More U.S. government agencies, including the Department of Energy (DoE) and the National Nuclear Security Administration (NNSA), have fallen victim to the sprawling state-backed SolarWinds Sunburst cyber attack, while more victims are being discovered on a global scale, including in the UK. The Cybersecurity and Infrastructure Security Agency (CISA) has called the attack a “serious risk.”
During the last 24 hours, details emerged of how the attackers, who have been linked to the Russian group APT29 or Cozy Bear, broke into the networks of the Department of Energy and the NNSA, which is responsible for maintaining the United States’ arsenal of nuclear weapons. Among the group’s targets were the Federal Energy Regulatory Commission (FEC), the Sandia and Los Alamos laboratories, the NNSA’s Safe Transportation Office, and the Richland Field Office of the DoE, according to Politico.
The list of victims may now also include Microsoft, which has been at the forefront of efforts to disrupt the attack, although this is unconfirmed. A Microsoft spokesperson has confirmed that the organization did indeed detect malicious SolarWinds binaries in its environment, which it isolated and removed, but said there was no evidence of compromise of its production services or customer data. However, Reuters, citing sources familiar with the situation, claimed that the attackers made use of some Microsoft public cloud infrastructure.
In an alert issued Thursday, December 17, CISA said it was aware of compromises of government agencies, operators of critical national infrastructure (CNI) and private sector organizations by an advanced persistent threat (APT) group, dating back to March.
“This APT actor has demonstrated patience, operational security and complex tradecraft in these intrusions,” it said. “CISA expects that removing this threat actor from compromised environments will be very complex and challenging for organizations.
“CISA has determined that this threat poses a serious risk to the federal government and state, local, tribal and territorial governments, as well as critical infrastructure entities and other private sector organizations.”
The CISA said it faced a “patient, well-resourced and focused adversary,” and cautioned that the Sunburst compromise was not the only initial infection vector used in this campaign. Additionally, not all of the approximately 18,000 organizations that inadvertently downloaded the tainted update to the SolarWinds Orion platform that caused this incident have subsequently been targeted.
Microsoft Chairman Brad Smith said the cyber attack was indeed an attack on the United States, its government and other critical institutions, and it demonstrated just how dangerous the cybersecurity landscape had become.
“The attack is ongoing and cybersecurity teams from the public and private sectors, including Microsoft, are actively investigating and addressing it,” Smith wrote in a blog post. “As our teams act as the first responders to these attacks, these ongoing investigations reveal an attack that is remarkable for its scope, sophistication and impact.
“More than anything, this attack provides a moment of reckoning. It requires us to look with clear eyes at the growing threats we face and commit to more effective and collaborative leadership by government and the technology sector… to spearhead a robust and coordinated global cybersecurity response.”
Based on telemetry gathered from Microsoft’s Defender antivirus software, Smith said the nature of the attack and the breadth of the supply chain vulnerability were very clear to see. He said Microsoft has now identified at least 40 of its customers that the group targeted and engaged, and is now working with them.
Most of these customers are understood to be based in the US, but Microsoft’s work has also uncovered victims in Belgium, Canada, Israel, Mexico, Spain, the United Arab Emirates, and the United Kingdom, including government agencies, NGOs and cybersecurity and technology companies.
Smith added: “This is not ‘spy business as usual’, even in the digital age. Instead, it represents an act of recklessness that created serious technological vulnerability for America and the world. In effect, this is not just an attack on specific targets, but on the trust and reliability of the world’s critical infrastructure to advance a nation’s intelligence agency.
“While the most recent attack appears to reflect a particular focus on the United States and many other democracies, it also provides a powerful reminder that people in virtually every country are at risk and in need of protection, regardless of the governments under which they live.”