CISA: Hackers accessing federal networks without SolarWinds

The Cybersecurity and Infrastructure Security Agency said on Jan. 6 that there is evidence suspected hackers are breaching federal networks without exploiting the recently discovered flaw in the SolarWinds Orion product.


The Cybersecurity and Infrastructure Security Agency says it has evidence that hackers are breaching the federal government's networks by other paths than the recently discovered vulnerabilities in SolarWinds Orion.

"Specifically, we are investigating incidents in which activity indicating abuse of Security Assertion Markup Language (SAML) tokens consistent with this adversary's behavior is present, yet where impacted SolarWinds instances have not been identified," according to updated guidance published Wednesday. "CISA is continuing to work to confirm initial access vectors and identify any changes to the tactics, techniques, and procedures (TTPs)."

Characteristics such as a SAML token having a 24-hour validity period, or not containing multi-factor authentication details where they are expected, are red flags.

As details of the SolarWinds Orion breach have surfaced, analysts and lawmakers have repeatedly commented on how difficult it will be to remove hackers from the government's networks because their access is probably no longer predicated on flaws in SolarWinds Orion, an IT management software.

CISA's new guidance appears to confirm that suspicion, stating that Microsoft, which is helping the federal government investigate the hack, reported the hackers are tampering with the trust protocols in Azure/Microsoft 365.

"Microsoft reported that the actor has added new federation trusts to existing on premises infrastructure," according to the agency's guidance. "Where this technique is used, it is possible that authentication can occur outside of an organization's known infrastructure and may not be visible to the legitimate system owner."

In cases where administrative-level credentials were compromised, organizations should conduct a "full reconstruction of identity and trust services," CISA said. Microsoft published a query to help identify this type of activity.
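The red flags described above (a SAML token with a 24-hour validity window, missing multi-factor authentication context, and assertions issued by a federation trust the organization does not recognize) can be checked mechanically on assertions pulled from IdP or application logs. The following is an added example written for this article; it is not CISA's guidance text nor Microsoft's published query. Everything in it is assumed for illustration: the one-hour "normal" validity threshold, the set of authentication-context class URIs treated as evidence of MFA, the allowlist of known issuers, and the two constructed sample assertions.

```python
"""Flag SAML 2.0 assertions showing the characteristics CISA called red flags.

Added example, not code from CISA or Microsoft. Labelled assumptions:
- a healthy IdP issues tokens valid for well under 24 hours, so
  MAX_VALIDITY_HOURS (hypothetical) marks anything longer as unusual;
- MFA is recorded in AuthnContextClassRef using the Microsoft
  'multipleauthn' URI or one of the SAML strong-authentication classes;
- KNOWN_ISSUERS is the organization's own federation trusts (hypothetical).
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed MFA indicators (hypothetical policy for this example).
MFA_CONTEXT_CLASSES = {
    "http://schemas.microsoft.com/claims/multipleauthn",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:X509",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI",
}
MAX_VALIDITY_HOURS = 1  # hypothetical threshold for "unusually long-lived"
# Hypothetical allowlist of the organization's own federation issuers.
KNOWN_ISSUERS = {"http://sts.agency.example/adfs/services/trust"}


def _parse_ts(value):
    # SAML timestamps are ISO 8601 in UTC, e.g. 2021-01-06T12:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def analyze_assertion(xml_text, mfa_expected=True,
                      max_validity_hours=MAX_VALIDITY_HOURS, expected_issuers=None):
    """Return a list of red-flag strings for one SAML 2.0 assertion (empty = clean)."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag.endswith("Assertion") else root.find(".//saml:Assertion", NS)
    findings = []

    # 1. Validity window: long-lived tokens are the first red flag named by CISA.
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        findings.append("no Conditions element: validity window is unbounded")
    else:
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_before and not_on_or_after:
            validity = _parse_ts(not_on_or_after) - _parse_ts(not_before)
            if validity >= timedelta(hours=max_validity_hours):
                findings.append(f"validity window {validity} exceeds {max_validity_hours}h")
        else:
            findings.append("Conditions lacks NotBefore/NotOnOrAfter")

    # 2. MFA context: an assertion for a user who must use MFA should carry it.
    classes = {e.text.strip() for e in assertion.findall(".//saml:AuthnContextClassRef", NS)
               if e.text}
    if mfa_expected and not classes & MFA_CONTEXT_CLASSES:
        findings.append(f"no MFA authentication context (found: {sorted(classes) or 'none'})")

    # 3. Issuer: a trust added outside known infrastructure shows up as an unknown issuer.
    issuer = assertion.find("saml:Issuer", NS)
    issuer_value = issuer.text.strip() if issuer is not None and issuer.text else ""
    if expected_issuers is not None and issuer_value not in expected_issuers:
        findings.append(f"issuer not in known federation trusts: {issuer_value or 'missing'}")
    return findings


# Constructed sample assertions (not real tokens). Signatures omitted for brevity.
SUSPICIOUS_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c1" IssueInstant="2021-01-06T12:00:00Z" Version="2.0">
  <saml:Issuer>http://sts.unknown-federation.example/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>admin@agency.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2021-01-06T12:00:00Z" NotOnOrAfter="2021-01-07T12:00:00Z"/>
  <saml:AuthnStatement AuthnInstant="2021-01-06T12:00:00Z"><saml:AuthnContext>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
</saml:Assertion>"""

NORMAL_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c2" IssueInstant="2021-01-06T12:00:00Z" Version="2.0">
  <saml:Issuer>http://sts.agency.example/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>analyst@agency.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2021-01-06T12:00:00Z" NotOnOrAfter="2021-01-06T12:10:00Z"/>
  <saml:AuthnStatement AuthnInstant="2021-01-06T12:00:00Z"><saml:AuthnContext>
    <saml:AuthnContextClassRef>http://schemas.microsoft.com/claims/multipleauthn</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS_ASSERTION), ("normal", NORMAL_ASSERTION)):
        print(label, analyze_assertion(xml, expected_issuers=KNOWN_ISSUERS))
```

Run against the constructed samples, the suspicious assertion trips all three checks (24-hour window, password-only context, unknown issuer) while the normal one returns no findings. Because the issuer allowlist and MFA class set are the parts most likely to differ between environments, they are kept as parameters and module constants so a team can substitute its own federation metadata rather than the hypothetical values used here.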

CISA's guidance also instructs federal agencies to conduct forensic analysis and harden their systems if they "accept the risk of SolarWinds Orion." Federal agencies are required to submit two status reports to CISA on those efforts later this month.

Tatyana Bolton, a cybersecurity expert at the R Street Institute, said the news of new vectors and vulnerabilities is "unsurprising" and that more will likely be found because of "how weak the U.S. federal cybersecurity requirements currently are."

"There are best practices that we already know could help prevent breaches like this, but we have lacked the political will to implement them," she said, noting practices such as developing federal cloud security certification and improving readiness for incident response and recovery.

"All of these were recommendations made by the Cyberspace Solarium Commission in its recent report, and need to be implemented yesterday," she added.

The New York Times yesterday reported that the intelligence community and private cybersecurity investigators believe JetBrains, a software development tools company that originates from the Czech Republic, may have been used as a pathway for hackers to breach the federal government's networks. The company told The Times it was not aware of any compromise or ongoing investigations.