SolarWinds Hackers Breach US Nuclear Weapons Agency
Department of Energy is responding to a cyber incident related to the SolarWinds compromise in coordination with our federal and industry partners. The investigation is ongoing and the response to this incident is happening in real-time. At this point, the investigation has found that the malware has been isolated to business networks only, and has not impacted the mission-essential national security functions of the Department, including the National Nuclear Security Administration (NNSA). When DOE identified vulnerable software, immediate action was taken to mitigate the risk, and all software identified as being vulnerable to this attack was disconnected from the DOE network. — Shaylyn Hynes, DOE Spokeswoman
Additional background: As part of its ongoing response, DOE has been in constant communication with our industry partners, including the leadership of the energy sector Subsector Coordinating Councils, and is also in regular contact with Electricity, Oil & Natural Gas (ONG), and Downstream Natural Gas (DNG) Information Sharing and Analysis Centers (ISAC).
Nation-state hackers have breached the networks of the National Nuclear Security Administration (NNSA) and the US Department of Energy (DOE).
NNSA is a semi-autonomous government agency responsible for maintaining and securing the US nuclear weapons stockpile.
The NNSA was established by the US Congress in 2000 and it is also tasked with responding to nuclear and radiological emergencies within the Unites States and abroad.
Officials familiar with the matter told Politico that federal investigators have found evidence of hackers gaining access to US DOE and NNSA networks as part of the ongoing US govt compromise campaign.
The Federal Energy Regulatory Commission (FERC), the Office of Secure Transportation, the Richland Field Office of the DOE, and Sandia and Los Alamos national laboratories were all hit according to the report.
The hackers have mainly focused their efforts at FERC according to the DOE officials, but they did not provide more details on the incident.
This series of attacks has led to the hacking of multiple US government networks as officially confirmed by the FBI, CISA, and the ODNI for the first time in a joint statement issued earlier today.
The list of US government targets compromised so far in this campaign also includes the US Treasury, the US Department of State, US NTIA, US NIH, DHS-CISA, and the US Department of Homeland Security.
The group behind this compromise campaign, suspected to be the Russian state-sponsored APT29 (aka Cozy Bear), was present on the networks of hacked organizations for long periods of time according to a CISA alert from earlier today.
“CISA has determined that this threat poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations,” the agency said.
“CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations.”
The backdoor used in these attacks, tracked as Solarigate or Sunburst, was distributed via SolarWinds’ auto-update mechanism onto the systems of roughly 18,000 customers.
SolarWinds’ customer list [1, 2] includes more than 425 US Fortune 500 companies, all top ten US telecom companies, as well as several government agencies including the US Military, the US Pentagon, the US Department of Justice, the State Department, NASA, NSA, Postal Service, NOAA, and the Office of the President of the United States.
However, CISA also said that it has “evidence of additional initial access vectors, other than the SolarWinds Orion platform; however, these are still being investigated.”
CISA has also issued an Emergency Directive following the string of confirmed US govt hacks asking federal civilian agencies to immediately disconnect or shut down affected SolarWinds Orion products on their networks.
Additionally, since the campaign was discovered, Microsoft, FireEye, and GoDaddy created a kill switch for the SolarWinds Sunburst backdoor that will terminate the infection on victims’ networks.
Courtesy of bleepingcomputer.com