Massive Hack Roundup: Attorney General Pins Intrusion on Russia

Attorney General William Barr (Michael Reynolds/Pool via AP)

Attorney General William Barr is the latest government official to join those blaming Russian actors for the sweeping breach that has rocked public and private information systems, including those of several federal agencies.   

Cybersecurity firm FireEye was the first victim to report it had been compromised by what CEO Kevin Mandia described as “a nation with top-tier offensive capabilities,” and while FireEye did not publicly make the Russia connection, The Washington Post and Reuters cited anonymous U.S. officials who did. Since then, several members of Congress and Secretary of State Mike Pompeo have expressed certainty about Russia’s involvement, and President-elect Joe Biden’s team is reportedly considering ways to retaliate.

"This was a very significant effort, and I think it’s the case that now we can say pretty clearly that it was the Russians that engaged in this activity," Pompeo told a radio show host on Friday.  

But attributing cyber incidents is fraught with political implications, as demonstrated by tweets from President Donald Trump on Saturday.

“The Cyber Hack is far greater in the Fake News Media than in actuality,” Trump wrote, tagging Pompeo and Director of National Intelligence John Ratcliffe. “I have been fully briefed and everything is well under control. Russia, Russia, Russia is the priority chant when anything happens because Lamestream is, for mostly financial reasons, petrified of discussing the possibility that it may be China (it may!)”

On Monday, Barr, who already had submitted his resignation and is set to leave office on Wednesday, weighed in.  

“From the information I have, you know, I agree with Secretary Pompeo’s assessment,” Barr said, responding to a question about the hack during an unrelated press conference. “It certainly appears to be the Russians, but I’m not going to discuss it beyond that.”

Former Cybersecurity and Infrastructure Security Agency Director Christopher Krebs also pointed to Russia Monday on NPR’s Morning Edition and highlighted a specific unit, which U.S. intelligence officials have connected to previous high-profile breaches.

“What I understand, it is in fact the Russians,” Krebs said. “It's the Russian SVR, which is their foreign intelligence service. They are really the best of the best out there. They're a top-flight cyber intelligence team, and they used some very sophisticated techniques to really find the seams in our cyber defenses here in the United States and seem to be quite successful in penetrating some very sensitive places.”

A week after the Treasury Department was named in press reports as a breached agency, Treasury Secretary Steven Mnuchin on Monday confirmed the department’s unclassified systems were affected “as a result of some third-party software.” Investigators are working to determine the full scope of the breach and the level of access the perpetrators might still have to sensitive information. “I will say the good news is there’s been no damage, nor have we seen any large amounts of information displaced,” he said on CNBC’s “Squawk on the Street.”

A Defense Department spokesperson reiterated to Nextgov in an email that the Pentagon has found no evidence of compromise but confirmed the agency was exposed to the malware.

“DOD was exposed to the malware but there is no evidence that the exposure has resulted in a compromise of data or systems,” Russell Goemaere, the DOD spokesperson, said. “We will continue to assess our DOD Information Network for indicators of compromise and take targeted actions to protect our systems beyond the defensive measures we employ each day. We will continue to work with the whole-of-government effort to mitigate cyber threats to the nation.”

Over the weekend, CISA issued supplemental guidance for the emergency directive ordering agencies to disconnect the SolarWinds Orion product. The new material includes more on indicators of compromise, mitigation measures, and information on using third-party service providers, including FedRAMP Authorized cloud service providers.

In response to frequently asked questions, the agency also defined “disconnect”: “By 'disconnected' we mean disconnected from the network and powered on if the agency has the capability- or is seeking a capable service provider- to collect forensics images (system memory, host storage, network) off of the host or virtual machine, or disconnected from the network and powered off if there is no such capability.”

Agencies should not install patches for Orion software, but the supplemental guidance states CISA is reviewing that stance.

The National Security Agency on Thursday issued an advisory on malicious actors abusing authentication mechanisms to access cloud resources. The new advisory builds on one it issued on Dec. 7 regarding a vulnerability in VMware access and identity management products. Russian state-sponsored actors were exploiting that vulnerability and were able to access protected data through remote workspace platforms, the NSA said.

“The recent SolarWinds Orion code compromise is one serious example of how on-premises systems can be compromised, leading to abuse of federated authentication and malicious cloud access,” according to an NSA press release.

To mitigate exploitation of authentication mechanisms, NSA made recommendations specific to Microsoft Azure, while noting that the direction can mostly be adapted for other cloud vendors.

The agency listed four chief mitigation activities, with specific instructions for each: hardening Azure’s authentication and authorization configuration, hardening on-premises systems, detecting abuse, and considering the use of Azure Active Directory as the authoritative identity provider.
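The “detecting” activity is named on this page but not described, so the following is an added example rather than NSA’s guidance or any vendor’s tooling. It shows one correlation check a defender can run when on-premises federation is the path into the cloud: every federated sign-in accepted by the cloud identity provider should line up with a token issuance recorded on the on-premises federation server, should carry the issuer the organization actually operates, and should not be valid for far longer than policy allows. The log schema, the field names, the issuer URL, the one-hour lifetime policy and the five-minute correlation window are all assumptions chosen for the example; real Azure AD sign-in logs and on-premises federation event logs use different field names and would need to be normalized first.

```python
"""Correlate cloud federated sign-ins with on-premises token issuance (added example).

Assumed, simplified schema: each on-prem STS issuance record and each cloud
sign-in record carries a user and a token_id that can be matched. Real logs
differ and must be normalized into this shape before use.
"""
from datetime import datetime, timedelta
from typing import Dict, List

# Hypothetical on-premises federation server identity and policy values.
EXPECTED_ISSUER = "http://sts.example.test/adfs/services/trust"
MAX_TOKEN_LIFETIME = timedelta(hours=1)    # assumed organizational policy
CORRELATION_WINDOW = timedelta(minutes=5)  # assumed max gap: issuance -> cloud use

# Constructed sample records (not real log data).
STS_ISSUANCES: List[Dict[str, str]] = [
    {"time": "2020-12-18T09:00:00", "user": "alice@example.test", "token_id": "tok-001"},
    {"time": "2020-12-18T09:30:00", "user": "bob@example.test", "token_id": "tok-002"},
]

CLOUD_SIGNINS: List[Dict[str, str]] = [
    # Normal: matches an STS issuance, expected issuer, one-hour validity.
    {"time": "2020-12-18T09:00:20", "user": "alice@example.test", "token_id": "tok-001",
     "issuer": EXPECTED_ISSUER,
     "not_before": "2020-12-18T09:00:00", "expires": "2020-12-18T10:00:00"},
    # Token the on-prem STS never recorded issuing: minted somewhere else.
    {"time": "2020-12-18T11:00:00", "user": "carol@example.test", "token_id": "tok-999",
     "issuer": EXPECTED_ISSUER,
     "not_before": "2020-12-18T11:00:00", "expires": "2020-12-18T12:00:00"},
    # Issued by the STS, but valid for 24 hours instead of the policy's one hour.
    {"time": "2020-12-18T09:30:10", "user": "bob@example.test", "token_id": "tok-002",
     "issuer": EXPECTED_ISSUER,
     "not_before": "2020-12-18T09:30:00", "expires": "2020-12-19T09:30:00"},
    # Issuer claim does not name the organization's STS at all.
    {"time": "2020-12-18T12:00:00", "user": "dave@example.test", "token_id": "tok-003",
     "issuer": "http://sts.unexpected.test/adfs/services/trust",
     "not_before": "2020-12-18T12:00:00", "expires": "2020-12-18T13:00:00"},
]


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def detect_federated_auth_anomalies(cloud_signins, sts_issuances,
                                    expected_issuer=EXPECTED_ISSUER,
                                    max_lifetime=MAX_TOKEN_LIFETIME,
                                    window=CORRELATION_WINDOW) -> List[Dict[str, str]]:
    """Return one finding per rule violation; an empty list means nothing flagged."""
    issued_at = {(e["user"], e["token_id"]): _ts(e["time"]) for e in sts_issuances}
    findings = []
    for s in cloud_signins:
        used_at = _ts(s["time"])
        base = {"user": s["user"], "token_id": s["token_id"], "time": s["time"]}

        # Rule 1: the issuer claim must be the STS the organization operates.
        if s["issuer"] != expected_issuer:
            findings.append({**base, "rule": "unexpected_issuer"})

        # Rule 2: the on-prem STS must have logged issuing this token shortly
        # before the cloud accepted it; otherwise the token was minted elsewhere.
        when = issued_at.get((s["user"], s["token_id"]))
        if when is None or not (timedelta(0) <= used_at - when <= window):
            findings.append({**base, "rule": "no_matching_sts_issuance"})

        # Rule 3: validity far beyond policy is a classic sign of a hand-made token.
        if _ts(s["expires"]) - _ts(s["not_before"]) > max_lifetime:
            findings.append({**base, "rule": "excessive_token_lifetime"})
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per rule for a quick triage view."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    results = detect_federated_auth_anomalies(CLOUD_SIGNINS, STS_ISSUANCES)
    for f in results:
        print(f"{f['time']} {f['user']} {f['token_id']}: {f['rule']}")
    print(summarize(results))
```

The point of rule 2 is the one that matters most for the scenario the advisory describes: a token forged with a stolen federation signing key is cryptographically valid, so the cloud side alone cannot tell it apart, but the on-premises server that should have issued it has no record of doing so. This only works if the on-premises federation server’s issuance logs are retained somewhere the attacker cannot edit, which is itself one of the “hardening on-premises systems” tasks.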