2020 United States federal government data breach: Difference between revisions

From Wikipedia, the free encyclopedia
done
rv WP:QUOTEFARM and MOS:SURNAME. Thanks for the good intentions, though.
Line 121: Line 121:
On December 18, [[U.S. Secretary of State]] [[Mike Pompeo]] said Russia was "pretty clearly" responsible for the massive attack.<ref name="gu-2020-12-19">{{Cite web|date=December 19, 2020|title=Trump downplays government hack after Pompeo blames it on Russia|url=http://www.theguardian.com/us-news/2020/dec/19/mike-pompeo-we-can-say-pretty-clearly-russia-behind-hack-us-agencies|website=the Guardian}}</ref><ref name="hill-2020-12-18">{{Cite web|last=Byrnes|first=Jesse|date=December 19, 2020|title=Pompeo: Russia 'pretty clearly' behind massive cyberattack|url=https://thehill.com/homenews/administration/530962-pompeo-russia-pretty-clearly-behind-massive-cyberattack|website=The Hill}}</ref><ref name="dw-2020-12-19">{{Cite web|date=December 19, 2020|title=Trump downplays massive US cyberattack, points to China|url=https://www.dw.com/en/trump-downplays-massive-us-cyberattack-points-to-china/a-55996519|work=Deutsche Welle}}</ref>
On December 18, [[U.S. Secretary of State]] [[Mike Pompeo]] said Russia was "pretty clearly" responsible for the massive attack.<ref name="gu-2020-12-19">{{Cite web|date=December 19, 2020|title=Trump downplays government hack after Pompeo blames it on Russia|url=http://www.theguardian.com/us-news/2020/dec/19/mike-pompeo-we-can-say-pretty-clearly-russia-behind-hack-us-agencies|website=the Guardian}}</ref><ref name="hill-2020-12-18">{{Cite web|last=Byrnes|first=Jesse|date=December 19, 2020|title=Pompeo: Russia 'pretty clearly' behind massive cyberattack|url=https://thehill.com/homenews/administration/530962-pompeo-russia-pretty-clearly-behind-massive-cyberattack|website=The Hill}}</ref><ref name="dw-2020-12-19">{{Cite web|date=December 19, 2020|title=Trump downplays massive US cyberattack, points to China|url=https://www.dw.com/en/trump-downplays-massive-us-cyberattack-points-to-china/a-55996519|work=Deutsche Welle}}</ref>


On December 19, U.S. president [[Donald Trump]] publicly addressed the attacks for the first time, suggesting without evidence that China, rather than Russia, might be responsible.<ref name="ap-2020-12-19"/><ref name="hill-2020-12-19">{{Cite web|last=Axelrod|first=Tal|date=December 19, 2020|title=Trump downplays impact of hack, questions whether Russia involved|url=https://thehill.com/homenews/administration/530982-trump-downplays-impact-of-government-hack-in-first-public-remarks|website=The Hill}}</ref><ref name="dw-2020-12-19"/><ref name="cnn-2020-12-19">{{Cite web|last=Stracqualursi|first=Veronica|last2=Liptak|first2=Kevin|last3=Hansler|first3=Jennifer|date=19 December 2020|title=Trump downplays massive cyber hack on government after Pompeo links attack to Russia|url=https://www.cnn.com/2020/12/19/politics/pompeo-us-government-hack-russia/index.html|url-status=live|archive-url=|archive-date=|access-date=19 December 2020|website=CNN}}</ref> The same day, Republican senator [[Marco Rubio]], acting chair of the [[United States Senate Select Committee on Intelligence|Senate Intelligence Committee]], said it was "increasingly clear that Russian intelligence conducted the gravest cyber intrusion in our history."<ref name="bloomberg-2020-12-19-200"/><ref name="bbc-2020-12-20">{{Cite web|url=https://www.bbc.com/news/world-us-canada-55386947|title=US cyber-attack: Around 50 firms 'genuinely impacted' by massive breach|date=December 20, 2020|accessdate=December 21, 2020|via=www.bbc.com}}</ref>
On December 19, Trump publicly addressed the attacks for the first time, suggesting without evidence that China, rather than Russia, might be responsible.<ref name="ap-2020-12-19"/><ref name="hill-2020-12-19">{{Cite web|last=Axelrod|first=Tal|date=December 19, 2020|title=Trump downplays impact of hack, questions whether Russia involved|url=https://thehill.com/homenews/administration/530982-trump-downplays-impact-of-government-hack-in-first-public-remarks|website=The Hill}}</ref><ref name="dw-2020-12-19"/><ref name="cnn-2020-12-19">{{Cite web|last=Stracqualursi|first=Veronica|last2=Liptak|first2=Kevin|last3=Hansler|first3=Jennifer|date=19 December 2020|title=Trump downplays massive cyber hack on government after Pompeo links attack to Russia|url=https://www.cnn.com/2020/12/19/politics/pompeo-us-government-hack-russia/index.html|url-status=live|archive-url=|archive-date=|access-date=19 December 2020|website=CNN}}</ref> The same day, Republican senator [[Marco Rubio]], acting chair of the [[United States Senate Select Committee on Intelligence|Senate Intelligence Committee]], said it was "increasingly clear that Russian intelligence conducted the gravest cyber intrusion in our history."<ref name="bloomberg-2020-12-19-200"/><ref name="bbc-2020-12-20">{{Cite web|url=https://www.bbc.com/news/world-us-canada-55386947|title=US cyber-attack: Around 50 firms 'genuinely impacted' by massive breach|date=December 20, 2020|accessdate=December 21, 2020|via=www.bbc.com}}</ref>


On December 20, Democratic senator [[Mark Warner]], briefed on the incident by intelligence officials, said "all indications point to Russia."<ref name="la-2020-12-20">{{Cite web|url=https://www.latimes.com/world-nation/story/2020-12-20/lawmakers-experts-baffled-trump-brushes-off-suspected-russian-hack|title=Trump finds himself isolated in refusal to blame Russia for big cyberattack|date=December 20, 2020|website=Los Angeles Times|accessdate=December 21, 2020}}</ref>
On December 20, Democratic senator [[Mark Warner]], briefed on the incident by intelligence officials, said "all indications point to Russia."<ref name="la-2020-12-20">{{Cite web|url=https://www.latimes.com/world-nation/story/2020-12-20/lawmakers-experts-baffled-trump-brushes-off-suspected-russian-hack|title=Trump finds himself isolated in refusal to blame Russia for big cyberattack|date=December 20, 2020|website=Los Angeles Times|accessdate=December 21, 2020}}</ref>
Line 127: Line 127:
Russia reiterated its denial of involvement.<ref name="time-2020-12-15"/>
Russia reiterated its denial of involvement.<ref name="time-2020-12-15"/>


On December 21, 2020, [[William Barr | Attorney General William Barr]] said, "From the information I have, I agree with Secretary Pompeo’s assessment. It certainly appears to be the Russians but I’m not going to discuss it beyond that."<ref name="bloomberglikely">{{cite web |last1=Strohm|first1=Chris |title=Barr Says Russia Likely to Blame in Hacking, Breaking With Trump |url=https://www.bloomberg.com/news/articles/2020-12-21/barr-says-russia-likely-to-blame-for-massive-cyber-attack |website=bloomberg.com |publisher=[[Bloomberg News]]|access-date=22 December 2020 |date=21 December 2020}}</ref><ref name="nyt-2020-12-21">{{Cite web|url=https://www.nytimes.com/2020/12/21/us/politics/russia-hack-treasury.html|title=Treasury Department’s Senior Leaders Were Targeted by Hacking|first1=David E.|last1=Sanger|first2=Alan|last2=Rappeport|date=December 22, 2020|via=NYTimes.com}}</ref>
On December 21, 2020, [[William Barr | Attorney General William Barr]] stated that he believes that the [[SolarWinds]] hack appears to have been perpetrated by Russia, contradicting statements from [[Donald Trump | President Donald Trump]].<ref>{{cite web |last1=Wilkie |first1=Christina |title=Attorney General Barr breaks with Trump, says SolarWinds hack ‘certainly appears to be the Russians’ |url=https://www.cnbc.com/2020/12/21/barr-says-solarwinds-hack-certainly-appears-to-be-the-russians-.html |website=CNBC |publisher=NBCUniversal News Group |access-date=22 December 2020 |ref=CNBC "Attorney General Barr breaks with Trump, says SolarWinds hack ‘certainly appears to be the Russians’" |language=en |date=21 December 2020}}</ref><ref name="nyt-2020-12-21">{{Cite web|url=https://www.nytimes.com/2020/12/21/us/politics/russia-hack-treasury.html|title=Treasury Department’s Senior Leaders Were Targeted by Hacking|first1=David E.|last1=Sanger|first2=Alan|last2=Rappeport|date=December 22, 2020|via=NYTimes.com}}</ref>


==Impact==
==Impact==
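Review bot: the CNBC citation added in the second hunk carries `|ref=CNBC "Attorney General Barr breaks with Trump, says SolarWinds hack ‘certainly appears to be the Russians’"`; in {{cite web}} the `ref=` parameter sets an anchor id for short-footnote linking, not a title, and `title=` already holds that text, so the parameter should be dropped. The replacement also quietly drops the Bloomberg citation (`bloomberglikely`) that supported the removed quote; if the paraphrase is meant to be cited to both outlets, keep it alongside the CNBC and NYT references.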

Revision as of 07:51, 25 December 2020

2020 United States federal government data breach
U.S. federal institutions reportedly breached. From top, clockwise: Defense,[1] Energy,[2] State,[3] National Institutes of Health,[4] Commerce,[3] Homeland Security,[3] Treasury,[3] Agriculture[5]
Date:
  • Before October 2019 (start of supply chain compromise)[6]
  • March 2020 (possible federal breach start date)[7][8]
  • December 13, 2020 (breach acknowledged)[7][8]
Duration: At least 8 months[9] or 9 months[10]
Location: United States, United Kingdom, Spain, Israel, United Arab Emirates, Canada, Mexico, others[11]
Type: Cyberattack, data breach
Theme: Malware, backdoor, advanced persistent threat, espionage
Target: U.S. federal government, possibly others

In 2020, a major cyberattack by a group backed by a foreign government penetrated multiple parts of the United States federal government, leading to a data breach.[1][23] The hacking group Cozy Bear (APT29), backed by the Russian intelligence agency SVR, was identified as the cyberattackers.[22][21] The cyberattack and data breach were reported to be among the worst cyber-espionage incidents ever suffered by the U.S., due to the sensitivity and high profile of the targets and the long duration (six to nine months) during which the hackers had access.[29] Within days of its discovery, at least 200 organizations around the world had been reported to be affected by the attack, and some of these may also have suffered data breaches.[1][30][31]

The attack, which had gone undetected for months, was first publicly reported on December 13, 2020,[20][21] and was initially only known to have affected the U.S. Treasury Department and the National Telecommunications and Information Administration (NTIA), part of the U.S. Department of Commerce.[36] In the following days, more departments and private organizations reported breaches.[1][4][30]

The cyberattack that led to the federal breaches began no later than March 2020.[7][8] The attackers exploited software from at least three U.S. firms: Microsoft, SolarWinds, and VMware.[37][16] A supply chain attack on SolarWinds's Orion software, widely used in government and industry, provided the initial entry point.[10][38] Flaws in Microsoft and VMware products allowed the attackers to access emails and other documents,[18][19][12][13] and to perform federated authentication across victim resources via single sign-on infrastructure.[16][39][40]

In addition to the theft of data, the attack caused costly inconvenience to tens of thousands of SolarWinds customers, who had to check whether they had been breached, and had to take systems offline and begin months-long decontamination procedures as a precaution.[41][42] U.S. Senator Richard J. Durbin described the cyberattack as tantamount to a declaration of war.[43][3] President Donald Trump was silent for days after the attack, before spuriously suggesting that China, not Russia, might have been responsible for it, and that "everything is well under control".[44][45]

Background

In June 2019, the New York Times reported that American hackers from the United States Cyber Command planted malware potentially capable of disrupting the Russian electrical grid.[46] According to Wired senior writer Andy Greenberg, "The Kremlin warned that the intrusions could escalate into a cyberwar between the two countries."[46]

The federal data breach occurred over the course of at least 8 or 9 months during the final year of the presidency of Donald Trump.[9][10] Throughout this time the White House lacked a cybersecurity coordinator, Trump having eliminated the post itself in 2018.[47][48] When the breach was discovered, the U.S. also lacked a Senate-confirmed Director of CISA, the nation's top cybersecurity official, responsible for coordinating incident response.[49][34][35] (The incumbent, Chris Krebs, had been fired by Trump on November 18, 2020.[50][51][52]) Also at that time, the DHS, which manages CISA, lacked a Senate-confirmed Secretary, Deputy Secretary, General Counsel, Undersecretary for Intelligence and Analysis, and Undersecretary for Management; and Trump had recently forced out the Deputy Director of CISA.[53][54][55]

SolarWinds, a Texas-based provider of network monitoring software to the U.S. federal government, had shown several security shortcomings prior to the attack.[56][57] SolarWinds did not employ a chief information security officer or senior director of cybersecurity.[3][58] Cybercriminals had been selling access to SolarWinds's infrastructure since at least as early as 2017.[57][56] SolarWinds had been advising customers to disable antivirus tools before installing SolarWinds software.[56] In November 2019, a security researcher had warned SolarWinds that their FTP server was not secure, warning that "any hacker could upload malicious [files]" that would then be distributed to SolarWinds customers.[59][56][60][57] And SolarWinds's Microsoft Office 365 account had been compromised, with the attackers able to access emails and possibly other documents.[61][62]

On December 7, 2020, a few days before trojaned SolarWinds software was publicly confirmed to have been used to attack other organizations, longstanding SolarWinds CEO Kevin Thompson retired.[63][64] That same day, two private equity firms with ties to SolarWinds's board sold substantial amounts of stock in SolarWinds.[63] The firms denied insider trading.[63][65]

Methodology

Multiple attack vectors were used.[66][67] On December 17, 2020, additional attack vectors were reported to have been found.[66][67]

SolarWinds exploit

This is classic espionage. It's done in a highly sophisticated way ... But this is a stealthy operation.

The attackers used a supply chain attack.[68] The attackers accessed the build system belonging to the software company SolarWinds, possibly via SolarWinds's Microsoft Office 365 account, which had also been compromised at some point.[69][56][61][62]

The attackers established a foothold in SolarWinds's software publishing infrastructure no later than October 2019.[6] In the build system, the attackers surreptitiously modified software updates provided by SolarWinds to users of its network monitoring software Orion.[70] The first known modification, in October 2019, was merely a proof of concept.[6] Once the proof had been established, the attackers spent December 2019 to February 2020 setting up a command-and-control infrastructure.[6]

In March 2020, the attackers began to plant remote access tool malware into Orion updates, thereby trojaning them.[10][38][71][72][73] The users who received these updates included U.S. government customers in the executive branch, the military, and the intelligence services (see Impact section, below).[7][74] If a user installed the update, the malware payload would execute and stay dormant for 12–14 days before attempting to communicate with one or more of several command-and-control servers.[75][76][77][78] The communications were designed to mimic legitimate SolarWinds traffic.[69][79] If the malware was able to contact one of those servers, this alerted the attackers to a successful deployment and offered them a back door that they could choose to use if they wished to exploit the system further.[78][80] The malware started to contact command-and-control servers in April 2020, initially from North America and Europe and subsequently from other continents too.[81][78]

The attackers appear to have utilized only a small fraction of the successful malware deployments: ones located within computer networks belonging to high-value targets.[75][10] Once inside the target networks, the attackers pivoted, installing exploitation tools such as Cobalt Strike components,[82][79] and seeking additional access.[69][1] Because Orion was connected to customers' Office 365 accounts as a trusted third-party application, the attackers were able to access emails and other confidential documents.[83] This access apparently helped them to hunt for certificates that would let them sign SAML tokens, allowing them to masquerade as legitimate users to additional on-premises services and to cloud services like Microsoft Azure Active Directory.[83][69][84] Once these additional footholds had been obtained, disabling the compromised Orion software would no longer be sufficient to sever the attackers' access to the target network.[4][85][86] Having accessed data of interest, they encrypted and exfiltrated it.[68][1]

The attackers hosted their command-and-control servers on commercial cloud services from Amazon, Microsoft, GoDaddy and others.[87] By using command-and-control IP addresses based in the U.S., and because much of the malware involved was new, the attackers were able to evade detection by Einstein, a national cybersecurity system operated by the Department of Homeland Security (DHS).[77][3][88]

Microsoft exploits

If you think about data that is only available to the CEO, or data that is only available to IT services, [the attacker would get] all of this data.

— Sami Ruohonen, F-Secure[18]

"Zerologon", a vulnerability in the Microsoft authentication protocol NetLogon, allowed attackers to access all valid usernames and passwords in each Microsoft network that they breached.[18][19] This allowed them to access additional credentials necessary to assume the privileges of any legitimate user of the network, which in turn allowed them to compromise Microsoft Office 365 email accounts.[18][19]

Additionally, a flaw in Microsoft's Outlook Web App may have allowed attackers to bypass multi-factor authentication.[12][13][89]

Attackers were found to have broken into Microsoft Office 365 in a way that allowed them to monitor NTIA and Treasury staff emails for several months.[7][33][50] This attack apparently used counterfeit identity tokens of some kind, allowing the attackers to trick Microsoft's authentication systems.[33][90][91] The presence of single sign-on infrastructure increased the viability of the attack.[40]
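The counterfeit identity tokens described here, and the SAML tokens signed with stolen certificates described in the SolarWinds exploit section, look valid to the cloud side, which only checks the signature. One defender-side check is to correlate every assertion the cloud accepted against the federation server's own issuance log. The following is an added example, not code from this article or from Microsoft, FireEye or Volexity; its log format, field names, certificate thumbprints and accounts are constructed, and the lifetime limit is an assumed policy value:

```python
"""Correlate SAML assertions accepted by a cloud identity service against the
on-premises federation server's own issuance log.

Added example, not Microsoft, FireEye or Volexity code. Log formats, field
names, thumbprints and accounts are constructed; real AD FS and Azure AD
records differ, but the logic is the same: the cloud side only validates the
signature, so a token signed with a stolen key looks valid to it, and the gap
shows up as an accepted assertion the federation server never recorded issuing.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Thumbprint the federation server is known to sign with (constructed value).
EXPECTED_SIGNING_CERT = "A1B2C3D4E5F6"
# Longest assertion lifetime the federation policy allows (assumed value).
MAX_ASSERTION_LIFETIME = timedelta(hours=1)

# Both logs use the constructed format "assertion_id|subject|issued|expires|cert".
IDP_ISSUANCE_LOG = """\
_a1|alice@example.test|2020-06-01T09:00:00|2020-06-01T10:00:00|A1B2C3D4E5F6
_a2|bob@example.test|2020-06-01T09:05:00|2020-06-01T10:05:00|A1B2C3D4E5F6
"""
CLOUD_ACCEPTED_LOG = """\
_a1|alice@example.test|2020-06-01T09:00:00|2020-06-01T10:00:00|A1B2C3D4E5F6
_a2|bob@example.test|2020-06-01T09:05:00|2020-06-01T10:05:00|A1B2C3D4E5F6
_zz|admin@example.test|2020-06-01T23:39:00|2020-07-01T23:39:00|A1B2C3D4E5F6
_a3|carol@example.test|2020-06-02T00:59:00|2020-06-02T01:59:00|DEADBEEF0000
"""

Finding = Tuple[str, str, str]  # (assertion_id, subject, reason)


@dataclass(frozen=True)
class Assertion:
    assertion_id: str
    subject: str
    issued: datetime
    expires: datetime
    cert: str


def parse_log(text: str) -> List[Assertion]:
    """Parse the constructed pipe-delimited log into Assertion records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        aid, subject, issued, expires, cert = line.split("|")
        records.append(Assertion(aid, subject, datetime.fromisoformat(issued),
                                 datetime.fromisoformat(expires), cert))
    return records


def analyse(idp_log: str, cloud_log: str) -> List[Finding]:
    """Flag accepted assertions that the federation server never issued, that
    carry an unexpected signing certificate, or whose lifetime breaks policy."""
    issued_by_idp: Dict[str, Assertion] = {a.assertion_id: a for a in parse_log(idp_log)}
    findings: List[Finding] = []
    for a in parse_log(cloud_log):
        record = issued_by_idp.get(a.assertion_id)
        if record is None:
            # The strongest signal: the relying party trusted a signature the
            # federation server has no record of producing.
            findings.append((a.assertion_id, a.subject,
                             "accepted by the cloud but never issued by the federation server"))
        elif record.subject != a.subject:
            findings.append((a.assertion_id, a.subject,
                             "subject differs from the issuance record"))
        if a.cert != EXPECTED_SIGNING_CERT:
            findings.append((a.assertion_id, a.subject, "signed with an unexpected certificate"))
        if a.expires - a.issued > MAX_ASSERTION_LIFETIME:
            # Forged tokens are often minted with validity far beyond policy.
            findings.append((a.assertion_id, a.subject, "lifetime exceeds federation policy"))
    return findings


if __name__ == "__main__":
    for aid, subject, reason in analyse(IDP_ISSUANCE_LOG, CLOUD_ACCEPTED_LOG):
        print(f"{aid} ({subject}): {reason}")
```

The correlation only works if the federation server's audit logging is enabled and both sides' clocks agree; otherwise legitimate assertions will surface as unissued.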

VMware exploits

Vulnerabilities in VMware Access and VMware Identity Manager, allowing existing network intruders to pivot and gain persistence, were utilized in 2020 by Russian state-sponsored attackers.[16][17] As of December 18, 2020, while it was definitively known that the Sunburst trojan would have provided suitable access to exploit the VMware bugs, it was not yet definitively known whether attackers had in fact chained those two exploits in the wild.[16][17]

Discovery

SolarWinds exploit

On December 8, 2020, the cybersecurity firm FireEye announced that red team tools had been stolen from it by what it believed to be a state-sponsored attacker.[92][93][94] FireEye was believed to be a target of the SVR, Russia's Foreign Intelligence Service.[22][95] FireEye says that it discovered the SolarWinds supply chain attack in the course of investigating FireEye's own breach and tool theft.[96][97]

After discovering that attack, FireEye reported it to the U.S. National Security Agency (NSA), a federal agency responsible for helping to defend the U.S. from cyberattacks.[1] The NSA is not known to have been aware of the attack before being notified by FireEye.[1] The NSA uses SolarWinds software itself.[1]

Some days later, on December 13, when breaches at the Treasury and the Department of Commerce were publicly confirmed to exist, sources said that the FireEye breach was related.[7][22] On December 15, FireEye confirmed that the vector used to attack the Treasury and other government departments was the same one that had been used to attack FireEye: a trojaned software update for SolarWinds Orion.[59][98]

The security community shifted its attention to Orion. The infected versions were found to be 2019.4 through 2020.2.1 HF1, released between March 2020 and June 2020.[71][82] FireEye named the malware SUNBURST.[14][15] Microsoft called it Solorigate.[56][15]
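The version range above, together with the trojaned-update mechanism described in the Methodology section, is what an Orion operator first had to check against. The following is an added example, not SolarWinds, FireEye or CISA code: it parses Orion version strings (including hotfix suffixes), applies the range exactly as this article states it, and buckets a constructed host inventory for response. An operational check must use the vendor advisory's exact build list, and a clean current version alone does not prove a host never ran an affected build.

```python
"""Classify SolarWinds Orion installs by the version range this article names
as trojaned (2019.4 through 2020.2.1 HF1) and bucket hosts for response.

Added example, not SolarWinds, FireEye or CISA code. The range follows the
article's wording; an operational check must use the vendor advisory's exact
build list. A clean current version does not prove a host was never
compromised, since it may have run an affected build earlier.
"""
import re
from typing import Dict, List, Tuple

# Hypothetical inventory export, "hostname,orion_version" (constructed sample).
SAMPLE_INVENTORY = """\
orion-prod-01,2020.2.1 HF1
orion-prod-02,2020.2.1 HF2
orion-lab-03,2019.4 HF5
orion-old-04,2018.4 HF3
orion-new-05,2020.2
netmon-06,unknown
"""

# Orion versions look like "2019.4", "2020.2.1" or "2020.2.1 HF1".
_VERSION_RE = re.compile(r"^(\d{4})\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?$", re.IGNORECASE)

VersionKey = Tuple[int, int, int, int]  # (year, minor, patch, hotfix)

AFFECTED_LOW: VersionKey = (2019, 4, 0, 0)   # 2019.4, any hotfix
AFFECTED_HIGH: VersionKey = (2020, 2, 1, 1)  # 2020.2.1 HF1, inclusive


def parse_version(text: str) -> VersionKey:
    """Turn '2020.2.1 HF1' into (2020, 2, 1, 1); raise ValueError if unparseable."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Orion version: {text!r}")
    year, minor, patch, hotfix = match.groups()
    return (int(year), int(minor), int(patch or 0), int(hotfix or 0))


def is_affected(text: str) -> bool:
    """True if the version falls inside the article's stated trojaned range.
    Tuple comparison orders year, then minor, then patch, then hotfix."""
    return AFFECTED_LOW <= parse_version(text) <= AFFECTED_HIGH


def triage(inventory_csv: str) -> Dict[str, List[str]]:
    """Bucket hosts as affected (isolate, rebuild from trusted media, reset
    every credential the host could see), clean, or unknown (manual check)."""
    buckets: Dict[str, List[str]] = {"affected": [], "clean": [], "unknown": []}
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        host, _, version = line.partition(",")
        try:
            bucket = "affected" if is_affected(version) else "clean"
        except ValueError:
            # Unreadable version strings must not silently pass as clean.
            bucket = "unknown"
        buckets[bucket].append(host.strip())
    return buckets


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```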

Subsequent analysis of the SolarWinds compromise using DNS data and reverse engineering of Orion binaries, by DomainTools and ReversingLabs respectively, revealed additional details about the attacker's timeline.[6]

Microsoft exploits

During 2019 and 2020, cybersecurity firm Volexity discovered an attacker making suspicious usage of Microsoft products within the network of a think tank whose identity has not publicly been revealed.[99][100][12] The attacker exploited a vulnerability in the organization's Microsoft Exchange Control Panel, and used a novel method to bypass multi-factor authentication.[12] Later, in June and July 2020, Volexity observed the attacker utilising the SolarWinds Orion trojan; i.e. the attacker used Microsoft vulnerabilities (initially) and SolarWinds supply chain attacks (later on) to achieve their goals.[12] Volexity said it was not able to identify the attacker.[12]

Separately, in or shortly before October 2020, Microsoft Threat Intelligence Center reported that an apparently state-sponsored attacker had been observed exploiting zerologon, a vulnerability in Microsoft's NetLogon protocol.[18][19] This was reported to CISA, who issued an alert on October 22, 2020, specifically warning state, local, territorial and tribal governments to search for indicators of compromise, and instructing them to rebuild their networks from scratch if compromised.[18][101] Using VirusTotal, The Intercept discovered continued indicators of compromise in December 2020, suggesting that the attacker might still be active in the network of the city government of Austin, Texas.[18]

VMware exploits

Some time before December 3, 2020, the NSA discovered and notified VMware of vulnerabilities in VMware Access and VMware Identity Manager.[16] VMware released patches on December 3, 2020.[16] On December 7, 2020, the NSA published an advisory warning customers to apply the patches because the vulnerabilities were being actively exploited by Russian state-sponsored attackers.[16][102]

Suspects

On October 22, 2020, CISA and the FBI identified the Microsoft zerologon attacker as Berserk Bear, a state-sponsored group believed to be part of Russia's FSB.[18]

SolarWinds said it believed the malware insertion into Orion was performed by a foreign nation.[7][8] Russian-sponsored hackers were suspected to be responsible.[103][7][20] According to The Washington Post, the specific groups responsible were probably the SVR or Cozy Bear (aka APT29).[22][21] FireEye gave the suspects the placeholder name "UNC2452";[69][12] incident response firm Volexity called them "Dark Halo".[12][100] On December 23, 2020, the CEO of FireEye said Russia was the most likely culprit and the attacks were "very consistent" with the SVR.[104]

Statements by U.S. government

On December 15, 2020, Democratic U.S. Senator Richard Blumenthal confirmed that the U.S. government believed Russia was responsible for the attack.[3] The executive branch had yet to publicly confirm this.[3]

On December 18, U.S. Secretary of State Mike Pompeo said Russia was "pretty clearly" responsible for the massive attack.[105][106][107]

On December 19, Trump publicly addressed the attacks for the first time, suggesting without evidence that China, rather than Russia, might be responsible.[44][108][107][45] The same day, Republican senator Marco Rubio, acting chair of the Senate Intelligence Committee, said it was "increasingly clear that Russian intelligence conducted the gravest cyber intrusion in our history."[31][109]

On December 20, Democratic senator Mark Warner, briefed on the incident by intelligence officials, said "all indications point to Russia."[110]

Russia reiterated its denial of involvement.[111]

On December 21, 2020, Attorney General William Barr stated that he believes that the SolarWinds hack appears to have been perpetrated by Russia, contradicting statements from President Donald Trump.[112][113]

Impact

This is a much bigger story than one single agency. This is a huge cyber espionage campaign targeting the U.S. government and its interests.

— U.S. government source[7]

Discovery of the breaches at the Treasury and the Department of Commerce immediately raised concerns that the attackers would attempt to breach other departments, or had already done so.[90][20] Further investigation proved these concerns to be well-founded.[1] Within days, additional federal departments were found to have been breached.[1][114][5]

SolarWinds said that of its 300,000 customers, 33,000 use Orion.[1] Of these, around 18,000 government and private users downloaded compromised versions.[1][4][115]

Compromised versions were known to have been downloaded by the Centers for Disease Control and Prevention, the Justice Department, and some utility companies.[1] Other prominent U.S. organisations known to use SolarWinds products, though not necessarily Orion, were the Los Alamos National Laboratory, Boeing, and most Fortune 500 companies.[1][116] Outside the U.S., reported SolarWinds clients included parts of the British government, including the Home Office, National Health Service, and signals intelligence agencies; the North Atlantic Treaty Organization (NATO); the European Parliament; and likely AstraZeneca.[4][30] FireEye said that additional government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East may also have been affected.[4]

Simply downloading a compromised version of Orion was not necessarily sufficient to result in a data breach; further investigation was required in each case to establish whether a breach resulted.[1][117] These investigations were complicated by: the fact that the attackers had in some cases removed evidence;[66] the need to maintain separate secure networks as organizations' main networks were assumed to be compromised;[66] and the fact that Orion was itself a network monitoring tool, without which users had less visibility of their networks.[68] As of mid-December 2020, those investigations were ongoing.[1][4]

As of mid-December 2020, U.S. officials were still investigating what was stolen in the cases where breaches had occurred, and trying to determine how it could be used.[7][118] Commentators said that the information stolen in the attack would increase the perpetrator's influence for years to come.[61][119][78] Possible future uses could include attacks on hard targets like the CIA and NSA,[3] or using blackmail to recruit spies.[120] Cyberconflict professor Thomas Rid said the stolen data would have myriad uses.[118] He added that the amount of data taken was likely to be many times greater than during Moonlight Maze, and if printed would form a stack far taller than the Washington Monument.[118]

Even where data was not exfiltrated, the impact was significant.[42] The Cybersecurity and Infrastructure Security Agency (CISA) advised that affected devices be rebuilt from trusted sources, and that all credentials exposed to SolarWinds software should be considered compromised and should therefore be reset.[121] Anti-malware companies additionally advised searching log files for specific indicators of compromise.[122][123][124]

However, it appeared that the attackers had deleted or altered records, and may have modified network or system settings in ways that could require manual review.[66][125] Former Homeland Security Advisor Thomas P. Bossert warned that it could take years to evict the attackers from US networks, leaving them able to continue to monitor, destroy or tamper with data in the meantime.[41] Harvard's Bruce Schneier, and NYU's Pano Yannakogeorgos, founding dean of the Air Force Cyber College, said that affected networks may need to be replaced completely.[126][127]


List of confirmed connected data breaches

U.S. federal departments

Department | Affected part(s) include | Sources
Department of Agriculture | | [5][128][84][129][130]
Department of Commerce | National Telecommunications and Information Administration | [131][1][132][133][76][78][134][129][135][136][130][137]
Department of Defense | Parts of The Pentagon | [1][138][137]
Department of Energy | National Nuclear Security Administration | [2][139][140][141][142][135][136][130][137][143]
Department of Health and Human Services | National Institutes of Health | [138][134][136][130]
Department of Homeland Security | Cybersecurity and Infrastructure Security Agency | [133][132][76][78][134][1][129][136][130]
Department of State | | [1][138][134][136][130]
Department of the Treasury | | [1][132][138][131][76][78][134][129][135][136][130][40]

U.S. state and local governments

State | Affected part(s) include | Sources
Arizona | Pima County | [144][145]
Texas | City of Austin | [18]

Private sector

Organization | Sources
Cisco Systems | [146][147][148][136][145]
Cox Communications | [144][6][149][145]
Equifax | [148]
FireEye | [133][138][76][134]
Microsoft | [37][141][150][151][152][153][154][2][155][156][148][136][137]
SolarWinds | [133][138][76][156][155]
A think tank (unnamed as of December 15, 2020) | [12][117][100][13][89]

Responses

Technology companies and business

On December 8, 2020, before other organizations were known to have been breached, FireEye published countermeasures against the red team tools that had been stolen from FireEye.[95][157]

On December 15, 2020, Microsoft announced that Sunburst, which only affects Windows platforms, had been added to Microsoft's malware database and would, from December 16 onwards, be detected and quarantined by Microsoft Defender.[158][134]

GoDaddy handed ownership to Microsoft of a command-and-control domain used in the attack, allowing Microsoft to activate a killswitch in the Sunburst malware, and to discover which SolarWinds customers were infected.[59]

On December 14, 2020, the CEOs of several American utility companies convened to discuss the risks posed to the power grid by the attacks.[1] On December 22, 2020, the North American Electric Reliability Corporation asked electricity companies to report their level of exposure to SolarWinds software.[159]

SolarWinds unpublished its featured customer list after the hack,[160] although as of December 15, the founder of the cybersecurity firm GreyNoise Intelligence said that SolarWinds had not removed the infected software updates from its distribution server.[59]

U.S. government

On December 18, 2020, U.S. Secretary of State Mike Pompeo said that some details of the event would likely be classified so as not to become public.[70]

Investigations and response by security agencies

On December 12, 2020, a National Security Council (NSC) meeting was held at the White House to discuss the breach of federal organizations.[7] On December 13, 2020, CISA issued an emergency directive asking federal agencies to disable the SolarWinds software, to reduce the risk of additional intrusions, even though doing so would reduce those agencies' ability to monitor their computer networks.[1][121] Russia denied involvement in the attacks.[161]

On December 14, 2020, the Department of Commerce confirmed that it had asked the CISA and the FBI to investigate.[7][22][162] The NSC activated Presidential Policy Directive 41, an Obama-era emergency plan, and convened its Cyber Response Group.[163][47] The U.S. Cyber Command threatened swift retaliation against the attackers, pending the outcome of investigations.[164]

The Federal Energy Regulatory Commission (FERC) helped to compensate for a staffing shortfall at CISA.[139][68][140] The FBI, CISA, and the Office of the Director of National Intelligence (ODNI) formed a Cyber Unified Coordination Group (UCG) to coordinate their efforts.[165]

On December 24, 2020, CISA said state and local government networks, in addition to federal ones, and other organizations, had been impacted by the attack, but did not provide further details.[166]

Investigations and response by Congress

The Senate Armed Services Committee's cybersecurity subcommittee was briefed by Defense Department officials.[86] The House Committee on Homeland Security and House Committee on Oversight and Reform announced an investigation.[37] Marco Rubio, acting chair of the Senate Intelligence Committee, said the U.S. must retaliate, but only once the perpetrator is certain.[167] The committee's vice-chairman, Mark Warner, criticized President Trump for failing to acknowledge or react to the hack.[168]

Senator Ron Wyden called for mandatory security reviews of software used by federal agencies.[133][129]

On December 22, 2020, after U.S. Treasury Secretary Steven Mnuchin told reporters that he was "completely on top of this", the Senate Finance Committee was briefed by Microsoft that dozens of Treasury email accounts had been breached, and that the attackers had accessed systems of the Treasury's Departmental Offices division, home to top Treasury officials.[40][113] Senator Wyden said that the briefing showed that the Treasury "still does not know all of the actions taken by hackers, or precisely what information was stolen".[40][113]

On December 23, 2020, Senator Bob Menendez asked the State Department to end its silence about the extent of its breach, and Senator Richard Blumenthal asked the same of the Veterans Administration.[169][170]

Trump comments and response to Trump

President Donald Trump made no comment on the hack for days after it was reported, leading Senator Mitt Romney to decry his "silence and inaction".[171] On December 19, Trump publicly addressed the attacks for the first time; he downplayed the hack, contended that the media had overblown the severity of the incident, said that "everything is well under control", and proposed, without evidence, that China, rather than Russia, might be responsible for the attack. Trump then pivoted to insisting that he had won the 2020 presidential election.[108][107][105][172][173] He speculated, without evidence, that the attack might also have involved a "hit" on voting machines, part of a long-running campaign by Trump to falsely assert that he won the 2020 election. Former CISA director Chris Krebs rebutted the claim, pointing out that this was not possible.[1][173][174] Adam Schiff, chair of the House Intelligence Committee, described Trump's statements as dishonest,[175] calling the comment a "scandalous betrayal of our national security" that "sounds like it could have been written in the Kremlin."[173]

Former Homeland Security Advisor Thomas P. Bossert said, "President Trump is on the verge of leaving behind a federal government, and perhaps a large number of major industries, compromised by the Russian government," and noted that congressional action, including via the National Defense Authorization Act would be required to mitigate the damage caused by the attacks.[24][176][41] Russell Brandom, policy editor for The Verge, called the U.S. ill-prepared for the hack, and criticized Trump for having consistently "treated the federal cybersecurity effort as one more partisan battleground, with attacks and vulnerabilities embraced or rejected largely on the basis of their value as a political cudgel"; Brandom wrote that "this is no way to run the world’s most powerful intelligence apparatus."[49] Fred Kaplan, writing in Slate, criticized Trump for promoting fake claims of election fraud while "ignoring a real cybersecurity crisis," writing: "For all of Trump's wailing about fictitious hacks that stole the election, he has been otherwise notably uncurious about the nation's cybersecurity."[47] Esquire commentator Charles P. Pierce criticized the Trump administration for being "asleep at the switch" and termed Trump a "crooked, incompetent agent of chaos."[177]

President-elect Biden

President-elect Joe Biden said that, "A good defense isn't enough; we need to disrupt and deter our adversaries from undertaking significant cyberattacks in the first place. I will not stand idly by in the face of cyberassaults on our nation."[178] Biden said he had instructed his transition team to study the breach, would make cybersecurity a priority at every level of government, and would identify and penalize the attackers.[67][2] Biden's incoming chief of staff, Ron Klain, said the Biden administration's response to the hack would extend beyond sanctions.[179]

On December 22, 2020, Biden said that, "I see no evidence that it's under control," and reported that his transition team was still being denied access to some briefings about the attack by Trump administration officials.[180][181]

Rest of world

NATO said that it was "currently assessing the situation, with a view to identifying and mitigating any potential risks to our networks."[30] On December 18, the United Kingdom National Cyber Security Centre said that it was still establishing the attacks' impact on the UK.[182] The UK and Irish cybersecurity agencies published alerts targeting SolarWinds customers.[111]

On December 23, 2020, the UK Information Commissioner's Office, the national privacy authority, told UK organizations to check immediately whether they had been affected.[104][183]

On December 24, 2020, the Canadian Centre for Cyber Security asked SolarWinds Orion users in Canada to check for system compromises.[184][185]

Classification of the hack

The attack prompted a debate on whether the hack should be treated as cyber-espionage, or as a cyberattack constituting an act of war.[186] Most current and former U.S. officials considered the 2020 Russian hack to be a "stunning and distressing feat of espionage" but not a cyberattack because the Russians did not appear to destroy or manipulate data or cause physical damage (for example, to the electrical grid).[187] Erica Borghard of the Atlantic Council and Columbia's Saltzman Institute and Jacquelyn Schneider of the Hoover Institution and Naval War College argued that the breach was an act of espionage that could be responded to with "arrests, diplomacy, or counterintelligence" and had not yet been shown to be a cyberattack, a classification that would legally allow the U.S. to respond with force.[188] Law professor Jack Goldsmith wrote that the hack was a damaging act of cyber-espionage but "does not violate international law or norms" and wrote that "because of its own practices, the U.S. government has traditionally accepted the legitimacy of foreign governmental electronic spying in U.S. government networks."[189] Law professor Michael Schmitt concurred, citing the Tallinn Manual.[190]

By contrast, Microsoft president Brad Smith termed the hack a cyberattack,[187] stating that it was "not 'espionage as usual,' even in the digital age" because it was "not just an attack on specific targets, but on the trust and reliability of the world's critical infrastructure."[191][192] U.S. Senator Richard J. Durbin (D-IL) described the attack as tantamount to a declaration of war.[43][3]

Debate on possible U.S. responses

Writing for Wired, Borghard and Schneider opined that the U.S. "should continue to build and rely on strategic deterrence to convince states not to weaponize the cyber intelligence they collect". They also stated that because deterrence may not effectively discourage cyber-espionage attempts by threat actors, the U.S. should also focus on making cyber-espionage less successful through methods such as enhanced cyber-defenses, better information-sharing, and "defending forward" (reducing Russian and Chinese offensive cyber-capabilities).[188]

Writing for The Dispatch, Goldsmith wrote that the failure of defense and deterrence strategies against cyber-intrusion should prompt consideration of a "mutual restraint" strategy, "whereby the United States agrees to curb certain activities in foreign networks in exchange for forbearance by our adversaries in our networks."[189]

Bruce Schneier advocated against retaliation or increases in offensive capabilities, proposing instead the adoption of a defense-dominant strategy and ratification of the Paris Call for Trust and Security in Cyberspace or the Global Commission on the Stability of Cyberspace.[193]

In the New York Times, Paul Kolbe, former CIA agent and director of the Intelligence Project at Harvard's Belfer Center for Science and International Affairs, echoed Schneier's call for improvements in the U.S.'s cyberdefenses and international agreements.[194]

In Slate, Fred Kaplan argued that the structural problems that enable computer network intrusions like this had been public knowledge since 1967 and that successive U.S. governments had failed to implement the structural defenses repeatedly requested by subject experts.[195] He pointed out that an escalatory response to espionage would be counterproductive for U.S. interests, whereas finally strengthening the defenses and drawing clear red lines in the gray areas of cyber-conflict policy would be more fruitful strategies.[196]

References

  1. ^ a b c d e f g h i j k l m n o p q r s t u v w x y z Sanger, David E.; Perlroth, Nicole; Schmitt, Eric (December 15, 2020). "Scope of Russian Hack Becomes Clear: Multiple U.S. Agencies Were Hit". The New York Times. Archived from the original on December 18, 2020. Retrieved December 15, 2020.
  2. ^ a b c d "Hackers Tied to Russia Hit Nuclear Agency; Microsoft Is Exposed". Bloomberg L.P. December 17, 2020. Archived from the original on December 18, 2020. Retrieved December 17, 2020.
  3. ^ a b c d e f g h i j k Sanger, David E.; Perlroth, Nicole; Barnes, Julian E. (December 16, 2020). "Billions Spent on U.S. Defenses Failed to Detect Giant Russian Hack". The New York Times. Archived from the original on December 16, 2020. Retrieved December 16, 2020.
  4. ^ a b c d e f g Stubbs, Jack; Satter, Raphael; Menn, Joseph (December 15, 2020). "U.S. Homeland Security, thousands of businesses scramble after suspected Russian hack". Reuters. Archived from the original on December 15, 2020. Retrieved December 15, 2020.
  5. ^ a b c Fung, Brian. "Why the US government hack is literally keeping security experts awake at night". CNN. Archived from the original on December 17, 2020. Retrieved December 18, 2020.
  6. ^ a b c d e f "SolarWinds Likely Hacked at Least One Year Before Breach Discovery". SecurityWeek.com.
  7. ^ a b c d e f g h i j k l Bing, Christopher (December 14, 2020). "Suspected Russian hackers spied on U.S. Treasury emails – sources". Reuters. Archived from the original on December 14, 2020. Retrieved December 14, 2020.
  8. ^ a b c d O'Brien, Matt; Bajak, Frank (December 15, 2020). "EXPLAINER: How bad is the hack that targeted US agencies?". Houston Chronicle. Archived from the original on December 14, 2020. Retrieved December 15, 2020.
  9. ^ a b "SolarWinds Orion: More US government agencies hacked". BBC. December 15, 2020. Archived from the original on December 16, 2020. Retrieved December 16, 2020.
  10. ^ a b c d e f "Russian hack was 'classic espionage' with stealthy, targeted tactics". The Washington Post. December 14, 2020. Archived from the original on December 14, 2020. Retrieved December 18, 2020.
  11. ^ Cook, James (December 18, 2020). "Microsoft warns UK companies were targeted by SolarWinds hackers" – via www.telegraph.co.uk.
  12. ^ a b c d e f g h i j "Group Behind SolarWinds Hack Bypassed MFA to Access Emails at US Think Tank". SecurityWeek.com. Archived from the original on December 16, 2020. Retrieved December 17, 2020.
  13. ^ a b c d Goodin, Dan (December 15, 2020). "SolarWinds hackers have a clever way to bypass multi-factor authentication". Ars Technica. Archived from the original on December 16, 2020. Retrieved December 17, 2020.
  14. ^ a b "Microsoft, FireEye confirm SolarWinds supply chain attack". ZDNet. December 14, 2020. Archived from the original on December 16, 2020. Retrieved December 16, 2020.
  15. ^ a b c "Sunburst Trojan – What You Need to Know". Deep Instinct. December 16, 2020. Archived from the original on December 18, 2020. Retrieved December 17, 2020.
  16. ^ a b c d e f g h i "VMware Flaw a Vector in SolarWinds Breach?". Krebs on Security. December 7, 2020. Retrieved December 18, 2020.
  17. ^ a b c "VMware Falls on Report Its Software Led to SolarWinds Breach". Bloomberg. December 18, 2020. Retrieved December 18, 2020.
  18. ^ a b c d e f g h i j k l Hvistendahl, Mara; Lee, Micah; Smith, Jordan (December 17, 2020). "Russian Hackers Have Been Inside Austin City Network for Months". The Intercept. Archived from the original on December 17, 2020. Retrieved December 18, 2020.
  19. ^ a b c d e "CISA orders agencies to quickly patch critical Netlogon bug". CyberScoop. September 21, 2020. Archived from the original on October 30, 2020. Retrieved December 18, 2020.
  20. ^ a b c d Bing, Christopher (December 13, 2020). "REFILE-EXCLUSIVE-U.S. Treasury breached by hackers backed by foreign government – sources". Reuters. Archived from the original on December 14, 2020. Retrieved December 14, 2020.
  21. ^ a b c d e f g Nakashima, Ellen (December 13, 2020). "Russian government spies are behind a broad hacking campaign that has breached U.S. agencies and a top cyber firm". The Washington Post. Archived from the original on December 13, 2020. Retrieved December 14, 2020.
  22. ^ a b c d e f g "Federal government breached by Russian hackers who targeted FireEye". NBC News. Archived from the original on December 14, 2020. Retrieved December 14, 2020.
  23. ^ "US cyber-attack: Russia 'clearly' behind SolarWinds operation, says Pompeo". BBC. December 19, 2020. Retrieved December 19, 2020.
  24. ^ a b Bossert, Thomas P. (December 17, 2020). "Opinion | I Was the Homeland Security Adviser to Trump. We're Being Hacked". The New York Times. Archived from the original on December 17, 2020. Retrieved December 17, 2020.
  25. ^ "U.S. Agencies Exposed in Attack by Suspected Russian Hackers". Bloomberg L.P. December 14, 2020. Archived from the original on December 16, 2020. Retrieved December 17, 2020.
  26. ^ "Cyber attack may be 'worst hacking case in the history of America'". Las Vegas Review-Journal. December 17, 2020. Archived from the original on December 18, 2020. Retrieved December 18, 2020.
  27. ^ "US under major active cyberattack from Russia, Trump's former security adviser warns". The Independent. December 17, 2020. Archived from the original on December 18, 2020. Retrieved December 17, 2020.
  28. ^ "What we know – and still don't – about the worst-ever US government cyber-attack". The Guardian. December 18, 2020.
  29. ^ [24][25][26][27][28]
  30. ^ a b c d "U.K. Government, NATO Join U.S. in Monitoring Risk From Hack". Bloomberg L.P. December 14, 2020. Archived from the original on December 15, 2020. Retrieved December 16, 2020.
  31. ^ a b "At Least 200 Victims Identified in Suspected Russian Hacking". December 19, 2020 – via www.bloomberg.com.
  32. ^ Macias, Amanda (December 13, 2020). "White House acknowledges reports of cyberattack on U.S. Treasury by foreign government". CNBC. Archived from the original on December 14, 2020. Retrieved December 14, 2020.
  33. ^ a b c Sanger, David E. (December 13, 2020). "Russian Hackers Broke Into Federal Agencies, U.S. Officials Suspect". The New York Times. Archived from the original on December 14, 2020. Retrieved December 14, 2020.
  34. ^ a b Rosenberg, Adam. "Russian government-backed hackers breached the U.S. Treasury, Commerce departments". Mashable. Archived from the original on December 14, 2020. Retrieved December 14, 2020.
  35. ^ a b Wade, Peter (December 13, 2020). "Treasury, Commerce, Other Agencies Hacked by Russian Government Spies, Report Says". Rolling Stone. Archived from the original on December 14, 2020. Retrieved December 14, 2020.
  36. ^ [21][32][33][34][35]
  37. ^ a b c Menn, Joseph (December 18, 2020). "Microsoft says it found malicious software in its systems". Reuters. Archived from the original on December 18, 2020. Retrieved December 17, 2020.
  38. ^ a b Wolff, Josephine (December 16, 2020). "What We Do and Don't Know About the Massive Federal Government Hack". Slate. Archived from the original on December 16, 2020. Retrieved December 17, 2020.
  39. ^ Cimpanu, Catalin (December 18, 2020). "NSA warns of federated login abuse for local-to-cloud attacks". Zero Day. Ziff-Davis. Retrieved December 19, 2020.
  40. ^ a b c d e Satter, Raphael (December 22, 2020). "'Dozens of email accounts' were hacked at U.S. Treasury -Senator Wyden" – via uk.reuters.com.
  41. ^ a b c "It could take years to evict Russia from the US networks it hacked, leaving it free to destroy or tamper with data, ex-White House official warns". MSN.
  42. ^ a b "Here are the critical responses required of all businesses after SolarWinds supply-chain hack". SC Media. December 15, 2020. Archived from the original on December 16, 2020. Retrieved December 16, 2020.
  43. ^ a b Gould, Joe (December 17, 2020). "No. 2 Senate Democrat decries alleged Russian hack as 'virtual invasion'". Defense News.
  44. ^ a b Colvin, Jill; Lee, Matthew (December 19, 2020). "Trump downplays Russia in first comments on hacking campaign". Associated Press. Retrieved December 20, 2020.
  45. ^ a b Stracqualursi, Veronica; Liptak, Kevin; Hansler, Jennifer (December 19, 2020). "Trump downplays massive cyber hack on government after Pompeo links attack to Russia". CNN. Retrieved December 19, 2020.
  46. ^ a b "How Not To Prevent a Cyberwar With Russia". Wired. June 18, 2019.
  47. ^ a b c Kaplan, Fred (December 15, 2020). "Trump Has Been Whining About Fake Fraud—and Ignoring a Real Cybersecurity Crisis". Slate. Archived from the original on December 16, 2020. Retrieved December 16, 2020.
  48. ^ Perlroth, Nicole; Sanger, David E. (May 16, 2018). "White House Eliminates Cybersecurity Coordinator Role (Published 2018)". The New York Times. Archived from the original on December 13, 2020. Retrieved December 16, 2020.
  49. ^ a b Brandom, Russell (December 14, 2020). "Trump's chaos made America a sitting duck for cyberattacks". The Verge. Archived from the original on December 15, 2020. Retrieved December 17, 2020.
  50. ^ a b "Russian government hackers behind breach at US treasury and commerce departments". The Independent. December 13, 2020. Archived from the original on December 13, 2020. Retrieved December 14, 2020.
  51. ^ Nakashima, Ellen; Miroff, Nick (November 17, 2020). "Trump fires top DHS official who refuted his claims that the election was rigged". The Washington Post. Archived from the original on November 18, 2020. Retrieved November 18, 2020.
  52. ^ Bowden, John (December 13, 2020). "Hackers backed by foreign government breach Treasury, Commerce departments: reports". The Hill. Archived from the original on December 15, 2020. Retrieved December 15, 2020.
  53. ^ Cobb, Adrienne (December 15, 2020). "Forensic News Roundup: Russia hacks U.S. government, Trump silent". Forensic News. Archived from the original on December 18, 2020. Retrieved December 17, 2020.
  54. ^ "Leadership". Department of Homeland Security. September 7, 2006. Archived from the original on December 16, 2020. Retrieved December 17, 2020.
  55. ^ Miller, Maggie (November 12, 2020). "Senior DHS cybersecurity official to step down at end of week". The Hill. Archived from the original on November 28, 2020. Retrieved December 17, 2020.
  56. ^ a b c d e f "The SolarWinds Perfect Storm: Default Password, Access Sales and More". threatpost.com. Archived from the original on December 17, 2020. Retrieved December 17, 2020.
  57. ^ a b c "Hackers used SolarWinds' dominance against it in sprawling spy campaign". Reuters. December 16, 2020. Archived from the original on December 17, 2020. Retrieved December 16, 2020.
  58. ^ "SolarWinds Adviser Warned of Lax Security Years Before Hack". December 21, 2020. Retrieved December 22, 2020 – via www.bloomberg.com.
  59. ^ a b c d "SolarWinds Hack Could Affect 18K Customers". Krebs on Security. Archived from the original on December 16, 2020. Retrieved December 16, 2020.
  60. ^ Varghese, Sam. "SolarWinds FTP credentials were leaking on GitHub in November 2019". itwire.com. Archived from the original on December 15, 2020. Retrieved December 17, 2020.
  61. ^ a b c McCarthy, Kieren. "SolarWinds: Hey, only as many as 18,000 customers installed backdoored software linked to US govt hacks". The Register. Archived from the original on December 16, 2020. Retrieved December 16, 2020.
  62. ^ a b Claburn, Thomas. "We're not saying this is how SolarWinds was backdoored, but its FTP password 'leaked on GitHub in plaintext'". The Register. Archived from the original on December 18, 2020. Retrieved December 17, 2020.
  63. ^ a b c Novet, Jordan (December 16, 2020). "SolarWinds hack has shaved 23% from software company's stock this week". CNBC. Archived from the original on December 16, 2020. Retrieved December 17, 2020.
  64. ^ McCarthy, Kieren. "SolarWinds' shares drop 22 per cent. But what's this? $286m in stock sales just before hack announced?". The Register. Archived from the original on December 17, 2020. Retrieved December 17, 2020.
  65. ^ "SolarWinds falls under scrutiny after hack, stock sales". MarketWatch. Associated Press. Archived from the original on December 17, 2020. Retrieved December 17, 2020.
  66. ^ a b c d e Menn, Joseph (December 18, 2020). "Microsoft says it found malicious software in its systems". Reuters. Archived from the original on December 18, 2020. Retrieved December 18, 2020.
  67. ^ a b c Sanger, David E.; Perlroth, Nicole (December 17, 2020). "More Hacking Attacks Found as Officials Warn of 'Grave Risk' to U.S. Government". The New York Times. Archived from the original on December 17, 2020. Retrieved December 17, 2020.
  68. ^ a b c d "No One Knows How Deep Russia's Hacking Rampage Goes". Wired. Archived from the original on December 17, 2020. Retrieved December 16, 2020.
  69. ^ a b c d e Goodin, Dan (December 14, 2020). "~18,000 organizations downloaded backdoor planted by Cozy Bear hackers". Ars Technica. Archived from the original on December 16, 2020. Retrieved December 17, 2020.
  70. ^ a b Sharwood, Simon. "Trump administration says Russia behind SolarWinds hack. Trump himself begs to differ". The Register.
  71. ^ a b Cimpanu, Catalin. "Microsoft to quarantine SolarWinds apps linked to recent hack". ZDNet. Archived from the original on December 17, 2020. Retrieved December 16, 2020.
  72. ^ Lyons, Kim (December 13, 2020). "Hackers backed by Russian government reportedly breached US government agencies". The Verge. Archived from the original on December 14, 2020. Retrieved December 15, 2020.
  73. ^ "CISA Issues Emergency Directive to Mitigate the Compromise of Solarwinds Orion Network Management Products". CISA. Archived from the original on December 15, 2020. Retrieved December 15, 2020.
  74. ^ "U.S. Government Agencies Hit by Hackers During Software Update". MSN. Archived from the original on December 18, 2020. Retrieved December 14, 2020.
  75. ^ a b Cimpanu, Catalin. "Microsoft and industry partners seize key domain used in SolarWinds hack". ZDNet. Archived from the original on December 17, 2020. Retrieved December 17, 2020.
  76. ^ a b c d e f "DHS Among Those Hit in Sophisticated Cyberattack by Foreign Adversaries – Report". threatpost.com. Archived from the original on December 16, 2020. Retrieved December 17, 2020.
  77. ^ a b Timberg, Craig; Nakashima, Ellen (December 16, 2020). "Russians outsmart US government hacker detection system — but Moscow denies involvement". The Independent. Archived from the original on December 18, 2020. Retrieved December 16, 2020.
  78. ^ a b c d e f g "SolarWinds: Why the Sunburst hack is so serious". BBC. December 16, 2020. Archived from the original on December 16, 2020. Retrieved December 18, 2020.
  79. ^ a b "SolarWinds Orion and UNC2452 – Summary and Recommendations". TrustedSec. December 14, 2020. Archived from the original on December 15, 2020. Retrieved December 17, 2020.
  80. ^ "FireEye, Microsoft create kill switch for SolarWinds backdoor". BleepingComputer. Archived from the original on December 17, 2020. Retrieved December 18, 2020.
  81. ^ "Trend data on the SolarWinds Orion compromise". The Cloudflare Blog. December 16, 2020. Archived from the original on December 16, 2020. Retrieved December 16, 2020.
  82. ^ a b "After high profile hacks hit federal agencies, CISA demands drastic SolarWinds mitigation". SC Media. December 14, 2020. Archived from the original on December 15, 2020. Retrieved December 17, 2020.
  83. ^ a b "Mitigating Cloud Supply-chain Risk: Office 365 and Azure Exploited in Massive U.S Government Hack". CipherCloud. December 18, 2020. Archived from the original on December 18, 2020. Retrieved December 18, 2020.
  84. ^ a b "Massive hack of US government launches search for answers as Russia named top suspect". ABC57. Archived from the original on December 18, 2020. Retrieved December 17, 2020.
  85. ^ Dorfman, Zach. "What we know about Russia's sprawling hack into federal agencies". Axios. Archived from the original on December 15, 2020. Retrieved December 16, 2020.
  86. ^ a b "Schiff calls for 'urgent' work to defend nation in the wake of massive cyberattack". MSN. Archived from the original on December 17, 2020. Retrieved December 17, 2020.
  87. ^ "Unraveling Network Infrastructure Linked to the SolarWinds Hack". DomainTools. Archived from the original on December 17, 2020. Retrieved December 17, 2020.
  88. ^ "The U.S. government spent billions on a system for detecting hacks. The Russians outsmarted it". The Seattle Times. Archived from the original on December 18, 2020. Retrieved December 16, 2020.
  89. ^ a b "How the SolarWinds Hackers Bypassed Duo's Multi-Factor Authentication – Schneier on Security". schneier.com. Archived from the original on December 17, 2020. Retrieved December 17, 2020.
  90. ^ a b "US treasury hacked by foreign government group – report". The Guardian. December 13, 2020. Archived from the original on December 14, 2020. Retrieved December 14, 2020.
  91. ^ "Foreign government hacked into US Treasury Department's emails – reports". Sky News. Archived from the original on December 14, 2020. Retrieved December 14, 2020.
  92. ^ "Hackers backed by foreign government reportedly steal info from US Treasury". The Times of Israel. Archived from the original on December 14, 2020. Retrieved December 14, 2020.
  93. ^ Sanger, David E.; Perlroth, Nicole (December 8, 2020). "FireEye, a Top Cybersecurity Firm, Says It Was Hacked by a Nation-State". The New York Times. Archived from the original on December 15, 2020. Retrieved December 15, 2020.
  94. ^ "US cybersecurity firm FireEye says it was hacked by foreign government". The Guardian. December 9, 2020. Archived from the original on December 16, 2020. Retrieved December 15, 2020.
  95. ^ a b "Russia's FireEye Hack Is a Statement—but Not a Catastrophe". Wired. Archived from the original on December 16, 2020. Retrieved December 17, 2020.
  96. ^ "Suspected Russia SolarWinds hack exposed after FireEye cybersecurity firm found "backdoor"". Newsweek. December 15, 2020. Archived from the original on December 16, 2020. Retrieved December 16, 2020.
  97. ^ "Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor". FireEye. December 13, 2020. Archived from the original on December 15, 2020. Retrieved December 15, 2020.
  98. ^ Paul, Kari (December 15, 2020). "What you need to know about the biggest hack of the US government in years". The Guardian. Archived from the original on December 16, 2020. Retrieved December 16, 2020.
  99. ^ "Dark Halo Leverages SolarWinds Compromise to Breach Organizations". Volexity.
  100. ^ a b c Tarabay, Jamie (December 15, 2020). "Hacking Spree by Suspected Russians Included U.S. Think Tank". Bloomberg L.P. Archived from the original on December 18, 2020. Retrieved December 17, 2020.
  101. ^ "Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets". CISA.
  102. ^ Goodin, Dan (December 7, 2020). "NSA says Russian state hackers are using a VMware flaw to ransack networks". Ars Technica. Retrieved December 19, 2020.
  103. ^ Bing, Christopher (December 14, 2020). "Russian-sponsored hackers behind broad security breach of U.S. agencies: sources". The Japan Times. Archived from the original on December 14, 2020. Retrieved December 14, 2020.
  104. ^ a b Katz, Justin (December 23, 2020). "50 orgs 'genuinely impacted' by SolarWinds hack, FireEye chief says". Defense Systems.
  105. ^ a b "Trump downplays government hack after Pompeo blames it on Russia". the Guardian. December 19, 2020.
  106. ^ Byrnes, Jesse (December 19, 2020). "Pompeo: Russia 'pretty clearly' behind massive cyberattack". The Hill.
  107. ^ a b c "Trump downplays massive US cyberattack, points to China". Deutsche Welle. December 19, 2020.
  108. ^ a b Axelrod, Tal (December 19, 2020). "Trump downplays impact of hack, questions whether Russia involved". The Hill.
  109. ^ "US cyber-attack: Around 50 firms 'genuinely impacted' by massive breach". December 20, 2020. Retrieved December 21, 2020 – via www.bbc.com.
  110. ^ "Trump finds himself isolated in refusal to blame Russia for big cyberattack". Los Angeles Times. December 20, 2020. Retrieved December 21, 2020.
  111. ^ a b "U.S. Agencies and Companies Secure Networks After Huge Hack". Time. Archived from the original on December 16, 2020. Retrieved December 16, 2020.
  112. ^ Wilkie, Christina (December 21, 2020). "Attorney General Barr breaks with Trump, says SolarWinds hack 'certainly appears to be the Russians'". CNBC. NBCUniversal News Group. Retrieved December 22, 2020.