
CISA: Hackers gained access to federal networks without SolarWinds


The Cybersecurity and Infrastructure Security Agency says it has evidence that hackers are breaching the federal government's networks by paths other than the recently discovered vulnerabilities in SolarWinds Orion.

"Specifically, we are investigating incidents in which activity indicating abuse of Security Assertion Markup Language (SAML) tokens consistent with this adversary's behavior is present, yet where impacted SolarWinds instances have not been identified," according to updated guidance published Wednesday. "CISA is continuing to work to confirm initial access vectors and identify any changes to the tactics, techniques, and procedures (TTPs)."

Characteristics such as SAML tokens having a 24-hour validity period, or not containing multi-factor authentication details where they would be expected, are red flags.
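A defender can turn those two red flags into a check over assertions captured from federation or application logs. The following is an added example, not code from CISA, Microsoft or the article; the one-hour "expected" lifetime and the set of authentication-context class URIs treated as MFA are assumptions that an organisation would replace with its own identity provider's settings.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MAX_EXPECTED_VALIDITY = timedelta(hours=1)   # assumption: this IdP's normal token lifetime
MFA_CLASSES = {                               # assumption: class URIs this org counts as MFA
    "http://schemas.microsoft.com/claims/multipleauthn",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract",
}

def _parse_time(value):
    # SAML timestamps are UTC ISO 8601; fromisoformat wants +00:00 rather than a trailing Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def analyze_assertion(xml_text, expect_mfa=True):
    """Return a list of red flags found in one SAML 2.0 assertion (or a Response wrapping one)."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag.endswith("Assertion") else root.find(".//saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element found"]
    flags = []
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None and cond.get("NotBefore") and cond.get("NotOnOrAfter"):
        validity = _parse_time(cond.get("NotOnOrAfter")) - _parse_time(cond.get("NotBefore"))
        if validity > MAX_EXPECTED_VALIDITY:
            flags.append(f"validity window {validity} exceeds expected {MAX_EXPECTED_VALIDITY}")
    classes = {e.text.strip() for e in assertion.findall(".//saml:AuthnContextClassRef", NS) if e.text}
    if expect_mfa and not (classes & MFA_CLASSES):
        flags.append(f"no MFA authentication context (saw {sorted(classes) or 'none'})")
    return flags

# Constructed sample: a 24-hour window and a password-only context, the pattern the guidance describes
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_x1" Version="2.0" IssueInstant="2020-12-23T00:00:00Z">
  <saml:Issuer>https://sts.example.test/adfs/services/trust</saml:Issuer>
  <saml:Conditions NotBefore="2020-12-23T00:00:00Z" NotOnOrAfter="2020-12-24T00:00:00Z"/>
  <saml:AuthnStatement AuthnInstant="2020-12-23T00:00:00Z">
    <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for flag in analyze_assertion(SAMPLE):
        print("FLAG:", flag)
```

Because an attacker forging tokens with a stolen signing key can set any lifetime or context they like, this check is a detection aid for logs and captured traffic, not a substitute for the identity and trust rebuild CISA recommends when administrative credentials were compromised.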

As details of the SolarWinds Orion breach have surfaced, analysts and lawmakers have repeatedly commented on how difficult it will be to remove hackers from the government's networks, because their access is probably no longer predicated on flaws in SolarWinds Orion, an IT management software product.

CISA's new guidance appears to confirm that suspicion, stating that Microsoft, which is helping the federal government investigate the hack, reported that the hackers are tampering with the trust protocols in Azure/Microsoft 365.

"Microsoft reported that the actor has added new federation trusts to existing on premises infrastructure," according to the agency's guidance. "Where this technique is used, it is possible that authentication can occur outside of an organization's known infrastructure and may not be visible to the legitimate system owner."

In cases where administrative-level credentials were compromised, organizations should conduct a "full reconstruction of identity and trust services," CISA said. Microsoft published a query to help identify this type of activity.

CISA's guidance also instructs federal agencies to conduct forensic analysis and harden their systems if they "accept the risk of SolarWinds Orion." Federal agencies are required to submit two status reports to CISA on those efforts later this month.

Tatyana Bolton, a cybersecurity expert at the R Street Institute, said the news of new vectors and vulnerabilities is "unsurprising" and that more will likely be found because of "how weak the U.S. federal cybersecurity requirements currently are."

"There are best practices that we already know could help prevent breaches like this, but we have lacked the political will to implement them," she said, noting practices such as developing federal cloud security certification and improving readiness for incident response and recovery.

"All of these were recommendations made by the Cyberspace Solarium Commission in its recent report, and need to be implemented yesterday," she added.

The New York Times yesterday reported that the intelligence community and private cybersecurity investigators believe JetBrains, a software development tooling company that originates from the Czech Republic, may have been used as a pathway for hackers to breach the federal government's networks. The company told The Times it was not aware of any compromise or ongoing investigations.

About the Author

Justin Katz covers cybersecurity for FCW. Previously he covered the Navy and Marine Corps for Inside Defense, focusing on weapons, vehicle acquisition and congressional oversight of the Pentagon. Prior to reporting for Inside Defense, Katz covered community news in the Baltimore and Washington D.C. areas. Connect with him on Twitter at @JustinSKatz.
