The federal agency that controls the safety, security, and effectiveness of the nation’s nuclear weapons stockpile was also breached in the massive SolarWinds hack suspected to have been perpetrated by Russian operatives, Politico reported.
This week, news broke that thousands of customers had installed a software package from IT management firm SolarWinds that had been secretly bugged with malware by hackers. Microsoft, which was also attacked by the same group, estimated that over 40 of those customers were specifically targeted “through additional and sophisticated measures.” Among those known to be affected are government agencies including the Department of Homeland Security and the U.S. Treasury. On Thursday, the Cybersecurity and Infrastructure Security Agency identified the hack as a “grave risk to the federal government” perpetrated by an “advanced persistent threat actor.”
Officials told Politico that the U.S. Department of Energy and its subsidiary agency, the National Nuclear Security Administration (NNSA), have found evidence their networks were among the numerous government agencies penetrated during the hack. The NNSA consumes around half of the department’s annual budget and handles everything from nuclear weapons development and non-explosive testing to counter-terrorism and the physical security of nuclear installations. Affected networks include those belonging to the Federal Energy Regulatory Commission, an independent DOE sub-agency; Sandia and Los Alamos national laboratories, which work on nuclear weapons; and the Richland Field Office of the DOE, which oversees the cleanup of a plutonium manufacturing facility that shut down in the early 1970s.
An NNSA spokesperson, Shaylyn Hynes, told Politico that the agency does not currently believe the attackers gained access to the more secure parts of its network where intelligence on the nuclear stockpile may have been found.
“At this point, the investigation has found that the malware has been isolated to business networks only, and has not impacted the mission essential national security functions of the department, including the National Nuclear Security Administration,” Hynes said in a statement. “When DOE identified vulnerable software, immediate action was taken to mitigate the risk, and all software identified as being vulnerable to this attack was disconnected from the DOE network.”
The malware in question was baked into multiple versions of Orion Platform, SolarWinds’ network monitoring/management tool. After download, the malware, dubbed Sunburst, typically sat dormant for a period of days or weeks. Sunburst would then conduct reconnaissance of the network it had infected and shoot those details back to its handlers. In a sign of the attack’s sophistication, communication between the hackers and Sunburst was disguised to look like typical Orion traffic. When the hackers pinpointed a choice target — an agency tasked with safeguarding nuclear weapons, for instance — they would order Sunburst to deploy a secondary payload known as Teardrop. Teardrop would execute a series of commands culminating in the installation of Cobalt Strike, a penetration testing tool, ironically designed to help fortify systems against the attacks it mimics.
Beyond disabling security tools and transferring and executing files, the hackers would have the ability to harvest user credentials and monitor keystrokes, even as they searched for ways to gain even greater power within the network.
U.S. officials and other investigators, speaking anonymously to the press, have floated initial suspicions that a group operated by or on behalf of Russia’s Foreign Intelligence Service was behind the supply-chain attack.
The full scale of the hack has not yet been determined, and it is likely that the U.S. government will spend years investigating and recovering from it. TrustedSec founder David Kennedy told Business Insider that while discovering attackers compromised a network is fairly simple, finding out exactly what they used their access for is much more difficult.
“Basically you have to go through with a fine-toothed comb across your entire organisation,” Kennedy said. “… Did they breach complex systems and have access to nuclear secrets or top secret data? Things to that effect will take a long time to determine.”
Dell Cameron contributed reporting to this article.