Pentagon Not Compromised by SolarWinds, Microsoft Exchange Hacks, Official Says


The official urged continued patching of on-premises Microsoft Exchange servers.

The Department of Defense has seen no indication of compromise from the cyber intrusions involving SolarWinds software or on-premises Microsoft Exchange servers, DOD Senior Information Security Officer David McKeown told senators.

McKeown testified along with National Security Agency Cybersecurity Directorate Director Rob Joyce and Senior Military Advisor for Cyber Policy to the Under Secretary of Defense for Policy Rear Adm. William Chase III before the Senate Armed Services’ subcommittee on cybersecurity Wednesday.

“Senator, that’s correct,” McKeown said when Sen. Richard Blumenthal, D-Conn., asked him to confirm an understanding that the DOD had concluded there was no compromise from either of the major hacking campaigns. 

After cybersecurity firm FireEye first disclosed that IT management company SolarWinds had inadvertently shipped a trojanized update to its customers, carrying malware that gave the adversary a back door for command and control of the affected systems, The New York Times reported that the Pentagon was among the agencies "infiltrated."

McKeown said the department counted how many of its SolarWinds instances carried the trojanized update and found that 560 of a total of 1,500 instances "did have the back door." Having the back door installed, however, is not the same as having been compromised through it. "We looked through all of our sensors. We found no indications of compromise, and in a few instances we sent out hunt teams to do a more thorough examination to make sure, and to date, no compromise," he said.

The same thing applied to the hack of on-premises Microsoft Exchange servers, McKeown said. 

“We quickly enumerated that, focusing on those servers that were public-facing, there were very few that were, but we quickly patched those and found no indicators of compromise,” McKeown said. 

Asked whether U.S. systems were still susceptible after the SolarWinds compromise, McKeown said subsequent attacks through the trojanized software are unlikely to succeed even where it has not been patched. That is not the case with the Microsoft Exchange incident, he said, referring to the campaign perpetrated by the group Microsoft calls Hafnium.

“As far as SolarWinds goes all of the capability to beacon out to their command and control system has been severed,” he said. “So, even if that is vulnerable at this time, it is unlikely that that attack would be successful, but definitely, on the Hafnium, patching needs to continue.”
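The distinction McKeown draws, between an instance that has the back door installed and one that shows an indicator of compromise, and between a beacon sent before and after the command-and-control infrastructure was severed, is the core of the triage a defender runs over an inventory and DNS telemetry. The script below is an added example written for this article; it is not DOD code and not from the article. The build strings, host names, log lines and the C2 domain suffix are all constructed placeholders (the suffix deliberately uses the reserved `.invalid` TLD rather than any real indicator), and the severance timestamp is an assumption standing in for whenever the real C2 was cut off.

```python
"""Triage backdoored-software inventory against beacon telemetry.

Added example, not from the article or from DOD. It models three cases
McKeown describes: a host that carries the back door but never beaconed
(patch), a host that beaconed while the C2 was live (send a hunt team),
and a host whose beacon attempts came only after the C2 was severed
(unlikely to have succeeded, still patch).
"""
from datetime import datetime, timezone

# Constructed placeholders: builds treated as trojanized and the domain
# suffix the implant beacons to. Neither is a real indicator of compromise.
BACKDOORED_BUILDS = {"2020.2.1-HF1", "2019.4-HF5"}
C2_DOMAIN_SUFFIX = ".c2-placeholder.invalid"

# Assumption: the moment the C2 infrastructure was severed. A beacon after
# this point reaches nothing the adversary controls.
C2_SEVERED_AT = datetime(2020, 12, 16, 0, 0, tzinfo=timezone.utc)

# Constructed inventory: host -> installed build.
INVENTORY = {
    "orion-01": "2020.2.1-HF1",
    "orion-02": "2020.2.1-HF2",
    "orion-03": "2019.4-HF5",
    "orion-04": "2019.4-HF5",
}

# Constructed resolver log: "<ISO-8601 UTC timestamp> <host> query <type> <name>".
DNS_LOG = """\
2020-12-14T03:12:55Z orion-01 query A abc123.appsync-api.eu-west-1.c2-placeholder.invalid
2020-12-14T03:13:02Z orion-02 query A updates.example.com
2020-12-14T03:15:40Z orion-03 query A ntp.example.com
2020-12-17T09:00:11Z orion-04 query A def456.appsync-api.us-east-1.c2-placeholder.invalid
"""


def parse_beacons(log_text, c2_suffix=C2_DOMAIN_SUFFIX):
    """Return {host: [timestamps]} for queries whose name ends in the C2 suffix."""
    beacons = {}
    for line in log_text.splitlines():
        parts = line.split()
        # Skip malformed lines and anything that is not a query record.
        if len(parts) != 5 or parts[2] != "query":
            continue
        ts_raw, host, _, _, name = parts
        if not name.lower().endswith(c2_suffix):
            continue
        # datetime.fromisoformat accepts "+00:00" on all supported Pythons;
        # the trailing "Z" only on 3.11+, so normalise it.
        ts = datetime.fromisoformat(ts_raw.replace("Z", "+00:00"))
        beacons.setdefault(host, []).append(ts)
    return beacons


def triage(inventory, log_text, backdoored=BACKDOORED_BUILDS,
           c2_suffix=C2_DOMAIN_SUFFIX, severed_at=C2_SEVERED_AT):
    """Map each host to a verdict: clean, patch-no-ioc, hunt,
    patch-c2-severed, or hunt-inventory-mismatch."""
    beacons = parse_beacons(log_text, c2_suffix)
    verdicts = {}
    for host, build in inventory.items():
        has_backdoor = build in backdoored
        times = beacons.get(host, [])
        if not has_backdoor and not times:
            verdicts[host] = "clean"
        elif not has_backdoor:
            # A beacon from a build not on the list means the inventory is
            # stale or wrong; treat it as a hunt, not a false positive.
            verdicts[host] = "hunt-inventory-mismatch"
        elif any(t < severed_at for t in times):
            # Back door present and it talked to a live C2: real IOC.
            verdicts[host] = "hunt"
        elif times:
            # Back door present, but every beacon came after the C2 was cut.
            verdicts[host] = "patch-c2-severed"
        else:
            # Back door present, no beacon observed: exposure, not compromise.
            verdicts[host] = "patch-no-ioc"
    return verdicts


if __name__ == "__main__":
    for host, verdict in sorted(triage(INVENTORY, DNS_LOG).items()):
        print(f"{host}: {verdict}")
```

The verdicts separate the 560-style count of hosts that merely have the back door from the much smaller set that warrants a hunt team, and they make explicit why an unpatched host whose only beacons post-date the severance is lower priority than an unpatched Exchange server, where no such severance applies.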