US nuclear weapons agency hacked in cyber attack

Other govt agencies, at least 3 states and Microsoft also hit in suspected Russian op

SAN FRANCISCO • The United States nuclear weapons agency and at least three states were hacked as part of a suspected Russian cyber attack that struck a number of federal government agencies.
Microsoft was also breached, and its products were used to further attacks on others, Reuters reported.
The software giant said it detected a malicious version of software from technology firm SolarWinds inside the company, but that its investigation so far showed no evidence hackers had used Microsoft systems to attack customers.
Microsoft is a user of Orion, the widely deployed networking management software from SolarWinds, which was used in the suspected Russian attacks on US agencies and others.
The company also had its own products leveraged to attack victims, said sources familiar with the matter.
The US National Security Agency issued a rare "cyber-security advisory" on Thursday detailing how certain Microsoft Azure cloud services may have been compromised by hackers and directing users to lock down their systems.
"Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed," a Microsoft spokesman said, adding that the company had found "no indications that our systems were used to attack others".
One of the sources said the hackers made use of Microsoft cloud offerings while avoiding the firm's corporate infrastructure.
The company did not immediately respond to questions about the technique.
Still, another source said the Department of Homeland Security (DHS) does not believe Microsoft was a key avenue of fresh infection.
Both Microsoft and the DHS, which on Thursday said the hackers used multiple methods of entry, are continuing to investigate.
The Department of Energy and its National Nuclear Security Administration, which maintains America's nuclear stockpile, were targeted as part of the larger attack, according to a source.
An ongoing investigation has found the hack did not affect "mission-essential national security functions", Ms Shaylyn Hynes, a Department of Energy spokesman, said in a statement.
"At this point, the investigation has found that the malware has been isolated to business networks only," Ms Hynes said.
The hack of the nuclear agency was reported earlier by Politico.
In addition, two sources familiar with the broader government investigation into the attack said three states were breached, though they would not identify the states.
A third source familiar with the probe confirmed that states were hacked but did not provide a number.
In an advisory on Thursday that signalled the widening alarm over the breach, the Cybersecurity and Infrastructure Security Agency said the hackers posed a "grave risk" to federal, state and local governments, as well as critical infrastructure and the private sector.
The agency said the attackers demonstrated "sophistication and complex tradecraft".
While US President Donald Trump has yet to publicly address the hack, President-elect Joe Biden issued a statement on Thursday on "what appears to be a massive cyber-security breach affecting potentially thousands of victims, including US companies and federal government entities".
"I want to be clear: My administration will make cyber security a top priority at every level of government - and we will make dealing with this breach a top priority from the moment we take office," Mr Biden said, pledging to impose "substantial costs on those responsible for such malicious attacks".
Russia has denied any involvement in the attack.
Microsoft spokesman Frank Shaw did not immediately respond to a request for comment.
Ms Hynes said that efforts were immediately taken to mitigate the risk from the hack, including disconnecting software "identified as being vulnerable to this attack".
BLOOMBERG, REUTERS
What is known about the attack

1 HOW DID THE HACKERS GET IN?

Hackers managed to compromise and install malware on a piece of security software - the Orion security tool developed by SolarWinds, which is used for management and supervision of IT networks.
The hackers aimed to compromise the software's automatic update function. The break-in further allowed them to gain an idea of their victims' systemic structural vulnerabilities.
The malware was laced into the software updates, which breached network security and allowed access to data, including mail. FireEye said the breaches began around March.

2 WHO ARE THE VICTIMS?

According to SolarWinds, 18,000 users of Orion have potentially suffered a security breach, including government agencies and Fortune 500 companies. These include:
• Cyber-security company FireEye
• Microsoft
• US Department of Homeland Security
• US Department of Treasury
• US Department of Commerce's National Telecommunications and Information Administration
• Parts of the US Department of Defence
• US State Department
• US National Institutes of Health
Firms or institutions that have used infected updates are urged to disconnect their servers and check for telltale signs their data might have been compromised.

3 WHO IS TO BLAME?

FireEye and Microsoft believe the attack was by a nation state and expert analysis has pointed the finger at Russia, as have anonymous US security sources.
These US sources have focused on an organisation known as advanced persistent threat (APT) 29, or Cozy Bear, which is believed to be linked to one or more Russian intelligence agencies and previously hacked the White House under former US president Barack Obama.

4 LESSONS TO LEARN

Mr Jacques de la Riviere, who runs French cyber-security firm Gatewatcher, says he has responded by ramping up protection on his own servers.
Beyond that, he hopes the high-profile attack will encourage firms and institutions to be more demanding when it comes to stewardship of their data and software security.
"This could be a turning point, where many clients are going to start saying 'I no longer want to purchase software that has not been certified by a third party'," he said.
AGENCE FRANCE-PRESSE