The Hack Roundup: USDA Denies Data Breach at Payroll Facility 

Here are the news and updates you may have missed.

The U.S. Department of Agriculture has found “no evidence” of a data breach at a payroll processing center but is investigating, a spokesperson said in response to news reports to the contrary.

Reuters first reported on Tuesday that the department’s National Finance Center, which runs a payroll system serving over 600,000 federal employees across 160 agencies, was penetrated by suspected Chinese hackers exploiting a flaw in SolarWinds’ software.

The intrusion is separate from earlier reports in December associated with a trojanized update SolarWinds distributed to about 18,000 of its customers, according to Reuters. In response to that hacking campaign, which a number of agencies acknowledged they were affected by, the Cybersecurity and Infrastructure Security Agency directed all agencies to remove certain SolarWinds products from their systems. Government officials have since publicly said Russia is likely behind that event, along with the abuse of authentication configurations in Microsoft’s Office 365 cloud service.

“In compliance with CISA’s emergency directive and to protect USDA systems, USDA notified customers in December that it had removed SolarWinds Orion products from its networks due to the SolarWinds compromise,” the USDA spokesperson told Nextgov. “While we continue to look into it, we have no evidence of a data breach of the USDA National Finance Center.”

SolarWinds told Reuters the company issued a patch in December for the flaw reportedly exploited by the Chinese actors. The company said it is aware of one instance where the bug enabled hackers to spread across an entity’s network, but that it is unclear how they gained initial access.

A USDA spokesperson initially acknowledged a breach of the department’s systems in the Reuters article, which has since been updated to reflect USDA’s denial of the incident.

Security researchers at the cybersecurity firm Trustwave on Wednesday revealed three other severe vulnerabilities in SolarWinds products. None are known to have been exploited in the wild, and SolarWinds released patches for them in a very timely manner, Trustwave said.

The Wall Street Journal on Tuesday reported hackers were present and undetected in SolarWinds’ email service—Microsoft Office 365—for at least nine months, according to SolarWinds CEO Sudhakar Ramakrishna. SolarWinds’ investigation over the last eight weeks showed hackers had accessed at least one of the company’s Office 365 accounts back in December of 2019, and made their way around the network from there, according to the report. 

The National Institute of Standards and Technology on Tuesday released a long-awaited tool for defending against nation-state actors.  

“Cyberattacks are conducted with silent weapons, and in some situations those weapons are undetectable,” Ron Ross, NIST fellow and chief architect of information security standards for the federal government, said. “Because you may not ‘feel’ the direct effects of the next hack yet, you may think it is coming someday down the road; but in reality, it’s happening right now.” 

The tool is the final version of a draft supplement to NIST Special Publication 800-171, which is at the core of the Defense Department’s new Cybersecurity Maturity Model Certification standard. 

“SolarWinds tells us that adversaries are capable of executing complex attacks that are difficult to detect even by the most sophisticated systems,” Robert Metzger, co-chair of the cybersecurity and privacy practice group at the firm Rogers Joseph O’Donnell, told Nextgov, in reaction to the NIST news.

NIST said the enhanced security requirements should be implemented in addition to those in SP 800-171, since that publication is not designed to address advanced persistent threats. The enhanced requirements call for “dual authorization” under access control, for example, while the basic requirements say to “limit system access to authorized users.” 

Metzger said now that the supplement—SP 800-172—is out, CMMC officials can start in earnest determining how to assess contractors that require higher-level certifications through the program in order to effectively protect against advanced persistent threats.

Aaron Boyd contributed to this report.