Cyber hackers perpetrating the espionage operation against U.S. government agencies exploited other entry points beyond the SolarWinds Orion platform, the Cybersecurity Infrastructure and Security Agency (CISA) said in an updated alert.
“CISA has evidence that there are initial access vectors other than the SolarWinds Orion platform,” the alert, dated Wednesday, December 23, 2020, said. CISA pointed specifically to exploits involving Security Assertion Markup Language tokens “consistent with this adversary’s behavior,” where no similar evidence in the SolarWinds infiltration had been found. The agency did not identify the additional attack vectors.
The espionage is believed to be the handiwork of Russian state-sponsored operatives. On December 13, 2020, CISA, in a rare emergency alert, directed all federal agencies to immediately power down SolarWinds Orion management tools to protect against the worldwide, active exploit.
In a separate post on its website dated December 24, 2020, CISA said the hack also hit state and local governments and private sector organizations. The agency didn't identify specific state and local governments it is tracking but warned officials to take "measures to identify and address this threat."
Meanwhile, Defense Department officials confirmed that the cyber spies have been able to climb into the networks of the U.S. Energy Department (DOE) and the National Nuclear Security Administration (NNSA), leaving behind evidence but uncertainty remains on what data may have been accessed or stolen.
Hackers reportedly left clues to their network infiltration of the Federal Energy Regulatory Commission (FERC), Sandia and Los Alamos national laboratories in New Mexico and Washington, the Office of Secure Transportation at NNSA, and the Richland Field Office of the DOE, Politico reported. The NNSA is the guardian of the nation’s nuclear weapons stockpile.
Late last week, DOE and NNSA officials informed congressional oversight committees following a briefing by Rocky Campione, the chief information officer at DOE, Politico said. None of the agencies disclosed the footprints the cyber spies left in their wake. It may take weeks to assess the full extent of the damage, officials said.
Cyber damage at the FERC was apparently more substantial than what was unleashed on the other agencies, officials reportedly said. The FERC regulates the transmission and wholesale sale of electricity and natural gas in interstate commerce and regulates the transportation of oil by pipeline in interstate commerce.
As for CISA, the nation’s cyber central told FERC that it lacked the resources to investigate the hacking operation but that DOE will fill in the gaps, officials said, as Politico reported. In a joint statement, CISA, the Federal Bureau of Investigation and the Director of National Intelligence said that U.S. officials believe Russia is behind the attack. “This is a developing situation, and while we continue to work to understand the full extent of this campaign, we know this compromise has affected networks within the federal government,” the statement said.
A DOE spokesperson said that investigators believe that the hackers were unable to access or steal critical security information at the DOE and the NNSA. "At this point, the investigation has found that the malware has been isolated to business networks only, and has not impacted the mission essential national security functions of the department, including the National Nuclear Security Administration," the DOE spokesperson said in a statement. "When DOE identified vulnerable software, immediate action was taken to mitigate the risk, and all software identified as being vulnerable to this attack was disconnected from the DOE network.”