SolarWinds Hack May be Tip of Iceberg, Evidence of Multiple Hacks Found

The United States' cybersecurity agency says it has evidence of multiple ways in which a massive, months-long software supply chain attack might have infiltrated a wide range of public and private sector systems, in addition to known malware that infected software company SolarWinds.

The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) released a statement Thursday updating its assessment of the recently uncovered cyber incident perpetrated by a yet unidentified adversary labeled simply as an "advanced persistent threat (APT) actor."

The announcement identified some of the Orion IT products believed to have been infected with hidden Trojans that found their way into the likes of the U.S. Treasury Department and the Department of Commerce, among other U.S. federal agencies.

CISA warned, however, that there may be even more compromised products.

"CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform; however, these are still being investigated," the statement said. "CISA will update this Alert as new information becomes available."

While the scope of the hack is currently being assessed, CISA said it's already "determined that this threat poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations."

The perpetrators of the cyber attack have yet to be named, though CISA said the actor "has demonstrated patience, operational security, and complex tradecraft in these intrusions," which date back as early as March of this year. Rooting out these infiltrations "will be highly complex and challenging," CISA said.

"This adversary has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks," the statement continued. "It is likely that the adversary has additional initial access vectors and tactics, techniques, and procedures (TTPs) that have not yet been discovered. CISA will continue to update this Alert and the corresponding indicators of compromise (IOCs) as new information becomes available."

[Image caption] The 175th Cyberspace Operations Group of the Maryland Air National Guard monitors live cyber attacks on the operations floor of the 27th Cyberspace Squadron, known as the Hunter's Den, at Warfield Air National Guard Base, Middle River, Maryland, June 3, 2017. J.M. Eddins Jr./Airman Magazine/U.S. Air Force

Leading cybersecurity firm FireEye, which was affected by the hack, and top tech company Microsoft, which denied a Reuters report claiming some of its products were infected, have blamed the incident on a nation-state due to the size and sophistication of the operation. Unnamed U.S. officials cited in major media outlets place the blame on Russia.

Moscow's embassy in Washington has rejected what it called "unfounded attempts of the U.S. media to blame Russia for hacker attacks on U.S. governmental bodies."

"We declare responsibly: malicious activities in the information space contradict the principles of the Russian foreign policy, national interests and our understanding of interstate relations," the embassy said in a statement reiterated to Newsweek on Tuesday. "Russia does not conduct offensive operations in the cyber domain."

The following day, the Office of the Director of National Intelligence announced in a statement sent to Newsweek that it had formed a joint body alongside CISA and the FBI to investigate the hack and mitigate the damage done to private and public networks.

The U.S. military has also stepped up, as all five branches of the armed forces utilize SolarWinds software. Also on Wednesday, the Pentagon's information technology and communications support agency said it was taking active measures to address the issue.

"We are aware of the widespread and evolving cyber incident," Navy Vice Admiral Nancy Norton, director of the Defense Information Systems Agency and commander of Joint Force Headquarters - Department of Defense Information Network (DODIN), said.

"We continue to assess our DOD Information Networks for indicators of compromise and take targeted actions to protect our systems beyond the defensive measures we employ each day," the statement said.

And while software from SolarWinds, the affected company, is used by all five branches of the U.S. military, Norton noted that no evidence of illicit entry to the DODIN has yet been detected.

"To date, we have no evidence of compromise of the DODIN," the statement added. "We will continue to work with the whole-of-government effort to mitigate cyber threats to the nation."

A spokesperson for the Pentagon's cyberwarfare force, U.S. Cyber Command, told Newsweek on Monday it "is postured for swift action should any defense networks be compromised," and an official for the NATO Western military alliance said Tuesday that the coalition is "assessing the situation" as "cyber defence is a core part of our collective defence."

This is a developing news story. More information will be added as it becomes available.