A devastating cyber attack believed to be tied to Russia continues to pose a “grave risk” to government networks and the private sector, according to an ominous warning issued Thursday by the Department of Homeland Security.
The bulletin from DHS’ Cybersecurity and Infrastructure Security Agency (CISA) represented the most striking assessment yet of a cascading threat to federal, state and local networks.
“CISA has determined that this threat poses a grave risk to the federal government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations,” the bulletin stated.
“This… actor has demonstrated patience, operational security, and complex tradecraft in these intrusions,” CISA said of the hackers, adding that the ongoing effort to eliminate the threat “will be highly complex and challenging.”
Networks at the Department of Energy and the National Nuclear Security Administration, which manages the country’s nuclear weapons stockpile, also may have been compromised, according to reports by the Washington Post and Politico.
The attackers penetrated federal computer systems through compromised software updates to Orion, a widely used network-monitoring product from a company called SolarWinds.
The threat apparently came from the same cyberespionage campaign that has afflicted cybersecurity firm FireEye, foreign governments and major corporations.
SolarWinds’ software is used by hundreds of thousands of organizations globally, including most Fortune 500 companies and multiple U.S. federal agencies, which will now be scrambling to patch and inspect their networks.
The sophisticated attack breached the Treasury and Commerce departments and potentially other agencies. The Commerce Department said in a statement that it asked the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the FBI to investigate.
The Department of Homeland Security is also reviewing a possible breach of its own systems, spokesman Alexei Woltornist said.
But the full extent of the damage is not yet clear.
“Think of it like a health virus that manages to get into your body,” said Mathieu Gorge, a cybersecurity expert and author of the forthcoming book “The Cyber Elephant in the Boardroom.” “Once it’s in your body, it multiplies, using all of the organs and all of the arteries and all the liquids in your body. Everything is interconnected.”
Here’s what you need to know so far.
It’s too early to say what the attackers were after, since the attack was only recently discovered, but it appears to have exploited what SolarWinds called a “potential vulnerability” related to updates released between March and June for Orion, its product for monitoring networks for problems.
But early indications suggest the attackers were seeking information on American hacking capabilities and defenses. Call it the latest phase in what could be a cyber-era cold war.
“It appears the attackers may have taken our own tools for finding vulnerabilities in foreign networks,” said Matthew Schmidt, a professor in the national security department of the University of New Haven’s Henry C. Lee College of Criminal Justice and Forensic Sciences. “They hacked our hacking capability. It’s very early, but the level of immediate reaction suggests a very, very serious intrusion.”
National Security Council spokesman John Ullyot said authorities are working with cyber units at DHS and FBI to “coordinate a swift and effective, whole-of-government recovery and response to the recent compromise.”
There is reason for Americans to be concerned: the federal agencies targeted in the attack hold a storehouse of personal information about them. But comprehensive details on the motivations of the attackers remain unclear.
“The initial sense is that the attack left the updating system for many key security systems open to exploitation, meaning it’s possible they could have attained root access to many agencies’ systems,” Schmidt said in an email interview. “If that’s true, and we don’t know yet, it could mean the most important systems are compromised – personnel data, including foreign agents, planning, operations, etc. If anything near the worst is true, it will mean months of work to determine whether it’s safe to use these systems.”
Americans, just like the agencies targeted in the attack, should take a consistent approach to protecting themselves.
Use long, unique passwords for each of your digital accounts, ideally kept in a password manager. Monitor your finances closely. Turn on two-factor authentication for critical accounts such as email and social media. Don’t click on links from any source you haven’t verified as legitimate.
“People need to change any passwords they’ve used on (U.S. government) sites like Social Security, IRS, Small Business Administration,” Schmidt said.
Unfortunately, there may be little people can do to protect themselves when the governments, companies and organizations that have their personal information fall prey to attacks.
“The challenge is that the criminals only need to get it right once, whereas the government and companies need to get it right all the time,” Gorge said.
Gorge urged Americans to look out for notifications from government agencies or corporations that their information has been compromised. In many previous cyber breaches, affected consumers are offered identity theft monitoring services for free.
The government’s first focus should be on ousting the intruders, Gorge said.
“You need to be in the mode that allows you to contain the hack as much as possible as you investigate,” he said.
The attackers likely breached other agencies or organizations in addition to those already identified, which only makes it more urgent to root out the infiltrators. FireEye CEO Kevin Mandia said the attacks appear to have started in the spring.
“This might be a domino effect,” Gorge said. “It’s a coordinated attack. It’s a sophisticated attack and I don’t think we’ve seen the end of it.”
The government is organizing its response to the intrusion without its top cybersecurity protection official. Last month, President Donald Trump fired Christopher Krebs, director of DHS’ CISA, after he declared that the election was the most secure in American history.
“The Russians have had access to a considerable number of important and sensitive networks for six to nine months,” Thomas Bossert, a former homeland security adviser to President Trump, said in a column published in The New York Times, adding that Russian intelligence officials have likely gained “administrative control over the networks it considered priority targets.”
“For those targets, the hackers will have long ago moved past their entry point, covered their tracks and gained what experts call ‘persistent access,’ meaning the ability to infiltrate and control networks in a way that is hard to detect or remove.”
Bossert said it could take years to learn the depth of the damage.
When it comes to cybersecurity attacks, there’s a degree of inevitability in the air, despite everyone’s best attempts to protect themselves – particularly when a motivated and sophisticated nation-state poses a threat.
“There’s a saying in the industry that there are only two types of companies – those that have been breached and those that don’t know they’ve been breached,” Gorge said. “Everybody has security incidents. How they deal with the breach will decide whether the public trusts them or not.”
Ilia Sotnikov, vice president of product management at cybersecurity software provider Netwrix, said companies’ cybersecurity teams should “immediately take advantage of countermeasures offered by FireEye” and be on the alert for additional security updates.
“This attack is further evidence that a motivated hacker will be able to compromise any organization, no matter how well it is protected,” Sotnikov said. “Our new normal right now is to be open about a data breach and own the message as FireEye did.”
Gorge agreed that FireEye has taken the right steps by providing regular updates to the public and is widely respected in the cybersecurity industry.
“FireEye is extremely good at what they’re doing and they are pioneers,” he said. “They are ahead of the pack.”
Contributing: Mike Snider and the Associated Press
Follow USA TODAY reporter Nathan Bomey on Twitter @NathanBomey.