Tactics unseen used in U.S. hacks
WASHINGTON — Federal investigators reported Thursday on evidence of previously unknown tactics for penetrating government computer networks, a development that underscores the disastrous reach of Russia’s recent intrusions and the logistical nightmare facing federal officials trying to purge intruders from key systems.
The troubling development comes as news broke of more federal agencies falling victim to the Russian hacking case. The latest to discover evidence of compromise are the Department of Energy and the National Nuclear Security Administration, which manages the country’s nuclear weapons stockpile, according to a U.S. official who spoke on the condition of anonymity because of the matter’s sensitivity. The latest breaches were first reported by Politico.
For days it has been clear that compromised software patches distributed by a Texas-based company, SolarWinds Corp., were central to Russian efforts to gain access to U.S. government computer systems. But Thursday’s alert from the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security said evidence suggested there was other malware used to initiate what the alert described as “a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations.”
While many details remained unclear, the revelation about new modes of attack raises fresh questions about the access that Russian hackers were able to gain in government and corporate systems worldwide.
“This adversary has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks,” the alert said. “It is likely that the adversary has additional initial access vectors and tactics, techniques, and procedures [TTPs] that have not yet been discovered.”
The U.S. government has not publicly blamed Russia for the hacks, but U.S. officials speaking privately say that Russian government hackers were behind the operation. Moscow has denied any involvement.
The alert cited a blog post this week from Volexity, a Reston, Va.-based cybersecurity company, about repeated intrusions into an unnamed think tank that, according to the company, took place over several years without being detected. The attackers, who are described using only a pseudonym in the Volexity post, gained access to the think tank’s networks using “multiple tools, backdoors, and malware implants” and exploited a vulnerability in the Exchange Control Panel, the web-based administration interface of Microsoft’s Exchange email server.
Microsoft did not respond to a request for comment.
Only the last of three separate intrusions against the think tank, in June and July, involved a corrupted patch from SolarWinds, suggesting an aggressive, persistent hacking team with numerous sophisticated tactics at its disposal.
The list of known victims of the Russian hacks reported last weekend includes agencies that are central to U.S. national security and other core government functions, including the State, Treasury, Commerce and Homeland Security departments, as well as the National Institutes of Health. Thousands of private companies worldwide also were potentially affected, many in sensitive industries, after they installed software updates that had been infused with malware, reportedly by Russia’s foreign intelligence service, known as the SVR.
Purging the intruders and restoring security to affected networks could take months, some experts say.