The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency on Thursday issued its most urgent and detailed alert yet about the hacking campaign that has rocked government agencies and technology firms in recent days, saying that it “poses a grave risk” to federal and state governments, critical infrastructure entities, and private sector organizations.
Additionally, CISA said it has evidence of additional attack vectors other than the SolarWinds Orion platform—SolarWinds said in a securities filing this week that a cyberattack inserted a vulnerability in its Orion monitoring products that could allow attackers to compromise the server on which the product is run. Thousands of customers, including many government agencies, could be affected. CISA said it is still investigating the additional attack vectors, and that the attacker is likely using tactics, techniques, and procedures (commonly referred to as TTPs among cybersecurity professionals) that have not yet been discovered.
“CISA expects that removing the threat actor from compromised environments will be highly complex and challenging,” the alert said. “This adversary has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks.”
Although many of the details of the attack are still unknown—including who is affected, who carried it out, and what their motivation is—CISA warned that the attacker is skilled, stealthy, and well-resourced. Several news outlets, citing anonymous government officials, have reported that the attack was carried out by Russia, and is likely the work of its SVR spy agency. CISA’s alert did not mention Russia or suggest that it was a nation-state hack, though it did say the main motivation appeared to be espionage.
“The adversary’s initial objectives, as understood today, appear to be to collect information from victim environments,” the alert said.
CISA additionally warned that the attacker is using a number of measures to thwart detection. Although the compromise began at least as early as March, U.S. officials did not detect the attack until cybersecurity firm FireEye alerted intelligence agencies that a sophisticated hacker evaded layers of its defenses, The New York Times reported.
According to CISA, the attacker has been able to hide its activity among legitimate user traffic by using virtual private servers with U.S.-based IP addresses. The attacker is also leveraging compromised or spoofed tokens for accounts, which can thwart commonly used detection techniques. Because attackers could be using valid security tokens and accounts, cybersecurity professionals may have to comb through data to find activity that’s outside of a user’s normal duties.
“Taken together, these observed techniques indicate an adversary who is skilled, stealthy with operational security, and is willing to expend significant resources to maintain covert presence,” CISA said.
The alert came one day after CISA, the FBI, and the Office of the Director of National Intelligence officially confirmed the breach and said they were coordinating “a whole-of-government response” to the incident.
According to the joint statement, the FBI is leading the response by investigating and gathering intelligence to attribute and disrupt the attacker, and has engaged with known and suspected victims. CISA is in charge of providing technical assistance, and made the early step of instructing federal civilian agencies to disconnect or power down affected SolarWinds Orion products from their network. ODNI will lead intelligence support, sharing information across government agencies and the Intelligence Community, according to the statement.
On Monday, Microsoft, FireEye, and GoDaddy developed a “killswitch” by disabling the infrastructure the attacker used to send malicious code to victims. However, those measures don’t necessarily help organizations that the attacker had compromised weeks or months ago.
Compromised government organizations include the U.S. Treasury, the Department of State, CISA, and the Department of Homeland Security, though that list could grow as investigations continue.