the campaign was discovered, software companies have cut off communication from those back doors to the computers maintained by the hackers.

But the attackers might have installed additional ways of maintaining access in what some have called the biggest hack in a decade.

For that reason, officials said that security teams should communicate through special channels to ensure that their own detection and remediation efforts are not being monitored.

CISA and private companies including FireEye, which was the first to discover and reveal it had been hacked, have released a series of clues for organizations to look for to see if they have been hit.

But the attackers are very careful and have deleted logs, or electronic footprints or which files they have accessed. That makes it hard to know what has been taken.

Some major companies have issued carefully worded statements saying that they have 'no evidence' that they were penetrated, but in some cases that may only be because the evidence was removed.

In most networks, the attackers would also have been able to create false data, but so far it appears they were interested only in obtaining real data, people tracking the probes said.

Meanwhile, members of Congress are demanding more information about what may have been taken and how, along with who was behind it. The House Homeland Security Committee and Oversight Committee announced an investigation Thursday, while senators pressed to learn whether individual tax information was obtained.

In a statement, President-elect Joe Biden said he would 'elevate cybersecurity as an imperative across the government' and 'disrupt and deter our adversaries' from undertaking such major hacks. 

Popular posts from this blog

Study Abroad USA, College of Charleston, Popular Courses, Alumni

Thinking for Study Abroad USA. School of Charleston, the wonderful grounds is situated in the actual middle of a verifiable city - Charleston. Get snatched up by the wonderful and customary engineering, beautiful pathways, or look at the advanced steel and glass building which houses the School of Business. The grounds additionally gives students simple admittance to a few major tech organizations like Amazon's CreateSpace, Google, TwitPic, and so on. The school offers students nearby as well as off-grounds convenience going from completely outfitted home lobbies to memorable homes. It is prepared to offer different types of assistance and facilities like clubs, associations, sporting exercises, support administrations, etc. To put it plainly, the school grounds is rising with energy and there will never be a dull second for students at the College of Charleston. Concentrate on Abroad USA is improving and remunerating for your future. The energetic grounds likewise houses various

Best MBA Online Colleges in the USA

“Opportunities never open, instead we create them for us”. Beginning with this amazing saying, let’s unbox today’s knowledge. Love Business and marketing? Want to make a high-paid career in business administration? Well, if yes, then mate, we have got you something amazing to do!   We all imagine an effortless future with a cozy house and a laptop. Well, well! You can make this happen. Today, with this guide, we will be exploring some of the top-notch online MBA universities and institutes in the USA. Let’s get started! Why learn Online MBA from the USA? Access to More Options This online era has given a second chance to children who want to reflect on their careers while managing their hectic schedules. In this, the internet has played a very crucial in rejuvenating schools, institutes, and colleges to give the best education to students across the globe. Graduating with Less Debt Regular classes from high reputed institutes often charge heavy tuition fees. However onl

Sickening moment maskless 'Karen' COUGHS in the face of grocery store customer, then claims she doesn't have to wear a mask because she 'isn't sick'

A woman was captured on camera following a customer through a supermarket as she coughs on her after claiming she does not need a mask because she is not sick.  Video of the incident, which has garnered hundreds of thousands of views on Twitter alone, allegedly took place in a Su per Saver in Lincoln, Nebraska according to Twitter user @davenewworld_2. In it, an unidentified woman was captured dramatically coughing as she smiles saying 'Excuse me! I'm coming through' in the direction of the customer recording her. Scroll down for video An unidentified woman was captured dramatically coughing as she smiles saying 'Excuse me! I'm coming through' in the direction of a woman recording her A woman was captured on camera following a customer as she coughs on her in a supermarket without a mask on claiming she does not need one because she is not sick @chaiteabugz #karen #covid #karens #karensgonewild #karensalert #masks we were just wearing a mask at the store. ¿ o