U.S. federal agencies and large corporations have been repeated targets of hackers since at least 2016, but the recently disclosed compromise of SolarWinds, a software firm whose customers include many U.S. federal agencies as well as hundreds of Fortune 500 companies, has had an unusually wide reach, and the fallout is continuing.
On Thursday, the Department of Energy (DOE) and the National Nuclear Security Administration (NNSA) confirmed that their networks were also breached during the campaign. Because the NNSA maintains the U.S. nuclear arsenal, the intrusion raises a serious national security concern.
So far, cybersecurity experts have identified more than half a dozen federal agencies breached by hackers alleged to be backed by the Russian state. As agencies audit their internal networks for signs of compromise, the DOE and NNSA identified suspicious activity. The clearest traces were found on the network of the Federal Energy Regulatory Commission (FERC), the DOE-related agency that appears to have been hit hardest.
The DOE said it will have more information about the breach in the coming weeks, once the investigation is complete, but added that the hackers had accessed only business networks and that defense systems were not breached, Politico reported.
"At this point, the investigation has found that the malware has been isolated to business networks only, and has not impacted the mission-essential national security functions of the department, including the NNSA," Shaylyn Hynes, a DOE spokesperson said in a statement.
Is U.S. National Security Compromised?
Initial investigations suggest that the large-scale cyberattack was carried out by the Russian hacker group known as Cozy Bear (APT29), which is generally linked to Russia's Foreign Intelligence Service (SVR), not to the military intelligence agency GRU. The hackers inserted a backdoor (named Sunburst by FireEye and Solorigate by Microsoft) into legitimate, digitally signed updates of SolarWinds' Orion IT monitoring software, turning the vendor's own update channel into a supply chain attack that reached customers such as FERC.
While it was initially thought that SolarWinds itself was the target, reports soon indicated that its government customers were the real objective. The breach of DOE networks made the attackers' interest in U.S. national security assets clear, and they were at least partly successful in reaching them. The DOE is not only responsible for the country's nuclear stockpile but also keeps records of its locations, many of which are classified, and it oversees domestic nuclear energy production.
Network breaches were also reported at the Los Alamos and Sandia national laboratories, both headquartered in New Mexico, at the NNSA's Office of Secure Transportation (OST), and at the DOE's Richland Field Office in Washington state. The two national labs conduct research on the civil nuclear program and on nuclear weapons, while the OST is responsible for securely storing and transporting nuclear weapon components and special nuclear material such as enriched uranium.
It will be weeks before it is clear whether the hackers exfiltrated sensitive data, but the campaign has already exposed a weakness in U.S. cyber defenses. If the hackers obtained sensitive data about the nuclear weapons program, it would be a disaster for the country's national security and a problem the incoming Biden administration will have to deal with. The trojanized Orion updates were distributed as early as March, yet the intrusions were only noticed on December 8, when FireEye disclosed its own breach. However, Hynes said that the agency had taken immediate action to mitigate the risk and uninstalled the vulnerable software that was used to breach federal networks.
"This is a developing situation, and while we continue to work to understand the full extent of this campaign, we know this compromise has affected networks within the federal government," Hynes' statement said.
Microsoft Networks Breached Too
As the fallout continues, Microsoft also revealed that it had found the malware on its own systems. Reports said the attackers also leveraged Microsoft's Office 365 cloud services in attacks on victims, and the technology giant itself uses the SolarWinds software at the center of the campaign. The company has isolated the affected software and systems to prevent further compromise, but it has not said whether any sensitive customer information was stolen.
"Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed," a Microsoft spokesperson told Reuters.
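The search Microsoft and the DOE describe above, "looking for indicators" and removing the malicious SolarWinds binaries, boils down to sweeping Orion install directories and comparing file hashes against a published list of known-bad builds. The script below is an added example written for this page; it is not code from SolarWinds, Microsoft, or the article. The component name SolarWinds.Orion.Core.BusinessLayer.dll is the Orion DLL that public vendor and FireEye reporting identified as carrying the backdoor; the hashes the script checks are computed from constructed sample files and are not real Sunburst indicators, and the directory tree it sweeps is a temporary one it builds itself.

```python
"""Hash-based IOC sweep for a trojanized vendor binary (added example).

Walks a directory tree, hashes every file and reports two classes of hit:
  match  - SHA-256 is on the supplied known-bad list
  review - file is named like the backdoored component but its hash is not
           on the list, so its version and signature must be checked by hand
The known-bad hashes here are derived from constructed sample files; they
are placeholders, NOT the real Sunburst indicators.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Orion component that carried the Sunburst backdoor (public reporting,
# not from the article). Flagged for review even when its hash is unknown.
TARGET_NAME = "SolarWinds.Orion.Core.BusinessLayer.dll"


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large binaries do not load into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root: Path, bad_hashes: set[str]) -> dict[str, list[str]]:
    """Return {'match': [...], 'review': [...]} as POSIX paths relative to root."""
    result: dict[str, list[str]] = {"match": [], "review": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if sha256_of(p) in bad_hashes:
                result["match"].append(rel)
            elif name.lower() == TARGET_NAME.lower():
                # Same filename, unknown hash: could be a clean build or a
                # variant not yet on the list. Verify out of band.
                result["review"].append(rel)
    for key in result:
        result[key].sort()
    return result


def build_sample_tree() -> tuple[Path, set[str]]:
    """Constructed sample data: a fake install directory holding one
    'trojanized' DLL, one clean copy under a backup path and an unrelated
    file. Returns the root and a known-bad set derived from the fake DLL."""
    root = Path(tempfile.mkdtemp(prefix="orion_sweep_"))
    bad = root / "Orion" / TARGET_NAME
    clean = root / "Backup" / TARGET_NAME
    other = root / "Orion" / "readme.txt"
    for p in (bad, clean, other):
        p.parent.mkdir(parents=True, exist_ok=True)
    bad.write_bytes(b"MZ\x90\x00constructed-trojanized-build")
    clean.write_bytes(b"MZ\x90\x00constructed-clean-build")
    other.write_bytes(b"not a binary")
    bad_hashes = {sha256_of(bad)}  # stand-in for a published IOC hash list
    return root, bad_hashes


if __name__ == "__main__":
    sample_root, iocs = build_sample_tree()
    report = sweep(sample_root, iocs)
    for category, paths in report.items():
        for rel_path in paths:
            print(f"{category:6} {rel_path}")
```

To use this against a real host, point `sweep` at the Orion installation directory and replace the constructed hash set with the vendor's or CISA's published SHA-256 list. The "review" bucket matters as much as the "match" bucket: a hash list only catches builds already known to be malicious, so any copy of the targeted DLL whose hash is unknown should be checked against the vendor's version list and its Authenticode signature before the host is declared clean.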