No federal civilian agencies are confirmed to be compromised by last week’s Microsoft Exchange cyberattack, but the investigation is still ongoing and new data keeps pouring in by the hour, according to testimony from CISA officials.
Faced with investigating two major cyberattacks on SolarWinds and a Microsoft Exchange server, officials from the Cybersecurity and Infrastructure Security Agency (CISA) told Congress on Wednesday that CISA needed robust layers of defense within each federal civilian executive branch network to mitigate the risks of future breaches.
Eric Goldstein, Executive Assistant Director at CISA’s Cybersecurity Division, told the Department of Homeland Subcommittee of the House Committee on Appropriations on Wednesday that the Microsoft Exchange breach investigation was ongoing, but that no federal civilian agencies had been confirmed to be compromised so far.
Eric Goldstein, CISA
“At this point in time, there are no federal civilian agencies that are confirmed to be compromised by this [Microsoft Exchange server hack] campaign” — Eric Goldstein, CISA
“We are still in the early days of the investigation of exploitation of a Microsoft Exchange server,” Goldstein testified.
“We are working with individual agencies to assess the results of their forensic analysis.
“At this point in time, there are no federal civilian agencies that are confirmed to be compromised by this campaign.
“However, CISA is working with individual agencies to assess the results of their analysis, and this is an evolving campaign with new information coming in by the hour.”
“We need to adopt a principle that in cybersecurity is called the ‘kill chain,’ in which we are trying to prevent an intrusion at multiple phases” — Eric Goldstein, CISA
To mitigate cybersecurity risks, Goldstein recommended adopting the “kill chain” principle of cybersecurity.
“We need to adopt a principle that in cybersecurity is called the ‘kill chain,’ in which we are trying to prevent an intrusion at multiple phases,” he said.
“So, even if we are unable to prevent the supply chain compromise, we’re detecting the lateral movement across a network, or we are detecting the escalation of privileges where the adversary attempts to compromise the authentication systems that are used to gain access to different assets within a network, and on down the line.
“And so we need robust layers of defense within each federal civilian executive branch network with data from those layers coming back to CISA, so we can identify and correlate security trends across the executive branch and identify these sorts of deeply mature intrusions before they’re able to endure for months on end and cause lasting damage,” Goldstein added.
“We need robust layers of defense within each federal civilian executive branch network with data from those layers coming back to CISA” — Eric Goldstein, CISA
Discovered last week, the Microsoft Exchange server hack was brought to the attention of CISA on March 2, and Microsoft put out a statement at the time saying, “Microsoft Threat Intelligence Center attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.”
Three days later, Microsoft gave an update, saying, “Microsoft sees increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond HAFNIUM.”
While the Microsoft Exchange hack was discovered last week, the attack on SolarWinds was discovered in December, but had been going on long before the victims became aware of the breach.
In the SolarWinds case, some 18,000 people and organizations were potentially exposed when sophisticated hackers put a backdoor in a software patch, and CISA believes this was used to spy on email accounts using Microsoft 365 cloud services.
However, according to CISA Acting Director Brandon Wales, the number of entities that were actually compromised was “much smaller.”
Brandon Wales, CISA
“We continue to believe this [SolarWinds supply chain attack] was largely an espionage operation where they were collecting information largely based on Microsoft Office 365 email for agency personnel” — Brandon Wales, CISA
“Nearly 18,000 entities were potentially exposed to the malicious SolarWinds software,” Wales told Congress in Wednesday’s hearing.
“CISA estimates that a much smaller number were compromised when the threat actor activated a malicious backdoor they had installed in a SolarWinds product and moved into an exposed network.
“Once inside the network, the actor was able to use their privileged access to abuse the authentication mechanisms — the systems that control trust and manage identities — ultimately allowing them to access and exfiltrate emails and other data from compromised networks and Microsoft Office 365 cloud environments,” he added.
“We have no evidence at this time that the actor did anything except steal information” — Brandon Wales, CISA
At present, the CISA acting director believes that the SolarWinds breach was a targeted espionage campaign where only information was stolen and nothing further.
“We continue to believe this was largely an espionage operation where they were collecting information largely based on Microsoft Office 365 email for agency personnel,” Wales testified.
“In many cases, that was extremely targeted. There was usually only a couple dozen individuals at an agency that were targeted as part of this campaign, and we have no evidence at this time that the actor did anything except steal information,” he added.
“The actor in this case used extremely sophisticated techniques to bypass the security” — Brandon Wales, CISA
In order to mitigate the risks of a supply chain attack, Wales said that the SolarWinds breach highlighted “the need for us to have better insights and visibility inside of networks.”
“Conducting security at the edge, on the perimeter, increasingly lacks the ability to detect the more sophisticated types of attacks, which are only going to take place on individual work stations, on individual servers, and that’s why we’re pushing for this increase in visibility down inside of networks,” he added.
What made the SolarWinds attack so unique, according to Wales, was that “the actor in this case used extremely sophisticated techniques to bypass the security that is in place at agencies as well as the significant number of private sector companies that were compromised as part of the campaign.”
“By executing a supply chain attack, by compromising the SolarWinds product, and putting the backdoor inside of one of their legitimate patches, that bypassed all of the normal traditional perimeter security that is deployed to protect agencies,” said Wales.
“And so it was a trusted patch. It was installed by network operators. And because of the nature of SolarWinds’ products, that they have broad, administrative rights […] that gave the actor access to the network and allowed them to escalate their privileges in ways that we could not see,” the CISA acting director added.
“By executing a supply chain attack, by compromising the SolarWinds product, and putting the backdoor inside of one of their legitimate patches, that bypassed all of the normal traditional perimeter security that is deployed to protect agencies” — Brandon Wales, CISA
Because cyberattacks have the potential to disrupt all functions of society, from power grids to water treatment facilities and government agencies and beyond, both Wales and Goldstein submitted in their joint testimony, “The federal enterprise can be made more resilient and secure.”
“By enhancing our visibility, implementing persistent hunt capabilities, increasing provision of shared services, and moving toward more robust architecture models, we can most effectively ensure that the Federal Government can provide critical services to the American people under all conditions.”
Prepping for a cyber pandemic: Cyber Polygon 2021 to stage supply chain attack simulation
‘Ransomware is quickly becoming a national emergency’ amid pandemic: CISA acting director testifies
