Federal government finds evidence hackers used multiple methods to access agency networks

The Department of Homeland Security’s (DHS) cybersecurity agency on Thursday warned of the “grave” threat posed to federal systems by a recent massive espionage attack by a nation state, warning that the hackers used multiple methods to access the systems for months.

The Cybersecurity and Infrastructure Protection Agency (CISA) put out an alert detailing the attack, widely reported to be carried out by a Russian military hacking group, on IT company SolarWinds. 

By infiltrating a vulnerability in the company’s Orion software, the group was able to access federal networks, with DHS, the Commerce, State and Treasury departments, and branches of the Pentagon among the agencies reportedly breached, with the hackers potentially having had access to the networks since March. 

The Washington Post reported Sunday that the group behind the attack is a Russian military group known as “Cozy Bear,” a prolific hacking group that previously targeted the State Department during the Obama administration and COVID-19 vaccine researchers earlier this year. 

“CISA has determined that this threat poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations,” the agency wrote in the alert. 

CISA, which put out an emergency directive earlier this week ordering all federal agencies to disconnect from SolarWinds software, warned that the hackers involved used other methods besides the SolarWinds vulnerability to access federal systems. 

“CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform; however, these are still being investigated,” the agency wrote.

While the agency did not attribute the attack to any county or organization, it noted that the hackers had “demonstrated patience, operational security, and complex tradecraft in these intrusions. CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations.”

CISA is among the agencies involved in standing up a Cyber Unified Coordination Group to respond to the incident, alongside the FBI and the Office of the Director of National Intelligence (ODNI).

“This is a developing situation, and while we continue to work to understand the full extent of this campaign, we know this compromise has affected networks within the federal government,” the three agencies said in a joint statement on Wednesday night. 

President-elect Joe Biden on Thursday vowed to make cybersecurity and responding to the incident a “top priority” once in office, while the Democratic leaders of the House Homeland Security and Oversight and Reform committees announced they were opening an investigation into the ongoing incident. 

“Our Committees are seeking information related to the apparent, widespread compromise of multiple federal government, critical infrastructure, and private sector information technology networks,” the chairs of the committees wrote in a letter sent to CISA, the FBI, and the ODNI on Thursday.  “While investigations and technical forensic analyses are still ongoing, based on preliminary reporting, it is evident that this latest cyber intrusion could have potentially devastating consequences for U.S. national security.”