CISA orders U.S. agencies to search their networks for compromises; Commerce dept. confirms data breach
Dec. 14 (UPI) — The cybersecurity arm of the Department of Homeland Security has issued an emergency directive for all federal civilian executive branch agencies to search their networks for indications they were compromised after the Commerce Department confirmed it was hacked.
The Cybersecurity and Infrastructure Security Agency issued the directive late Sunday, stating cybersecurity products by Austin-based SolarWinds “are currently being exploited by malicious actors.”
“CISA has determined that this exploitation of SolarWinds products poses an unacceptable risk,” it said, stating the impact of a successful attack could be “grave.”
SolarWinds products are used by more than 300,000 customers, including more than 400 of the U.S. Fortune 500 companies, five branches of the U.S. military and the Departments of Defense, State and Justice as well as the office of the president, according to its website.
The company described the attack in a statement as “highly sophisticated” and likely conducted by an outside nation state that targeted specific entities.
Though the extent of the intrusion is unknown, the Commerce Department confirmed in a statement to CNN that it was one of the federal agencies breached.
“We can confirm there has been a breach in one of our bureaus,” it said without specifying which one. “We have asked CISA and the FBI to investigate, and we cannot comment further at this time.”
John Ullyot, the spokesman for the National Security Council, said in a statement that the U.S. government was aware of the reports and was “taking all necessary steps to identify and remedy any possible issues related to the situation.”
The breach comes less than a week after leading U.S. cybersecurity firm FireEye, which works with both government and private-sector clients, announced on Tuesday that it had been hacked by “a nation with top-tier offensive capabilities” that stole the tools it uses to mimic the behavior of malicious cyberactors when testing security systems.
On Sunday, the company said its investigation uncovered the “global campaign” targeting the networks of public and private organizations that was delivered through updates to the network-monitoring products developed by SolarWinds.
“The campaign demonstrates top-tier operational tradecraft and resourcing consistent with state-sponsored threat actors,” Kevin Mandia, the chief executive officer of FireEye, said in a statement.
The company said it has identified multiple organizations that have indications they were breached as far back as the spring, stating each attack required “meticulous planning and manual interaction.”
SolarWinds said the updates in question were released between March and June.
The attack comes a week after the National Security Agency issued a warning that “Russian state-sponsored malicious cyberactors” were exploiting vulnerabilities in software used by departments in the U.S. government.
Russia responded to speculation it was behind the attack revealed on Sunday, stating “malicious activities in the information space” contradict its foreign policy, national interests and understanding of interstate relations.
“Russia does not conduct offensive operations in the cyber domain,” the Embassy of Russia in the United States said in a statement published on Facebook.
CISA said in the emergency directive that agencies operating SolarWinds products have until noon Monday to provide it with a complete report of their analysis of potential compromises.
“Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners — in the public and private sectors — to assess their exposure to this compromise and to secure their networks against any exploitation,” Brandon Wales, CISA acting director, said in a statement.