https://www.politico.com/news/2020/12/17/nuclear-agency-hacked-officials-inform-congress-447855 Nuclear weapons agency breached amid massive cyber onslaught Hackers accessed systems at the National Nuclear Security Administration, which maintains the U.S. nuclear weapons stockpile. The Energy Department and National Nuclear Security Administration, which maintains the U.S. nuclear weapons stockpile, have evidence that hackers accessed their networks as part of an extensive espionage operation that has affected at least half a dozen federal agencies, officials directly familiar with the matter said. On Thursday, DOE and NNSA officials began coordinating notifications about the breach to their congressional oversight bodies after being briefed by Rocky Campione, the chief information officer at DOE. They found suspicious activity in networks belonging to the Federal Energy Regulatory Commission (FERC), Sandia and Los Alamos national laboratories in New Mexico and Washington, the Office of Secure Transportation at NNSA, and the Richland Field Office of the DOE. The hackers have been able to do more damage at FERC than the other agencies, and officials there have evidence of highly malicious activity, the officials said, but did not elaborate. The officials said that the Cybersecurity and Infrastructure Security Agency, which has been helping to manage the federal response to the broad hacking campaign, indicated to FERC this week that CISA was overwhelmed and might not be able to allocate the necessary resources to respond. DOE will therefore be allocating extra resources to FERC to help investigate the hack, even though FERC is a semi-autonomous agency, the officials said. Several top officials from CISA, including its former director Christopher Krebs, have either been pushed out by the Trump administration or resigned in recent weeks. Federal investigators have been combing through networks in recent days to determine what hackers had been able to access and/or steal, and officials at DOE still don’t know whether the attackers were able to access anything, the people said, noting that the investigation is ongoing and they may not know the full extent of the damage “for weeks.” Shaylyn Hynes, a DOE spokesperson, said that an ongoing investigation into the hack has found that the perpetrators did not get into critical defense systems. "At this point, the investigation has found that the malware has been isolated to business networks only, and has not impacted the mission essential national security functions of the department, including the National Nuclear Security Administration," Hynes said in a statement. "When DOE identified vulnerable software, immediate action was taken to mitigate the risk, and all software identified as being vulnerable to this attack was disconnected from the DOE network.” The attack on DOE is the clearest sign yet that the hackers were able to access the networks belonging to a core part of the U.S. national security enterprise. The hackers are believed to have gained access to the federal agencies’ networks by compromising the software company SolarWinds, which sells IT management products to hundreds of government and private-sector clients. DOE officials were planning on Thursday to notify the House and Senate Energy committees, House and Senate Energy and Water Development subcommittees, House and Senate Armed Services committees, and the New Mexico and Washington State delegations of the breach, the officials said. CISA, the FBI and the Office of the Director of National Intelligence acknowledged the “ongoing” cybersecurity campaign in a joint statement released on Wednesday, saying that they had only become aware of the incident in recent days. “This is a developing situation, and while we continue to work to understand the full extent of this campaign, we know this compromise has affected networks within the federal government,” the statement read. The U.S. government has not blamed any particular actor for the hacks yet, but cybersecurity experts have said the activity bears the hallmarks of Russia’s intelligence services. NNSA is responsible for managing the nation's nuclear weapons, and while it gets the least attention, it takes up the vast majority of DOE's budget. Similarly, the Sandia and Los Alamos National Labs conduct atomic research related to both civil nuclear power and nuclear weapons. The Office of Secure Transportation is tasked with moving enriched uranium and other materials critical for maintaining the nuclear stockpile. Hackers may have been casting too wide a net when they targeted DOE's Richland Field Office, whose primary responsibility is overseeing the cleanup of the Hanford nuclear waste site in Washington state. During World War II and the Cold War, the U.S. produced two- thirds of its plutonium there, but the site hasn't been active since 1971. The attack on the Federal Energy Regulatory Commission may have been an effort to disrupt the nation's bulk electric grid. FERC doesn't directly manage any power flows, but it does store sensitive data on the grid that could be used to identify the most disruptive locations for future attacks.
https://www.nytimes.com/2020/12/14/us/politics/russia-hack-nsa-homeland-security-pentagon.html Scope of Russian Hack Becomes Clear: Multiple U.S. Agencies Were Hit The Pentagon, intelligence agencies, nuclear labs and Fortune 500 companies use software that was found to have been compromised by Russian hackers. The sweep of stolen data is still being assessed. WASHINGTON — The scope of a hack engineered by one of Russia’s premier intelligence agencies became clearer on Monday, when some Trump administration officials acknowledged that other federal agencies — the State Department, the Department of Homeland Security and parts of the Pentagon — had been compromised. Investigators were struggling to determine the extent to which the military, intelligence community and nuclear laboratories were affected by the highly sophisticated attack. United States officials did not detect the attack until recent weeks, and then only when a private cybersecurity firm, FireEye, alerted American intelligence that the hackers had evaded layers of defenses. It was evident that the Treasury and Commerce Departments, the first agencies reported to be breached, were only part of a far larger operation whose sophistication stunned even experts who have been following a quarter-century of Russian hacks on the Pentagon and American civilian agencies. About 18,000 private and government users downloaded a Russian tainted software update — a Trojan horse of sorts — that gave its hackers a foothold into victims’ systems, according to SolarWinds, the company whose software was compromised. Among those who use SolarWinds software are the Centers for Disease Control and Prevention, the State Department, the Justice Department, parts of the Pentagon and a number of utility companies. While the presence of the software is not by itself evidence that each network was compromised and information was stolen, investigators spent Monday trying to understand the extent of the damage in what could be a significant loss of American data to a foreign attacker. The National Security Agency — the premier U.S. intelligence organization that both hacks into foreign networks and defends national security agencies from attacks — apparently did not know of the breach in the network-monitoring software made by SolarWinds until it was notified last week by FireEye. The N.S.A. itself uses SolarWinds software. Two of the most embarrassing breaches came at the Pentagon and the Department of Homeland Security, whose Cybersecurity and Infrastructure Security Agency oversaw the successful defense of the American election system last month. A government official, who requested anonymity to speak about the investigation, made clear that the Homeland Security Department, which is charged with securing civilian government agencies and the private sector, was itself a victim of the complex attack. But the department, which often urges companies to come clean to their customers when their systems are victims of successful attacks, issued an obfuscating official statement that said only: “The Department of Homeland Security is aware of reports of a breach. We are currently investigating the matter.” Parts of the Pentagon were also affected by the attack, said a U.S. official who spoke on the condition of anonymity, who added that they were not yet sure to what extent. “The D.O.D. is aware of the reports and is currently assessing the impact,” said Russell Goemaere, a Pentagon spokesman. This was the second time in recent years that Russian intelligence agencies had pierced the State Department’s email systems. Six years ago, officials struggled to get Russian hackers out of their unclassified email systems, at times shutting down State’s communications with its own staff in an effort to purge the system. Then, as now, State Department officials refused to acknowledge that Russia had been responsible. In an interview with Breitbart Radio News, Secretary of State Mike Pompeo deflected the question with generalities, saying that there had “been a consistent effort of the Russians to try and get into American servers, not only those of government agencies, but of businesses. We see this even more strongly from the Chinese Communist Party, from the North Koreans, as well.” In fact, it is the Russians who have been consistently most effective, though in this case it was not clear which State Department systems they had extracted data from or how much. A State Department spokeswoman declined to comment. Investigators were also focused on why the Russians targeted the Commerce Department’s National Telecommunications and Information Administration, which helps determine policy for internet-related issues, including setting standards and blocking imports and exports of technology that is considered a national security risk. But analysts noted that the agency deals with some of the most cutting-edge commercial technologies, determining what will be sold and denied to adversarial countries. Nearly all Fortune 500 companies, including The New York Times, use SolarWinds products to monitor their networks. So does Los Alamos National Laboratory, where nuclear weapons are designed, and major defense contractors like Boeing, which declined on Monday to discuss the attack. The early assessments of the intrusions — believed to be the work of Russia’s S.V.R., a successor to the K.G.B. — suggest that the hackers were highly selective about which victims they exploited for further access and data theft. The hackers embedded their malicious code in the Orion software made by SolarWinds, which is based in Austin, Texas. The company said that 33,000 of its 300,000 customers use Orion, and only half of those downloaded the malign Russian update. FireEye said that despite their widespread access, Russian hackers exploited only what was considered the most valuable targets. “We think the number who were actually compromised were in the dozens,” said Charles Carmakal, a senior vice president at FireEye. “But they were all the highest-value targets.” The picture emerging from interviews with corporate and government officials on Monday as they tried to assess the scope of the damage was of a complex, sophisticated attack on the software used in the systems that monitor activity at companies and government agencies. After a quarter-century of hacks on the defense industrial establishment — many involving brute-force efforts to crack passwords or “spearphishing” messages to trick unwitting email recipients to give up their credentials — the Russian operation was a different breed. The attack was “the day you prepare against,” said Sarah Bloom Raskin, the deputy Treasury secretary during the Obama administration. Investigators say they believe that Russian hackers used multiple entry points in addition to the compromised Orion software update, and that this may be only the beginning of what they find. SolarWinds’s Orion software updates are not automatic, officials noted, and are often reviewed to ensure that they do not destabilize existing computer systems. SolarWinds customers on Monday were still trying to assess the effects of the Russian attack. A spokesman at the Justice Department, which uses SolarWinds software, declined to comment. Ari Isaacman Bevacqua, a spokeswoman for The New York Times, said that “our security team is aware of recent developments and taking appropriate measures as warranted.” Military and intelligence officials declined to say how widespread the use of Orion was in their organizations, or whether those systems had been updated with the infected code that gave the hackers broad access. But unless the government was aware of the vulnerability in SolarWinds and kept it secret — which it sometimes does to develop offensive cyberweapons — there would have been little reason not to install the most up-to-date versions of the software. There is no evidence that government officials were withholding any knowledge of the flaw in the SolarWinds software. The Cybersecurity and Infrastructure Security Agency on Sunday issued a rare emergency directive warning federal agencies to “power down” the SolarWinds software. But that only prevents new intrusions; it does not eradicate Russian hackers who, FireEye said, planted their own “back doors,” imitated legitimate email users and fooled the electronic systems that are supposed to assure the identities of users with the right passwords and additional authentication. “A supply chain attack like this is an incredibly expensive operation — the more you make use of it, the higher the likelihood you get caught or burned,” said John Hultquist, a threat director at FireEye. “They had the opportunity to hit a massive quantity of targets, but they also knew that if they reached too far, they would lose their incredible access.” The chief executive officers of the largest American utility companies held an urgent call on Monday to discuss the possible threat of the SolarWinds compromise to the power grid. For the N.S.A. and its director, Gen. Paul M. Nakasone, who also heads the U.S. Cyber Command, the attack ranks among the biggest crises of his time in office. He was brought in nearly three years ago as one of the nation’s most experienced and trusted cyberwarriors, promising Congress that he would make sure that those who attacked the United States paid a price. He famously declared in his confirmation hearing that the nation’s cyberadversaries “do not fear us” and moved quickly to raise the cost for them, delving deep into foreign computer networks, mounting attacks on Russia’s Internet Research Agency and sending warning shots across the bow of known Russian hackers. General Nakasone was intensely focused on protecting the country’s election infrastructure, with considerable success in the 2020 vote. But it now appears that both civilian and national security agencies were the target of this carefully designed hack, and he will have to answer why private industry — rather than the multibillion-dollar enterprises he runs from a war room in Fort Meade, Md. — was the first to raise the alarm. Analysts said it was hard to know which was worse: that the federal government was blindsided again by Russian intelligence agencies, or that when it was evident what was happening, White House officials said nothing. But this much is clear: While President Trump was complaining about the hack that wasn’t — the supposed manipulation of votes in an election he had clearly and fairly lost — he was silent on the fact that Russians were hacking the building next door to him: the United States Treasury. In the near term, government agencies are now struggling to get to the bottom of a problem with limited visibility. By shutting down SolarWinds — a step they had to take to halt future intrusions — many agencies are losing visibility into their own networks. “They’re flying blind,” said Ben Johnson, a former N.S.A. hacker who is now the chief technology officer of Obsidian, a security firm.
All the US .gov simply need to hire Dominion. Dominion is the only unhackable software on the face of the planet.
https://www.cnn.com/2020/12/19/politics/pompeo-us-government-hack-russia/index.html Trump downplays massive cyber hack on government after Pompeo links attack to Russia (CNN)Secretary of State Mike Pompeo on Friday publicly linked Russia to a massive cyberattack on US federal government agencies, calling the data breach "a very significant effort" in remarks the President appeared to contradict Saturday. "This was a very significant effort, and I think it's the case that now we can say pretty clearly that it was the Russians that engaged in this activity," Pompeo said in an interview Friday on "The Mark Levin Show." "I can't say much more as we're still unpacking precisely what it is, and I'm sure some of it will remain classified," he added. In his first public comments on the hack, President Donald Trump on Saturday appeared to undercut Pompeo's remarks, downplaying the breach in a pair of tweets and suggesting without evidence "it may be China" that's responsible. Instead of condemning the attack, or Russia, Trump wrote that he had been "fully briefed and everything is well under control" -- despite officials in his administration having said this week that the cyberattack "poses a grave risk" to networks across both the public and private sector.