Massive Hack Roundup: Attorney General Pins Intrusion on Russia

Photo: Attorney General William Barr (Michael Reynolds/Pool via AP)

Attorney General William Barr is the latest government official to join those blaming Russian actors for the sweeping breach that has rocked public and private information systems, including those of several federal agencies.   

Cybersecurity firm FireEye was the first victim to report it had been compromised by what CEO Kevin Mandia described as “a nation with top-tier offensive capabilities,” and while FireEye did not publicly make the Russia connection, The Washington Post and Reuters cited anonymous U.S. officials who did. Since then, several members of Congress and Secretary of State Mike Pompeo have expressed certainty about Russia’s involvement, and President-elect Joe Biden’s team is reportedly considering ways to retaliate.

"This was a very significant effort, and I think it’s the case that now we can say pretty clearly that it was the Russians that engaged in this activity," Pompeo told a radio show host on Friday.  

But attributing cyber incidents is fraught with political implications, as demonstrated by tweets from President Donald Trump Saturday.

“The Cyber Hack is far greater in the Fake News Media than in actuality,” Trump wrote, tagging Pompeo and Director of National Intelligence John Ratcliffe. “I have been fully briefed and everything is well under control. Russia, Russia, Russia is the priority chant when anything happens because Lamestream is, for mostly financial reasons, petrified of discussing the possibility that it may be China (it may!)”

On Monday, Barr, who already had submitted his resignation and is set to leave office on Wednesday, weighed in.  

“From the information I have, you know, I agree with Secretary Pompeo’s assessment,” Barr said, responding to a question about the hack during an unrelated press conference. “It certainly appears to be the Russians, but I’m not going to discuss it beyond that.”

Former Cybersecurity and Infrastructure Security Agency Director Christopher Krebs also pointed to Russia Monday on NPR’s Morning Edition and highlighted a specific unit, which U.S. intelligence officials have connected to previous high-profile breaches.

“What I understand, it is in fact the Russians,” Krebs said. “It's the Russian SVR, which is their foreign intelligence service. They are really the best of the best out there. They're a top-flight cyber intelligence team, and they used some very sophisticated techniques to really find the seams in our cyber defenses here in the United States and seem to be quite successful in penetrating some very sensitive places.”

A week after the Treasury Department was named in press reports as a breached agency, Treasury Secretary Steven Mnuchin on Monday confirmed the department’s unclassified systems were affected “as a result of some third-party software.” Investigators are working to determine the full scope of the breach and the level of access the perpetrators might still have to sensitive information. “I will say the good news is there’s been no damage, nor have we seen any large amounts of information displaced,” he said on CNBC’s “Squawk on the Street.”

A Defense Department spokesperson reiterated to Nextgov in an email that the Pentagon has found no evidence of compromise but confirmed the agency was exposed to the malware.

“DOD was exposed to the malware but there is no evidence that the exposure has resulted in a compromise of data or systems,” Russell Goemaere, the DOD spokesperson, said. “We will continue to assess our DOD Information Network for indicators of compromise and take targeted actions to protect our systems beyond the defensive measures we employ each day. We will continue to work with the whole-of-government effort to mitigate cyber threats to the nation.”

Over the weekend, CISA issued supplemental guidance for the emergency directive ordering agencies to disconnect the SolarWinds Orion product. The new material includes more on indicators of compromise, mitigation measures, and information on using third-party service providers, including FedRAMP Authorized cloud service providers.

In response to frequently asked questions, the agency also defined “disconnect”: “By 'disconnected' we mean disconnected from the network and powered on if the agency has the capability- or is seeking a capable service provider- to collect forensics images (system memory, host storage, network) off of the host or virtual machine, or disconnected from the network and powered off if there is no such capability.”

Agencies should not install patches for Orion software, but the supplemental guidance states CISA is reviewing that stance.

The National Security Agency on Thursday issued an advisory on malicious actors abusing authentication mechanisms to access cloud resources. The new advisory builds on one it issued on Dec. 7 regarding a vulnerability in VMware access and identity management products. Russian state-sponsored actors were exploiting that vulnerability and were able to access protected data through remote workspace platforms, the NSA said.

“The recent SolarWinds Orion code compromise is one serious example of how on-premises systems can be compromised, leading to abuse of federated authentication and malicious cloud access,” according to an NSA press release.

To mitigate the exploitation of authentication mechanisms, NSA made recommendations specific to Microsoft Azure, while noting that the direction can mostly be adjusted for all cloud vendors.

The agency listed four chief mitigation activities, with specific instructions for each: hardening Azure’s authentication and authorization configuration, hardening on-premises systems, detecting, and considering the use of Azure Active Directory as the authoritative identity provider.
