US government hack

The SolarWinds breach, in which a trojanized update to the company's Orion platform reached as many as 18,000 customers, including several U.S. government agencies, was worse than initially reported, according to new information from the Cybersecurity and Infrastructure Security Agency (CISA).

While initial reports had confirmed the breach of email systems belonging to the U.S. Departments of Treasury and Commerce, the list of affected entities now includes the Department of Homeland Security (under whose jurisdiction CISA operates), the Pentagon, the Postal Service, the National Institutes of Health, the Department of Energy, and the National Nuclear Security Administration.

FireEye, a cybersecurity company whose own recent high-profile breach was also attributed to Russian threat actors, was the first to notify the affected agencies of the breach.

“This APT actor has demonstrated patience, operational security, and complex tradecraft in these intrusions,” CISA said in a public alert released December 17. “CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations.”

CISA went on to specify that the “SolarWinds Orion supply chain compromise is not the only initial infection vector this APT actor leveraged.”

CISA warned that the actors behind the breaches used several advanced techniques, including steganography, user impersonation, “impossible” logins and tokens (sign-ins or authentication tokens whose timing, origin, or lifetime cannot be explained by legitimate use), and other sophisticated intrusion methods.
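As an added illustration that is not part of the CISA alert or of this article: the two “impossible” indicators named above can be checked mechanically against sign-in and token-issuance records. The Python below is example code written for this page. The user names, timestamps, coordinates, issuer URL, and thresholds are all constructed; in a real environment the source IPs would first be resolved to locations, and the configured token lifetime would come from the identity provider's actual settings.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class SignIn:
    """One interactive sign-in, with the source IP already geolocated."""
    user: str
    when: datetime
    lat: float
    lon: float
    src_ip: str


@dataclass(frozen=True)
class Token:
    """One issued authentication token (e.g. a SAML assertion)."""
    user: str
    issued_at: datetime
    expires_at: datetime
    issuer: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat = p2 - p1
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def find_impossible_logins(events, max_speed_kmh=1000.0):
    """Flag consecutive sign-ins by the same user that would require
    travelling faster than max_speed_kmh ("impossible travel").
    Returns a list of (user, earlier_event, later_event, implied_speed_kmh)."""
    flagged = []
    by_user = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.when)
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.when - prev.when).total_seconds() / 3600.0
            if hours <= 0:
                # Same timestamp from two different places is impossible too.
                if dist > 0:
                    flagged.append((user, prev, cur, float("inf")))
                continue
            speed = dist / hours
            if speed > max_speed_kmh:
                flagged.append((user, prev, cur, speed))
    return flagged


# Constructed example thresholds: the IdP is assumed to issue one-hour tokens
# from a single trusted issuer URL.
MAX_TOKEN_LIFETIME = timedelta(hours=1)
TRUSTED_ISSUER = "https://idp.example.test"


def find_impossible_tokens(tokens, max_lifetime=MAX_TOKEN_LIFETIME,
                           trusted_issuer=TRUSTED_ISSUER):
    """Flag tokens whose lifetime exceeds what the IdP is configured to issue,
    or that name an unexpected issuer. A forged token minted outside the IdP
    typically shows up as exactly this kind of mismatch.
    Returns a list of (token, [reasons])."""
    suspicious = []
    for t in tokens:
        reasons = []
        if t.expires_at - t.issued_at > max_lifetime:
            reasons.append("lifetime exceeds configured maximum")
        if t.issuer != trusted_issuer:
            reasons.append("unexpected issuer")
        if reasons:
            suspicious.append((t, reasons))
    return suspicious


# Constructed sample data (not real log entries).
_T0 = datetime(2020, 12, 15, 10, 0, tzinfo=timezone.utc)
SAMPLE_SIGNINS = [
    SignIn("alice", _T0, 38.90, -77.04, "203.0.113.10"),                         # Washington, DC
    SignIn("alice", _T0 + timedelta(minutes=30), 55.76, 37.62, "198.51.100.7"),   # Moscow
    SignIn("bob", _T0 - timedelta(hours=1), 38.90, -77.04, "203.0.113.22"),       # Washington, DC
    SignIn("bob", _T0 + timedelta(hours=1), 41.88, -87.63, "203.0.113.23"),       # Chicago, 2 h later
]
SAMPLE_TOKENS = [
    Token("bob", _T0, _T0 + timedelta(hours=1), TRUSTED_ISSUER),
    Token("alice", _T0, _T0 + timedelta(hours=24), TRUSTED_ISSUER),  # 24 h: longer than the IdP issues
]


if __name__ == "__main__":
    for user, a, b, speed in find_impossible_logins(SAMPLE_SIGNINS):
        print(f"impossible login: {user} {a.src_ip} -> {b.src_ip} ({speed:.0f} km/h)")
    for tok, why in find_impossible_tokens(SAMPLE_TOKENS):
        print(f"suspicious token for {tok.user}: {', '.join(why)}")
```

The speed threshold is deliberately generous (faster than any airliner) so that ordinary business travel, such as the Washington-to-Chicago pair above, is not flagged, while a sign-in from another continent half an hour later is. The token check is only as good as the configured lifetime it is compared against, so that value should be read from the identity provider rather than hard-coded in production.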

“There’s a lot we don’t yet know, but what we do know is a matter of great concern,” President-elect Joe Biden said in a statement, promising to make cybersecurity and mitigation of the breach a “top priority” of his administration.

President Trump has yet to comment on the breach.