WASHINGTON, D.C. – At least three government agencies have been the target of a major cyber-espionage campaign, apparently by the Russian government. The American people learned this week that hackers have been spying on the U.S. departments of Commerce, Treasury and even Homeland Security since March, and officials say there are likely many more victims yet to be revealed. Shockingly, while the exploit is now discovered, the compromise remains in play as some systems cannot easily disable the software and the entire system running it requires shut-down prompting a rare emergency directive ordering all federal agencies to immediately power down SolarWinds Orion management tools.
Section 3553(h) of title 44, U.S. Code, authorizes the Secretary of Homeland Security, in response to a known or reasonably suspected information security threat, vulnerability, or incident that represents a substantial threat to the information security of an agency, to “issue an emergency directive to the head of an agency to take any lawful action with respect to the operation of the information system, including such systems used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information, for the purpose of protecting the information system from, or mitigating, an information security threat.” 44 U.S.C. § 3553(h)(1)–(2)
According to reports, the attackers got in by corrupting software updates with a piece of malware called “SUNBURST” installed on computer systems using Orin software by technology company SolarWinds, which provides network tools to government agencies and tech companies making up its roughly 300,000 customers.
Ad Disclosure: This site earns revenue from ads, some within content. You can support independent journalism and help us stay afloat by donating or purchasing our merch following us on social media (Facebook |
Feedspot) or just sharing content you like.
The nation’s now fired cybersecurity expert Chris Krebs, who was also the former top election security officer, announced on November 12, that the 2020 election was “the most secure election in history,” a statement made while the nation’s most critical data systems were being compromised in-real time, and had been being compromised for the larger part of the year.
With what has been the most highly contested election in history, rumors began to swirl that Dominion Voting Systems, the highly controversial voting machine company which was used in hundreds of countries across the country to compile and report election results, might have been a customer of SolarWinds. Some of that speculation was due to the disappearing act of the SolarWinds logo on a Dominion login page that was captured by social media users through an Internet archive search.
Dominion has released a statement saying “Dominion Voting Systems does not now nor has it ever used the SolarWinds Orion Platform, which was subject of the DHS emergency directive dated December 13, 2020,” the statement read.
While a SolarWinds press release stated that “Serv-U,” a reference to a software suite identified by hypertext shown along with the accompanying SolarWinds logo on the Dominion site, stated it is not known to be an affected software product, however, both are offered by the company.
On Thursday, December 17, Lou Dobbs spoke with Cybersecurity and terrorism analyst, Morgan Wright, who stated that Dominion was a customer of SolarWinds, but did not elude to what SolarWinds software specifically the company was using or confirm any further of connection between its customer and vendor relationship.
The U.S. government says it has evidence of additional vulnerabilities beyond SolarWinds Orion supply chain compromise, but other attack methods are still being investigated. While Russia is believed responsible, the Trump administration has not formally blamed Russia, and Russia has denied involvement. Out of the 300,000 customers, SolarWinds estimates that less than 18,000 were likely directly impacted by the malicious software updates.
“CISA [Cybersecurity and Infrastructure Security Agency] has determined that this threat poses a grave risk to the federal government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations,” according to a 17-page alert. “This is a patient, well-resourced, and focused adversary that has sustained long duration activity on victim networks.”