US cyber officials warned that a major cyber attack unearthed this week was still continuing and posed a “grave risk” to the government, critical infrastructure and private sector.
The update on the SolarWinds hack is the first time the US has confirmed the scale of the attack and the difficulty involved in finding and removing perpetrators from secure networks.
Thousands of businesses and government agencies may have been exposed after downloading compromised software from SolarWinds, a Texas-based IT group.
But the Cybersecurity and Infrastructure Security Agency said on Thursday that the hackers had also gained access to systems by means other than the SolarWinds software.
Cisa said the hackers had “demonstrated sophistication and complex tradecraft in these intrusions” and that it would be “highly complex and challenging” to remove the hackers from compromised systems.
The agency cited a report published by cyber group Volexity detailing attacks by the same hackers against an unnamed US think-tank, including one that used new methods to bypass multi-factor authentication security.
It added that it had “evidence” of “access vectors, other than the SolarWinds Orion platform” which were being investigated.
FireEye, SolarWinds and some US officials have blamed “nation-state” hackers for the breach, which first came to light at the end of last week. Cyber security experts, plus several politicians, have singled out Russian intelligence as the culprit, although Russia has strongly denied any involvement.
“Today’s classified briefing on Russia’s cyber attack left me deeply alarmed, in fact downright scared,” Richard Blumenthal, Democratic senator from Connecticut, wrote on Twitter on Wednesday. “Americans deserve to know what’s going on. Declassify what’s known & unknown.”
On Thursday, House committees for homeland security and oversight announced they were launching a probe into the hack, urging the FBI, the DHS and the intelligence agencies to share more information about the scale and implications of the attack. They also requested a classified inter-agency briefing on Friday.
“While investigations and technical forensic analyses are still ongoing, based on preliminary reporting, it is evident that this latest cyber intrusion could have potentially devastating consequences for US national security,” the committees’ chairs said.
President-elect Joe Biden also said in a statement that he had been briefed by US government officials on the attack and vowed to impose “substantial cost” on adversaries who penetrate US computer systems.
“We need to disrupt and deter our adversaries from undertaking significant cyber attacks in the first place,” Mr Biden said. “Our adversaries should know that, as president, I will not stand idly by in the face of cyber assaults on our nation.”
Cisa warned that the hackers “demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks”.
The agency also confirmed reports that, once inside a victim’s networks, the hackers were able to pose as other accounts and gain privileged access to certain systems, such as email services, travel services and file storage services.
In particular, it said it had seen “adversaries targeting email accounts belonging to key personnel, including IT and incident-response personnel”.
As a result, it warned that “discussion of findings and mitigations should be considered very sensitive, and should be protected by operational security measures”. It recommended that victims communicate via other channels that have not been exposed in any way.
FireEye said on Wednesday it had identified a kill switch that could stop the attackers from continuing to lurk inside networks in some cases.