A cyber attack believed to be tied to Russia continues to pose a “grave risk” to government networks and the private sector, according to an ominous warning issued Thursday by the Department of Homeland Security.
The bulletin from DHS’ Cybersecurity and Infrastructure Security Agency (CISA) represented the most striking assessment yet of a cascading threat to federal, state and local networks.
“CISA has determined that this threat poses a grave risk to the federal government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations,” the bulletin stated.
“This … actor has demonstrated patience, operational security, and complex trade-craft in these intrusions,” CISA said of the hackers, adding that the ongoing effort to eliminate the threat “will be highly complex and challenging.”
Officials also are reviewing compromises at the Department of Energy, including the National Nuclear Security Administration, which manages the country’s nuclear weapons stockpile.
“The investigation is ongoing and the response to this incident is happening in real time,” DOE spokesperson Shaylyn Hynes said. “At this point, the investigation has found that the malware has been isolated to business networks only, and has not impacted the mission essential national security functions of the Department, including the National Nuclear Security Administration (NNSA). When DOE identified vulnerable software, immediate action was taken to mitigate the risk, and all software identified as being vulnerable to this attack was disconnected from the DOE network.”
The attacks, which have targeted major branches of the U.S. government, have put an untold number of Americans, agencies and government secrets at risk of compromise.
SolarWinds and FireEye
The attackers penetrated federal computer systems through a tampered software update to Orion, a widely used network-monitoring platform sold by a company called SolarWinds: the malicious code was inserted into the vendor’s own build and distributed to customers as a legitimate, signed update.
The threat apparently came from the same cyberespionage campaign that has afflicted cybersecurity firm FireEye, foreign governments and major corporations.
The system is used by hundreds of thousands of organizations globally, including most Fortune 500 companies and multiple U.S. federal agencies. Not every installation is affected: only organizations that installed the tampered update received the backdoor, so customers must now determine whether they ran a compromised build and, where they did, treat the affected hosts as compromised rather than simply patching them.
The attackers planted malware in computer networks after using what FireEye CEO Kevin Mandia has called “a novel combination of techniques not witnessed by us or our partners in the past.”
In its alert Thursday, CISA said it is “likely” that the full scope of the campaign remains unclear because additional intrusions “have not yet been discovered.”
“Due to the nature of this pattern of adversary activity—and the targeting of key personnel, incident response staff, and IT email accounts—discussion of findings… should be considered very sensitive, and should be protected by operational security measures,” the CISA said.
Magnitude of hacking campaign ‘hard to overstate’
The agency also indicated that some of the intrusions may have occurred as early as March.
The White House did not comment Thursday, even as other government agencies outlined the possible extent of the damage.
Late Wednesday, the FBI, in a joint statement with CISA and the Director of National Intelligence, called the attack “a developing situation.”
“While we continue to work to understand the full extent of this campaign, we know this compromise has affected networks within the federal government,” the agencies said.
President-elect Joe Biden said Thursday that his transition team had been briefed on what he described as something that “appears to be a massive cybersecurity breach affecting potentially thousands of victims.”
“There’s a lot we don’t yet know, but what we do know is a matter of great concern,” Biden said in a statement.
Tom Bossert, a former homeland security adviser to President Donald Trump, said the “magnitude of this ongoing attack is hard to overstate.”
“The Russians have had access to a considerable number of important and sensitive networks for six to nine months,” Bossert said in a column published in The New York Times, adding that Russian intelligence officials have likely gained “administrative control over the networks it considered priority targets.”
“For those targets, the hackers will have long ago moved past their entry point, covered their tracks and gained what experts call ‘persistent access,’ meaning the ability to infiltrate and control networks in a way that is hard to detect or remove.”
Bossert said it could take years to learn the depth of the damage.
Contributing: Bart Jansen