US OFFICIALS SCRAMBLE TO DEAL WITH SUSPECTED RUSSIAN HACK OF GOVERNMENT AGENCIES

Washington (CNN )US officials
suspect that Russian-linked
hackers were behind the
recent data breach of multiple
federal agencies, including
the Departments of Homeland
Security, Agriculture and
Commerce, but are continuing
to investigate the incident,
multiple sources told CNN
Monday.

While the exact scope and
scale of the hack still remain to
be seen, it is already becoming
clear that this marks one of the
most significant breaches of
the US government in years.
It also shows that Russia and
other foreign actors continue to
exploit US cyber vulnerabilities
— an issue that will likely present
a challenge for the incoming
Biden administration.

Officials suspect a breach
may have also occurred to
the computer systems at the
Treasury Department and US
Postal Service, according to a
senior administration official,
who noted those investigations
are ongoing.

Asked whether USPS system
was breached, a spokesman
for the Postal Service told
CNN, “The U.S. Postal Service
was made aware of the cyber
incident at SolarWinds by
the Department of Homeland
Security (DHS) on Dec. 13, 2020.
As with any notification of this
nature, USPS is conducting a
thorough review of its systems
and processes to safeguard its
network and ensure the integrity
of its systems.”

If any defense networks were
compromised, US Cyber
Command “is postured for
swift action,” a spokesperson
said, adding that they “are in
close coordination with our
interagency, coalition, industry,
and academic partners to assess
and mitigate this issue.”

As part of its response, the
government put into effect
Presidential Policy Directive
41, an Obama-era plan for
executing a Federal Government
response to any cyber incident,
whether involving government
or private sector entities. For
significant cyber incidents, the
directive also establishes a plan
for coordinating a response
between the agencies and it
requires the Departments of

Justice and Homeland Security
to assist entities affected by cyber
incidents.

Russia suspected

While US officials believe that a
Russia-linked entity or Russian
individuals are responsible for the
attacks, they have not yet finalized
their designation on which
actors are responsible, a senior
administration official said.
A meeting scheduled for later
Monday aims to determine
which government agencies
were compromised. So far, only
the Commerce Department has
said publicly that it experienced
a breach but other agencies
appeared to have been targeted
as well.

“We have a hunch about who is
behind the breaches,” another
administration official said, also
confirming Monday’s Emergency
Cyber Response Group meeting.
“But forensics like this take time
to nail down, unless they were
sloppy about it.”

“It’s too early to understand
the depth and scale of the
recent breach affecting the
Commerce Department and other
government agencies,” said Tony
Lawrence, CEO and founder
of VOR Technology and Light
Rider. “The Russians have very
advanced cyber programs and it’s
likely there have been footholds
in these systems that have gone
undetected and unchallenged.
In 2008, the Russians executed a
cyberattack using thumb drives,
commonly known as Buckshot
Yankee, and it’s possible this
breach is related to that previous
attack.”

Linked to previous
breach?

But despite the embassy’s claim
that “Russia does not conduct
offensive operations in the
cyber domain,” Moscow has
been linked to several recent
breaches, including last week’s
hack of FireEye, an attack that
compromised the so-called “Red
Team” tools it uses to protect
clients, including government
customers.

In two blog posts Sunday, the
cybersecurity firm tied the

SolarWinds vulnerability directly
to its own announced breach,
which a source familiar with the
matter previously told CNN was
likely carried out by a Russianaffiliated group known as APT29.
FireEye described a “global
intrusion campaign” that
takes advantage of a critical
flaw in a network monitoring
product sold by SolarWinds,
an IT network management
company. The victims have
included government, consulting,
technology, telecom and
extractive entities in North
America, Europe, Asia and the
Middle East, the second blog post
says, adding that they anticipate
there are additional victims in
other countries and verticals.
A source familiar with the attacks
on both FireEye and those
reported Sunday also told CNN
that “it’s all related.”

“These sorts of attacks leveraging
trusted relationships are
extraordinarily difficult to detect
and defend against in real-time,”
the person said, adding that while
the Commerce and Treasury
Departments are the victims that
have so far been identified, “there
will no doubt be more.”
The US Commerce Department
was the first agency to confirm it
was the victim of a data breach
in an attack that is believed to be
linked to Russia.
“We can confirm there has been
a breach in one of our bureaus,”
the Commerce Department said
in a statement to CNN Sunday.
“We have asked CISA and the
FBI to investigate, and we cannot
comment further at this time.”

A firm that helps protect
businesses and cities from
cyberattacks just got hit by one
CISA also confirmed the data
security incident, though
did not immediately reveal it
experienced a breach, telling
CNN in a statement, “We have
been working closely with our
agency partners regarding
recently discovered activity on
government networks.”
“CISA is providing technical
assistance to affected entities as
they work to identify and mitigate
any potential compromises,” the
statement continued.

CISA issued a directive late
Sunday that tech company
SolarWinds was compromised
and it posed “unacceptable
risks to the security of federal
networks,” said CISA acting
Director Brandon Wales.
SolarWinds Orion products are
used by a number of federal
civilian agencies for network
management and CISA is urging
the agencies to review their
networks for any possible signs of
a data breach. This is only the fifth
emergency directive issued since
2015, when CISA was created by
Congress in the Cybersecurity
Act.
SolarWinds said in a statement
Sunday night that the breach

of their system was “was likely
conducted by an outside nation
state and intended to be a narrow,
extremely targeted, and manually
executed attack, as opposed to a
broad, system-wide attack.”

‘Massive national
security failure’

On Monday, the technology
company said it believes “fewer
than 18,000” customers could
have been affected by the
software vulnerability.
In a new financial filing,
SolarWinds said that out of a
total of 300,000 customers, the
company “believes the actual
number of customers that may
have had an installation of the
Orion products that contained
this vulnerability to be fewer than
18,000.”
SolarWinds has released a
software update addressing the
flaw and anticipates providing
a second software update by
December 15 to “further address”
the security gap, the company
added.

Russian hackers targeting state
and local governments have
stolen data, US officials say
Microsoft also responded to the
hack in a blog post overnight,
telling customers that it has
updated its anti-spyware
program to detect the SolarWinds
vulnerability.

“We believe this is nation-state
activity at significant scale,
aimed at both the government
and private sector… We also
want to reassure our customers
that we have not identified any
Microsoft product or cloud
service vulnerabilities in these
investigations,” the post said.

Sen. Ron Wyden, a Democrat from
Oregon who serves on the Senate
Intelligence Committee, warned
Monday that the damage caused
by the breach may be “far more
significant than currently known.”
“If reports are true and statesponsored hackers successfully
snuck malware-riddled software
into scores of federal government
systems, our country has suffered
a massive national security failure
that could have ramifications
for years to come,” he said in a
statement to CNN. “I’m pressing
the government for more
information about the full scope
of this breach and the steps that
agencies are taking to mitigate it.
I fear that the damage is far more
significant than currently known.”
“I have warned for years that
the government was falling
down on the basics of securing
federal systems, and this breach
unfortunately proves me right.

To start, it’s high time to scrap the
lax practice of allowing agencies
to install high-risk software on
government systems without
subjecting it to a thorough
security review,” Wyden added