DOJ Detected SolarWinds Breach Months Before Public Disclosure


In November 2020, months after the DOJ completed the mitigation of its breach, Mandiant discovered that it had been hacked, and traced its breach to the Orion software on one of its servers the following month. An investigation of the software revealed that it contained a backdoor that the hackers had embedded in the Orion software while it was being compiled by SolarWinds in February 2020. The tainted software went out to about 18,000 SolarWinds customers, who downloaded it between March and June, right around the time the DOJ discovered the anomalous traffic exiting its Orion server. The hackers chose only a small subset of these to target for their espionage operation, however. They burrowed further into the infected federal agencies and about 100 other organizations, including technology firms, government agencies, defense contractors, and think tanks.

Mandiant itself got infected with the Orion software on July 28, 2020, the company told WIRED, which would have coincided with the period that the company was helping the DOJ investigate its breach.

When asked why, when the company announced the supply-chain hack in December, it didn’t publicly disclose that it had been tracking an incident related to the SolarWinds campaign in a government network months earlier, a spokesperson noted only that “when we went public, we had identified other compromised customers.”

The incident underscores the importance of information-sharing among agencies and industry, something the Biden administration has emphasized. Although the DOJ had notified CISA, a spokesperson for the National Security Agency told WIRED that it didn’t learn of the early DOJ breach until January 2021, when the information was shared in a call among employees of several federal agencies.

That was the same month the DOJ—whose 100,000-plus employees span multiple agencies including the FBI, Drug Enforcement Agency, and US Marshals Service—publicly revealed that the hackers behind the SolarWinds campaign had possibly accessed about 3 percent of its Office 365 mailboxes. Six months later, the department expanded on this and announced that the hackers had managed to breach email accounts of employees at 27 US Attorneys’ offices, including ones in California, New York, and Washington, DC. 

In its latter statement, the DOJ said that to “encourage transparency and strengthen homeland resilience,” it wanted to provide new details, including that the hackers were believed to have had access to compromised accounts from about May 7 to December 27, 2020. And the compromised data included “all sent, received, and stored emails and attachments found within those accounts during that time.”

The investigators of the DOJ incident weren’t the only ones to stumble upon early evidence of the breach. Around the same time of the department’s investigation, security firm Volexity, as the company previously reported, was also investigating a breach at a US think tank and traced it to the organization’s Orion server. Later in September, the security firm Palo Alto Networks also discovered anomalous activity in connection with its Orion server. Volexity suspected there might be a backdoor on its customer’s server but ended the investigation without finding one. Palo Alto Networks contacted SolarWinds, as the DOJ had, but in that case as well, they failed to pinpoint the problem.

Senator Ron Wyden, an Oregon Democrat who has been critical of the government’s failure to prevent and detect the campaign in its early stages, says the revelation illustrates the need for an investigation into how the US government responded to the attacks and missed opportunities to halt it.

“Russia’s SolarWinds hacking campaign was only successful because of a series of cascading failures by the US government and its industry partners,” he wrote in an email. “I haven’t seen any evidence that the executive branch has thoroughly investigated and addressed these failures. The federal government urgently needs to get to the bottom of what went wrong so that in the future, backdoors in other software used by the government are promptly discovered and neutralized.”
