Hackers Break Into the US Treasury, Nuclear Agency, Microsoft, and 18,000 Companies

Mish

Sophisticated hackers broke into numerous government agencies and at least 18,000 US companies.

Sophisticated Cyberattacks

News of the hack broke on December 8 with the report U.S. Cyber Firm FireEye Says It Was Breached by Nation-State Hackers.

FireEye said the attack compromised its software tools used to test the defenses of its thousands of customers.

This week we learn the hack did not start with FireEye but rather with SolarWinds, a trusted US security firm. The breach happened at least four years ago!

It was discovered only because of due diligence by a FireEye employee who took time to investigate an automated message regarding a login from an unknown device. 

That's the type of automated message routinely discarded by almost everyone.

The suspected Russian hack involving SolarWinds compromised parts of the U.S. government. The scale surprised even veteran security experts.

Hack Suggests New Scope, Sophistication for Cyberattacks

The Wall Street Journal reports Hack Suggests New Scope, Sophistication for Cyberattacks.

As the probe continues into the massive hack—which cast a nearly invisible net across 18,000 companies and government agencies—security specialists are uncovering new evidence that indicates the operation is part of a broader, previously undetected cyber espionage campaign that may stretch back years.

The attack blended extraordinarily stealthy tradecraft, using cyber tools never before seen in a previous attack, with a strategy that zeroed in on a weak link in the software supply chain that all U.S. businesses and government institutions rely on—an approach security experts have long feared but one that has never been used on U.S. targets in such a concerted way.

Most devastatingly, they sneaked their malicious code into the legitimate software of a trusted software maker—an Austin-based company called SolarWinds Corp. and its software called Orion.

FireEye put more than 100 cyber sleuths on the job out of its roughly 3,400 total staff. Trained to investigate breaches at other companies, they now found themselves scouring the company’s own networks.

Security Breaches

  • US Treasury
  • Energy Department
  • Department of Homeland Security
  • State Department
  • At least 18,000 corporations who downloaded SolarWinds updates
  • While 80% of the victim companies were based in the U.S., Microsoft said that targets were also hit in the U.K., Canada, Mexico, Belgium, Spain, Israel and the United Arab Emirates.

New Techniques

Among the worrying signs, the attacker seemed to have an understanding of the red flags that typically help companies like FireEye find intrusions, and they navigated around them: They used computer infrastructure entirely located in the U.S.; and they gave their systems the same names used by real FireEye employee systems, an unusually adept tactic designed to further conceal the hackers’ presence.

Once they noticed suspicious activity emanating from SolarWinds’ Orion product, the company’s malware analysts scoured some 50,000 lines of code in search for “a needle in a stack of needles,” Mr. Carmakal said, eventually spotting a few dozen lines of suspicious code that didn’t appear to have any reason to be there. Further analysis confirmed it as the source of the hack.

The Unknown

“It’s very broad in scope, and potentially very damaging to our economic security,” said J. Michael Daniel, chief executive of the Cyber Threat Alliance, an industry information-sharing group, and the former White House cybersecurity coordinator in the Obama administration. “It’s going to take a long time to figure out the full scope and extent of the damage, and it’s probably going to cost a lot of money to fix.” 

How the hackers gained access to SolarWinds systems to introduce the malicious code is still uncertain. The company said that its Microsoft email accounts had been compromised and that this access may have been used to glean more data from the company’s Office productivity tools.

Inside the Hack

[Image: Inside the Hack]

The above image is from SolarWinds.

Microsoft and the US Nuclear Agency Exposed

Bloomberg reports Hackers Tied to Russia Hit Nuclear Agency; Microsoft Is Exposed.

The U.S. nuclear weapons agency and at least three states were hacked as part of a suspected Russian cyber-attack that struck a number of federal government agencies, according to people with knowledge of the matter, indicating widening reach of one of the biggest cybersecurity breaches in recent memory.  

The Energy Department and its National Nuclear Security Administration, which maintains America’s nuclear stockpile, were targeted as part of the larger attack, according to a person familiar with the matter. An ongoing investigation has found the hack didn’t affect “mission-essential national security functions,” Shaylyn Hynes, a Department of Energy spokeswoman, said in a statement.

“At this point, the investigation has found that the malware has been isolated to business networks only,” Hynes said. The hack of the nuclear agency was reported earlier by Politico.

Microsoft spokesman Frank Shaw said the company had found malicious code “in our environment, which we isolated and removed.”

President-elect Joe Biden issued a statement Thursday on “what appears to be a massive cybersecurity breach affecting potentially thousands of victims, including U.S. companies and federal government entities.”

“I want to be clear: My administration will make cybersecurity a top priority at every level of government -- and we will make dealing with this breach a top priority from the moment we take office,” Biden said, pledging to impose “substantial costs on those responsible for such malicious attacks.”

In the email notice, Bloomberg commented "President Donald Trump, who has been reluctant to criticize Russia or President Vladimir Putin throughout his four years in office, has said nothing."

Wow. 

What a pox on the Department of Homeland Security and the US National Security Agency.

Congrats to the FireEye employee who decided to investigate an automated message. 

Mish

Comments (146)
Sechel

Trump fired the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) first and only director, and while the hack began under his watch Trump hasn't acted to replace him nor shown that he valued the role. If anything Trump's distrust of career officials and the deep state took priority over safeguarding national security.

Trump has been silent on this matter as well. He's made no public statements and valued a personal relationship with Putin that has never advanced any American interest.

The timing could not be worse. John Ratcliffe is holding up a report on national security to Congress because it's too hard on Russia and not hard enough on China. Nobody in the administration seems to get the irony. Previous intelligence officials who have testified to Congress have said that while both China and Russia pose threats, Russia is the larger one when it comes to hacking and espionage.

Sechel

U.S. failed to follow its own recommendations

The answer is part Russian skill, part federal government blind spot.

The Russians, whose operation was discovered this month by a cybersecurity firm that they hacked, were good. After initiating the hacks by corrupting patches of widely used network monitoring software, the hackers hid well, wiped away their tracks and communicated through IP addresses in the United States rather than ones in, say, Moscow, to minimize suspicions. The hackers also used novel bits of malicious code that apparently evaded the U.S. government’s multibillion-dollar detection system, Einstein, which focuses on finding new uses of known malware and detecting connections to parts of the Internet used in previous hacks.

But Einstein, operated by the Department of Homeland Security (DHS), was not equipped to find novel malware or Internet connections, despite a 2018 report from the Government Accountability Office suggesting that building such capability might be a wise investment. Some private cybersecurity firms do this type of “hunting” for suspicious communications — maybe an IP address to which a server has never before connected — but Einstein does not.

“DHS spent billions of taxpayer dollars on cyber defenses and all it got in return was a lemon with a catchy name,” said Sen. Ron Wyden, D-Ore., a member of the Senate Intelligence Committee. “Despite warnings by government watchdogs, this administration failed to promptly deploy technology necessary to identify suspicious traffic and catch hackers using new tools and new servers.”
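Added example, not code from the post or from the articles it quotes: the same first-seen logic covers both the login-from-an-unknown-device alert that the FireEye employee investigated and the "IP address to which a server has never before connected" hunting contrasted with Einstein's known-indicator matching above. Log lines, hostnames, user names and the known-bad list are constructed; the baseline cutoff date is an assumption.

```python
"""First-seen hunting versus known-indicator matching.

Added example (not from the post or the quoted articles). The log lines
and the indicator list below are constructed for illustration.
"""
from collections import defaultdict

# Constructed sample, tab-separated: timestamp, kind, entity, value.
# kind=conn:  entity is a server, value is the destination IP it contacted.
# kind=login: entity is a user, value is the device (browser/OS) used.
SAMPLE_LOG = """\
2020-11-01T09:00:00Z\tconn\tbuild-srv-01\t192.0.2.10
2020-11-01T09:05:00Z\tconn\tbuild-srv-01\t192.0.2.11
2020-11-02T09:00:00Z\tconn\tbuild-srv-01\t192.0.2.10
2020-11-02T11:00:00Z\tlogin\talice\tChrome/Windows
2020-11-03T09:00:00Z\tlogin\talice\tChrome/Windows
2020-11-30T03:14:00Z\tconn\tbuild-srv-01\t198.51.100.7
2020-11-30T03:20:00Z\tlogin\talice\tFirefox/Linux
"""

# Constructed "known bad" list: the new destination is deliberately absent,
# mirroring infrastructure never used in a previous, catalogued intrusion.
KNOWN_BAD_IPS = {"203.0.113.99"}


def parse(log: str):
    """Yield (timestamp, kind, entity, value) tuples from the log text."""
    for line in log.splitlines():
        if line.strip():
            ts, kind, entity, value = line.split("\t")
            yield ts, kind, entity, value


def indicator_matches(log: str, bad_ips=KNOWN_BAD_IPS):
    """Einstein-style check: flag only connections to already-known bad IPs."""
    return [(ts, entity, value) for ts, kind, entity, value in parse(log)
            if kind == "conn" and value in bad_ips]


def first_seen(log: str, baseline_end: str):
    """Hunting-style check: learn each entity's normal values up to
    baseline_end (ISO timestamps compare correctly as strings), then flag
    any later value that entity has never used before. Caveat: activity
    that was already present during the baseline window is learned as
    normal, so the window must predate the suspected compromise."""
    seen = defaultdict(set)
    alerts = []
    for ts, kind, entity, value in parse(log):
        key = (kind, entity)
        if ts <= baseline_end:
            seen[key].add(value)            # learning phase
        elif value not in seen[key]:
            alerts.append((ts, kind, entity, value))
            seen[key].add(value)            # alert once per new value
    return alerts


if __name__ == "__main__":
    print("indicator hits:", indicator_matches(SAMPLE_LOG))
    for alert in first_seen(SAMPLE_LOG, "2020-11-15T00:00:00Z"):
        print("first seen:", *alert)
```

The indicator check returns nothing, while the first-seen pass flags both the server's new destination and the user's new login device.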

njbr

A familiar response from our CIC..."He said he didn't meddle. He said he didn't meddle," Trump told reporters from Air Force One. "I asked him again. You can only ask so many times. I just asked him again. He said he absolutely did not meddle in our election. He did not do what they are saying he did."...

Asked whether or not he believed Putin's denial, Trump replied: "Every time he sees me he says, 'I didn't do that,' and I believe, I really believe that when he tells me that, he means it. But he says, 'I didn't do that.' I think he is very insulted by it, which is not a good thing for our country."

SyTuck

umm, "routinely discarded by almost everyone"?

how many messages like this do people get? And routinely discard it? If the login was successful!?

If you don't recognize the IP or time of the login, somebody has your password pure and simple. That's flip out time, not "meh I'm going to get another donut" time.

And btw if it's your email account, that means they have access to almost every other account you own because they very often use your email ONLY for password recovery. Ya I'm looking at you PayPal X(

KidHorn

From someone who has spent his entire career developing software, this looks like an inside job done by an employee. Every source control software keeps track of who did what and when. They should be able to easily identify who changed the code and when it was done. Almost certainly done by someone not born in the US.

Better PR to blame Russian hackers than acknowledge that our software is being developed by foreigners and we have no idea what their political ties are.

njbr

Our President is ignorant of virtually every thing to do with technology (remember his sharpie "correction" of a weather map (who did that)?). Of course he has no idea how to respond. Part of his agenda was to remove the layer of people who understood the critical tasks of each agency (his definition of deep state), and put people in place who would do what he wanted, and no more. This is the type of incompetence that is being built in from the top down.

And while this cannot be laid directly at his feet, the lack of planned response is what can be laid at his feet. There has to be a very direct response that tells the perpetrators that they screwed up by messing with our systems.

Sechel

The hack was noticed by FireEye, a private firm. The DHS was oblivious to it. The problem may have begun under Bush and Obama, but the technology of espionage and counter-espionage is evolving so rapidly I have no doubt we lost a critical four years under Donald Trump attacking his own experts tasked with guarding our secrets.

Sechel

Will Donald Trump ever address the horrific Russian cyber attack on multiple U.S. agencies (including the Dept. of Energy, Dept. of Defense, Dept. of Justice and Dept. of Homeland Security), or is he still busy trying to steal the election?

njbr

I find it quite interesting how TCS spreads into tech--"ooh, why do you think it was the Russians?"

magoomba

This all could very well be yet another well orchestrated 'fake news' story to deflect attention away from the inside job that is being carried out on the entire system. Just another excuse made palatable to the minions of software dependent geekage that blindly putter on as the uncertainty, shutdowns, and eventual shortages of everything continue. It's the new logistics.

Dodge Demon

Microsoft hacked??? Must be some virus attacking their sh-tty OS. Need to vaccinate them off the face of the earth.

Eddie_T

"They used computer infrastructure entirely located in the U.S.; and they gave their systems the same names used by real FireEye employee systems, an unusually adept tactic designed to further conceal the hackers’ presence.”

I’m a 65 year old man, and I can barely use a keyboard as my bad typing attests....but none of that seems all that diabolically clever, really. It sounds like Hacking 101.

Realist

I am waiting for one of Trump's supporters to post something like this:

"Russia, Russia, Russia! Leave poor Russia alone. Trump's buddy Putin isn't behind any of this. This story is just another Democratic, left wing nut job, media hoax to distract people from the stolen election. Just like the pandemic hoax, which is being used to make you take a vaccine with a trojan horse code in it to control your mind and make you vote Democrat. Stop listening to the mainstream media and go to ZH, OAN, Fox, Skynews, and Epoch Times to get the real news. I hear that Hunter Biden is working with George Soros and aliens on Mars to take over the world. Don't let this hacking hoax distract you from what's really going on. Time to wake up people!"

AshH

FireEye and SolarWinds. Why do these company names sound like failed James Bond movie titles?

Lance Manly

If this had been open source software it never would have happened. People would have been up in arms about the unexplained commits. That's why Linux is so rock solid.

Six000mileyear

And this is why I am firmly against digital fiat currencies.

AshH

Is switching to online voting a horrible idea? Could it ever be done 100% securely, with confidence that the results are accurate?

bradw2k

If it had been traced to Chinese hackers instead, would POTUS still be quiet?

Casual_Observer

All operating systems and software have holes in them. There is very little negative testing done on them even today. I do this for a living for embedded systems for new products. It is really easy to find ways to break into systems if you look long enough.

njbr

Nooooo, it can't be Russia. But, but, but, Russia is our friend. Why are you so mean to Russia? They've never done anything to us. It's all a conspiracy against the people's republic of Russia...

Roger_Ramjet

Interesting that the Pentagon suddenly cancelled any further briefings with the Biden administration today. Makes you wonder 1) are these events related and, if so, 2) just how much more serious could this be.

Eddie_T

Trump said to be announcing pardons today.

Typically the sketchy pardons are done on the LAST day...that’s what happened with Bill Clinton and his infamous quid pro quo pardon of Marc Rich

My guess is he will retroactively pardon Jesus to curry support from his religious base.....

Not really, but I bet it’s somebody he thinks pardoning ......will garner huge support for Himself.

I hope Julian Assange is the lucky one. The usual unnamed sources say it won’t be Snowden.

LawrenceBird

And our congress critters want to mandate back doors in all encryption. Brilliant

bradw2k

Feeling vindicated in being paranoid about blindly depending on updates from open source projects like most software projects do.

Webej
  1. If cyber ‘attacks’ are so terrible, does this mean the USA will commit to not doing such things to other countries?

  2. How sophisticated this all was will only be known later. We know that for years the software updates for SolarWinds Orion used the password ‘Solarwinds123’ and this was known on back channels beyond the people involved.

Mr. Purple

Pardon me if this is obvious, but what are the practical effects of the hack? What consequences have there been? Is money missing? Has the US suffered yet in any material way?

I am not questioning the truth or seriousness of the matter, just asking what actual harm has resulted so far.

Eddie_T

Good question...Looks to me like it’s more of an “oh shit” moment.....and one has to wonder what COULD be happening in some other proprietary security software that hasn’t been noticed yet. Is there another shoe somewhere that might drop?

Probably.

goldguy

Sure looks like we are headed for war...with russia and china.

Casual_Observer

The cyberwar era started awhile back. If they truly got into Treasury and other departments, you have to wonder if transactions to foreign bank accounts in Russia were initiated. Trump has been the worst president in global history for national security.

Johnson1

Why is everyone assuming Russia. I bet it is China and with Biden's ties to China....nobody is saying anything.

If Putin and Trump are friends like the Dems proclaim, why would Russia hack the Government while Trump is still in office? If it is the Russians, then it shows the Democrats' assumptions are wrong and Putin has ill intentions towards Trump?

sebmurray

Apparently SolarWinds’ update server had the password “solarwinds123” and they were warned about it in 2019 already. Just having a password that weak is criminal negligence, not to mention being warned about it and doing nothing about it. That update server was the entry vector for the hackers. How on earth that got past a security audit is a very interesting question.

Lance Manly

So, as far as anybody saying, how do we know it's Russia? If uber toad Pompeo says it is clearly Russian, it probably is.

“This was a very significant effort, and I think it’s the case that now we can say pretty clearly that it was the Russians that engaged in this activity,” said Pompeo in an interview with “The Mark Levin Show.”

Sechel

At this point we just have to assume Donald Trump is compromised even if we don't know how it occurred

The Cyber Hack is far greater in the Fake News Media than in actuality. I have been fully briefed and everything is well under control. Russia, Russia, Russia is the priority chant when anything happens because Lamestream is, for mostly financial reasons, petrified of....

ToInfinityandBeyond

It makes you wonder what the Russians are holding over Trump’s head given his reluctance to point any blame at Russia for any of their transgressions over the past 4 years. Evidence of Russian influence in the 2016 elections? Is it compromising video or photographs? Perhaps financial loans from Russian oligarchs? Or maybe a promise of a future lucrative business deal? He has cozied up to Putin for the past 4 years which would leave one to question why.

aqualech

Anyone want to consider this to be an inside job? So quick to blame Russians, but the easier explanation is that the core software was infected by insiders at its inception for general use, and all these different agencies just happen to be users. Note that there is no specific mention of what might actually have been stolen from anywhere.

aqualech

I think it was an inside job. Why expect the guys developing the software are all angels? It is in the core of general and widely used products and none of those agencies need to have been specific targets. As others have questioned, what specifically was stolen? I suspect money and in ways quite sophisticated and hard to unravel. Time to investigate the guys who compiled this.

Felix_Mish

Since everyone is having fun here, let me join in.

I'm voting for the most likely culprit on this one: A commercial outfit's automated exploit system that got lucky with a "social". :)

stacy flit

Did Trump kill JFK? When is the deadline for blaming Trump? I cannot wait to hear the griping when Biden screws up because of Trump. How convenient will that be for you losers and users... get a clue, they're free.
