Hackers tied to Russia hit US nuclear agency, 3 states; Microsoft breached

Microsoft was breached in the massive hacking campaign disclosed by US officials this week, according to people familiar with the matter, adding a top technology target to a growing list of vital government agencies.

SAN FRANCISCO (BLOOMBERG, REUTERS) - The US nuclear weapons agency and at least three states were hacked as part of a suspected Russian cyber attack that struck a number of federal government agencies.

Microsoft Corp was also breached, and its products were used to further attacks on others, Reuters reported.

The Redmond, Washington company said it detected a malicious version of software from SolarWinds inside the company but that its investigation so far showed no evidence hackers had used Microsoft systems to attack customers.

It is a user of Orion, the widely deployed networking management software from SolarWinds Corp, which was used in the suspected Russian attacks on US agencies and others. 

Microsoft also had its own products leveraged to attack victims, said people familiar with the matter.

The US National Security Agency issued a rare “cyber-security advisory” Thursday detailing how certain Microsoft Azure cloud services may have been compromised by hackers and directing users to lock down their systems.

“Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious Solar Winds binaries in our environment, which we isolated and removed,” a Microsoft spokesperson said, adding that the company had found “no indications that our systems were used to attack others.”

One of the people familiar with the hacking spree said the hackers made use of Microsoft cloud offerings while avoiding Microsoft’s corporate infrastructure. Microsoft did not immediately respond to questions about the technique.

Still, another person familiar with the matter said the Department of Homeland Security (DHS) does not believe Microsoft was a key avenue of fresh infection.

Both Microsoft and the DHS, which earlier on Thursday said the hackers used multiple methods of entry, are continuing to investigate.

The FBI and other agencies have scheduled a classified briefing for members of Congress Friday.

The Energy Department and its National Nuclear Security Administration, which maintains America’s nuclear stockpile, were targeted as part of the larger attack, according to a person familiar with the matter. 

An ongoing investigation has found the hack didn’t affect “mission-essential national security functions,” Shaylyn Hynes, a Department of Energy spokeswoman, said in a statement.

“At this point, the investigation has found that the malware has been isolated to business networks only,” Hynes said. The hack of the nuclear agency was reported earlier by Politico.

In addition, two people familiar with the broader government investigation into the attack said three states were breached, though they wouldn’t identify the states. A third person familiar with the probe confirmed that states were hacked but didn’t provide a number.

In an advisory Thursday that signalled the widening alarm over the breach, the Cybersecurity and Infrastructure Security Agency said the hackers posed a “grave risk” to federal, state and local governments, as well as critical infrastructure and the private sector.

The agency said the attackers demonstrated “sophistication and complex tradecraft.”

While President Donald Trump has yet to publicly address the hack, President-elect Joe Biden issued a statement Thursday on “what appears to be a massive cybersecurity breach affecting potentially thousands of victims, including US companies and federal government entities.”

Biden’s pledge

“I want to be clear: My administration will make cybersecurity a top priority at every level of government – and we will make dealing with this breach a top priority from the moment we take office,” Biden said, pledging to impose “substantial costs on those responsible for such malicious attacks.”

Russia has denied any involvement in the attack. Microsoft spokesman Frank Shaw didn’t immediately respond to a request for comment.

Hynes, the Department of Energy spokeswoman, said that efforts were immediately taken to mitigate the risk from the hack, including disconnecting software “identified as being vulnerable to this attack.”

Although many details are still unclear, the hackers are believed to have gained access to networks by installing malicious code in a widely used software program from SolarWinds Corp, whose customers include government agencies and Fortune 500 companies, according to the company and cyber-security experts.

The departments of Homeland Security, Treasury, Commerce and State were also breached, according to a person familiar with the matter.

“This is a patient, well-resourced, and focused adversary that has sustained long duration activity on victim networks,” the cybersecurity agency said in its bulletin.

The Department of Homeland Security, which said earlier Thursday that the hackers used multiple methods of entry, is continuing to investigate.


The Department of Homeland Security said in a bulletin on Thursday that the spies had used other techniques besides corrupting updates of network management software by SolarWinds, which is used by hundreds of thousands of companies and government agencies.

"The SolarWinds Orion supply chain compromise is not the only initial infection vector this APT actor leveraged," said DHS's Cybersecurity and Infrastructure Security Agency, referring to "advanced persistent threat" adversaries.

CISA urged investigators not to assume their organisations were safe if they did not use recent versions of the SolarWinds software, while also pointing out that the hackers did not exploit every network they did gain access to.

CISA said it was continuing to analyse the other avenues used by the attackers. So far, the hackers are known to have at least monitored email or other data within the US departments of Defence, State, Treasury, Homeland Security and Commerce.

As many as 18,000 Orion customers downloaded the updates that contained a back door. Since the campaign was discovered, software companies have cut off communication from those back doors to the computers maintained by the hackers.

But the attackers might have installed additional ways of maintaining access in what some have called the biggest hack in a decade.

For that reason, officials said that security teams should communicate through special channels to ensure that their own detection and remediation efforts are not being monitored.

The Department of Justice, FBI and Defense Department, among others, have moved routine communication onto classified networks that are believed not to have been breached, according to two people briefed on the measures. They are assuming that the non-classified networks have been accessed.

CISA and private companies including FireEye, which was the first to discover and reveal it had been hacked, have released a series of clues for organisations to look for to see if they have been hit.

But the attackers are very careful and have deleted logs, the electronic footprints of which files they have accessed. That makes it hard to know what has been taken.

Some major companies have issued carefully worded statements saying that they have "no evidence" that they were penetrated, but in some cases that may only be because the evidence was removed.

In most networks, the attackers would also have been able to create false data, but so far it appears they were interested only in obtaining real data, people tracking the probes said.

Meanwhile, members of Congress are demanding more information about what may have been taken and how, along with who was behind it. The House Homeland Security Committee and Oversight Committee announced an investigation Thursday, while senators pressed to learn whether individual tax information was obtained.