The SolarWinds Orion platform, which was compromised, is used by all five branches of the U.S. military and numerous government agencies.
Networks within the federal government were affected by the breach, which was done by inserting malware, or malicious code, into software updates for Orion.
“This is a developing situation, and while we continue to work to understand the full extent of this campaign, we know this compromise has affected networks within the federal government,” the Office of the Director of National Intelligence said in a joint statement with the FBI and the Department of Homeland Security Agency’s cybersecurity agency, known as CISA.
“As the lead for threat response, the FBI is investigating and gathering intelligence in order to attribute, pursue, and disrupt the responsible threat actors. The FBI is engaging with known and suspected victims and information gained through FBI’s efforts will provide indicators to network defenders and intelligence to our government partners to enable further action,” the agencies added.
The Commerce Department previously confirmed to The Epoch Times that its systems were breached. The Treasury Department was reportedly affected as well.
CISA issued an emergency directive late Dec. 13 after news of the hack broke, ordering all government agencies using the vulnerable products to disconnect the affected devices from the internet.
“The compromise of SolarWinds’s Orion network management products poses unacceptable risks to the security of federal networks,” Brandon Wales, the agency’s acting director, said in a statement at the time. “Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners—in the public and private sectors—to assess their exposure to this compromise and to secure their networks against any exploitation.”
CISA is in regular contact with government agencies, private entities, and international partners, according to the new joint statement. The agency is providing technical assistance when asked and making information and resources available.
“CISA is engaging with our public and private stakeholders across the critical infrastructure community to ensure they understand their exposure and are taking steps to identify and mitigate any compromises,” the statement said.
The Office of the Director of National Intelligence, meanwhile, is “helping to marshal all of the intelligence community’s relevant resources to support this effort and share information across the United States government.”
The vulnerable updates of the Orion platform were used by up to 18,000 companies, according to SolarWinds, a U.S.-based information technology firm.
According to a partial customer listing taken offline this week, Blue Cross Blue Shield, H&R Block, and Siemens are among the businesses that use SolarWinds technology. A Defense Department spokesperson told news outlets that the company uses Orion, but “for operational security reasons” will not comment on whether it was affected or what measures it took.
A security researcher said the company was warned last year that its software update server could be accessed using a simple password.
FireEye, a cybersecurity firm that was itself compromised this month, said in a blog post that the hack could date back to March. It also said the hacked networks were communicating with a malicious domain name, avsmcloud.com.
According to Brian Krebs, an online security expert, there were signs control of the domain was recently transferred to Microsoft, which referred questions to FireEye.
Microsoft has said it is monitoring the situation “surrounding the discovery of a sophisticated attack” that included compromised binaries from SolarWinds that “could be used by attackers to remotely access devices.” Customers were told to immediately isolate the affected device and investigate whether it was breached.
FireEye told Krebs the domain transfer was part of a response to the hack, a bid to try to stop networks that may have been affected by the vulnerable software from communicating with the attackers.
“FireEye collaborated with GoDaddy and Microsoft to deactivate SUNBURST infections,” the company said. It said it identified a “kill switch” that blocks SUNBURST, the malware, and that the kill switch will affect both new and previous malware infections.
“This kill switch will not remove the actor from victim networks where they have established other backdoors. However, it will make it more difficult to for the actor to leverage the previously distributed versions of SUNBURST,” it said.
From The Epoch Times