Hunting the hunters: How Russian hackers targeted US cyber first responders in SolarWinds breach
After infiltrating US government computer networks early last year as part of the SolarWinds data breach, the hackers then turned their attention to the very people whose job was to track them down.
Over the course of a few months, as US officials remained unaware of the breach, hackers identified a handful of key cyber security officials and analysts who would be among the first to respond once the hack was detected, so-called 'threat hunters,' and attempted to access their email accounts, according to two sources familiar with the matter.
While it is unclear if any of those accounts were compromised, sources say the fact that the hackers knew which working-level cybersecurity analysts at the Department of Homeland Security to go after suggests they were able to develop a much deeper understanding of US cyberdefenses than was previously known.
"It appears as if the Russian SolarWinds hackers possess granular information on personnel and who among them is likely to be involved in investigating the SolarWinds hack," said Cedric Leighton, a former NSA official and CNN military analyst. "This could mean that networks have been penetrated to a degree we've not known before. If that's true, we need a complete housecleaning of all our defensive cyberoperations."
The assessment that hackers deliberately targeted DHS threat hunters, which has not been previously reported, underscores how the SolarWinds attack was among the most sophisticated cyberoperations ever conducted against the US, according to current and former officials.
By keeping tabs on these cyber first responders, sources and experts tell CNN the hackers could have been able to monitor in real-time as US officials began to discover the attack, allowing them to tailor their actions accordingly and remain hidden for as long as possible.
"What this does is it shows a level of sophistication in terms of targeting those who are working actively to prevent the attacks from either occurring or expanding. And so that is different than what you're seeing in past cyberattacks," former acting DHS undersecretary Chris Cummiskey told CNN.
"The level of sophistication is problematic because they're actually going after people that they see as more valuable, so it shows a sense of prioritization," he added.
While emails belonging to the senior-most cyber officials, including Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency, do not appear to have been accessed, sources told CNN that the hackers deliberately targeted other top cyberofficials at the agency in addition to lower-level threat hunters.
Initial reports briefed to the Hill showed that around 30 email accounts at DHS were infiltrated as part of the SolarWinds breach, including that of former acting secretary Chad Wolf and former DHS Chief Information Officer Karen Evans, according to a Capitol Hill aide. There was no indication that classified information was accessed in the hack, the aide added.
The Associated Press reported that suspected Russian hackers gained access to Wolf's account and cybersecurity staff who were hunting threats from foreign countries.
After the hack, senior staff at DHS headquarters received new phones, a former department official told CNN, indicating the impact was significant at DHS.
Wolf and Evans declined to comment. Other federal agencies.
At a hearing last month, GOP Rep. Pat Fallon of Texas said he was "alarmed" by the fact that "the Secretary of Homeland Security's own email had been compromised."
"This attacker stayed laser focused on stealing specific information," said cybersecurity firm FireEye's CEO Kevin Mandia at the same hearing. "They showed, arguably, restraint and they didn't do anything destructive."
FireEye, also a victim of the hack, to the breach in early December.
CISA has still not publicly acknowledged if it was impacted in the SolarWinds breach, and a DHS spokesperson declined to say so again Wednesday when asked if email accounts belonging to members of the threat hunter team were targeted.
The spokesperson did, however, confirm that a "small number of employees' accounts were targeted in the breach," referring to DHS more broadly. The department no longer sees "indicators of compromise in its networks," the spokesperson added.
The targeting of department emails didn't interrupt operations, according to a senior CISA official who said private sector partners helped DHS and CISA evict the hackers from the department's networks.
"That response resulted in a conclusion that after remediation steps were taken the adversary had been removed from the network," the official told reporters in a briefing call earlier this week, adding that operations were able to continue.
A DHS spokesperson also told CNN that the agency's operational cybersecurity teams utilize various communications methods to continue executing their mission under all circumstances, and that they were able to do so in this instance.
How will the Biden administration respond against Russia?
The Biden administration and send vague messages about its plans to hold Russia accountable. In February, the White House began a 60-day review of the hack and has since outlined responses it plans to level against Russia but offered few specifics.
The National Security Council, which is leading the effort, reiterated this week that a response consisting of "seen and unseen" actions will be coming in a matter of "weeks not months." That timeframe in February by national security adviser Jake Sullivan.
What that response will look like remains unclear but it is expected to include sanctions, cyberoperations and an executive order to make improvements to national cybersecurity.
An executive order with initiatives designed to shore up the government's cyberdefenses is expected sooner, according to administration officials.
Deputy national security adviser Anne Neuberger, the White House's top cyberofficial, has been tapped to lead the sprawling effort that spans multiple government agencies.
"That EO will be released shortly and it will make fundamental improvements to national cybersecurity; many of these measures are long overdue," Neuberger said in a statement to CNN on Tuesday. "We are working closely across the federal government, Congress, and the private sector to continue making the necessary investments to defend the nation against malicious cyber activity."
While Neuberger is the most senior cyberofficial ever appointed in an administration, the unprecedented Russian breach and the massive Chinese hack of Microsoft Exchange servers underscore that two key, senior cyberpositions remain unfilled: the newly-created role of National Cyber Director, a position that is supposed to be the President's top adviser on all cyber issues, and the director of CISA inside DHS. Both require Senate confirmation.
The National Cyber Director position was created by Congress but has not been funded and questions remain over how it will work alongside the NSC and CISA. Administration officials argue that though a CISA Director is needed and expected soon, the agency is being run by a deeply experienced staff, both career and newly-appointed officials.
Krebs, the first and only permanent CISA director, argued Thursday that Neuberger's appointment "addressed many of the concerns that prompted the creation of the [National Cyber Director]."
"If we're talking about nominees, I'd prefer to see my successor [at CISA] named ASAP!" he tweeted. "Need to round out the team!"