DOJ email accounts compromised in SolarWinds hack attributed to Russians

The Department of Justice on Wednesday disclosed that its computer systems were among those compromised by a massive cybersecurity breach of government networks that U.S. officials attribute to Russia.

According to the Associated Press, the DOJ said that 3% of its Microsoft Office 365 email accounts were potentially hacked. The DOJ does not believe that classified systems were breached but would not say to whom the email accounts belonged.

"On Dec. 24, 2020, the Department of Justice's Office of the Chief Information Officer (OCIO) learned of previously unknown malicious activity linked to the global SolarWinds incident that has affected multiple federal agencies and technology contractors, among others. This activity involved access to the Department's Microsoft O365 email environment," the DOJ said in a statement.

"After learning of the malicious activity, the OCIO eliminated the identified method by which the actor was accessing the O365 email environment. At this point, the number of potentially accessed O365 mailboxes appears limited to around 3-percent and we have no indication that any classified systems were impacted," the statement continued.

"As part of the ongoing technical analysis, the Department has determined that the activity constitutes a major incident under the Federal Information Security Modernization Act, and is taking the steps consistent with that determination. The Department will continue to notify the appropriate federal agencies, Congress, and the public as warranted," the DOJ said.

On Tuesday, United States intelligence agencies formally attributed the cyberattack, carried out through software manufactured by IT company SolarWinds, to a Russian-origin actor. The massive breach of government networks was disclosed by the company last month and is estimated to have reached as many as 18,000 SolarWinds customers who installed the trojanized update, along with an as yet unknown number of federal agencies, including the DOJ, the U.S. Treasury, and the Department of Commerce. Other agencies, including the Department of Homeland Security, the Department of Defense, and the Energy Department's National Nuclear Security Administration, have also confirmed they were affected by the attack.

A joint statement from the FBI, the Office of the Director of National Intelligence (ODNI), the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) blamed Russia for the attack. The Hill reported that these agencies had set up a Cyber Unified Coordination Group (UCG) in December to investigate the extent of the SolarWinds hack.

"This work indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks," the agencies said.

Michigan says elections department does not use compromised SolarWinds Orion software

As multiple U.S. federal agencies report breaches by hackers who used compromised software manufactured by IT company SolarWinds to infiltrate government computer networks, the state of Michigan says that so far there is "no indication" that the state network was affected.

Michigan, a key battleground state in the 2020 presidential election, has been the focus of multiple allegations of voter fraud and election irregularities made by lawyers for President Donald Trump's campaign and others. When reports emerged earlier this week that a "highly-sophisticated, targeted and manual supply chain attack by a nation state" compromised SolarWinds' Orion suite of network management software, rampant speculation immediately began as to whether the cyberattack somehow influenced the 2020 U.S. presidential election in Michigan and elsewhere.

SolarWinds sells its software to many government clients as well as private-sector customers. Rumors initially swirled that Dominion Voting Systems, the voting machine manufacturer at the center of allegations of election tampering made by President Donald Trump and his allies, used SolarWinds products, and questions were raised about whether voting machines had been hacked before the election.

Reporting by the Wall Street Journal's Alexa Corse and others clarified that while Dominion does in fact use SolarWinds' Serv-U product, the company does not use the compromised Orion product line. Following these reports, independent journalist Kyle Becker obtained a copy of a document from the state of Michigan's Department of Technology, Management, and Budget (DTMB) that said the state of Michigan used SolarWinds Orion products.

"MICHIGAN. Today, Dominion's CEO denied that the company had ever had any business with Orion SolarWinds, the tech… https://t.co/ssZ42koSao"
— Kyle Becker, on Twitter, Dec. 16, 2020

Caleb Buhs, a spokesman for the DTMB, confirmed to TheBlaze that Michigan uses SolarWinds Orion IT tools and that the state is investigating whether its networks were compromised in the cyberattack, as the Cybersecurity and Infrastructure Security Agency (CISA) recommended.

"Upon notification of the SolarWinds – Orion compromise, the state of Michigan started a forensic investigation of the state network in accordance with the recommended steps outlined by the U.S. Department of Homeland Security (DHS), Cybersecurity and Infrastructure Security Agency (CISA)," Buhs told TheBlaze.

"To date, there is no indication that the SolarWinds – Orion compromise was activated within the state network," he said.

"To protect the state environment, DTMB continues to monitor the environment and will follow any additional steps that may be recommended by CISA as more information is released," Buhs added.

The spokesman also said that the Michigan Department of State, Bureau of Elections systems do not use the SolarWinds Orion software.

Multiple federal agencies, including the U.S. Treasury and Commerce Departments, the Department of Energy and the National Nuclear Security Administration, have reported breaches in what officials say was a widespread cyberattack suspected of being conducted by foreign actors.

Cybersecurity firm FireEye stated in a blog post that hackers gained access to numerous public and private organizations through trojanized updates to SolarWinds' Orion software, meaning the malicious code was delivered through the vendor's own signed update channel. According to cybersecurity reporter Brian Krebs, the cyberattack could have affected as many as 18,000 SolarWinds customers.

The full extent of the cybersecurity compromise could remain unknown for some time as federal and state authorities conduct their investigations.

Report: U.S. agencies responsible for nuclear arsenal targeted in SolarWinds cyberattack

A new report reveals that hackers were able to infiltrate the U.S. Department of Energy and the National Nuclear Security Administration, which oversees the U.S. nuclear weapons arsenal. The cyberattack against the DOE and NNSA is part of a larger espionage operation that has affected at least half a dozen federal agencies, Politico's Natasha Bertrand reports.

The Energy Department's chief information officer, Rocky Campione, briefed officials of both departments about the attacks on Thursday, and the two agencies are now coordinating to brief members of Congress on the status of their network security.

The full extent of the cyberattack may not be known "for weeks," officials said.

From Politico:

They found suspicious activity in networks belonging to the Federal Energy Regulatory Commission (FERC), Sandia and Los Alamos national laboratories in New Mexico and Washington, the Office of Secure Transportation and the Richland Field Office of the DOE. The hackers have been able to do more damage at FERC than the other agencies, the officials said, but did not elaborate.

Federal investigators have been combing through networks in recent days to determine what hackers had been able to access and/or steal, and officials at DOE still don't know whether the attackers were able to access anything, the people said, noting that the investigation is ongoing and they may not know the full extent of the damage "for weeks."

Spokespeople for DOE did not immediately respond to requests for comment.

The Sandia and Los Alamos National Labs conduct atomic research related to the development of nuclear power and nuclear weapons. The Office of Secure Transportation is responsible for moving enriched uranium and other materials needed to maintain the nuclear stockpile, Politico reports. As for the attack on the Federal Energy Regulatory Commission, Politico's report speculates that it was targeted to gain information that may help malicious actors find vulnerabilities in the nation's bulk electric grid.

The report emphasizes how seriously United States national security is threatened by foreign hackers who were able to infiltrate U.S. government computer systems by compromising software from IT company SolarWinds, which has hundreds of government and private-sector clients.

In a joint statement released Wednesday, the FBI, Cybersecurity and Infrastructure Security Agency (CISA), and Office of the Director of National Intelligence (ODNI) confirmed the existence of a "significant and ongoing cybersecurity campaign."

"This is a developing situation, and while we continue to work to understand the full extent of this campaign, we know this compromise has affected networks within the federal government," the statement read.

In response to the threat, the FBI has launched investigations to "attribute, pursue, and disrupt the responsible threat actors," and CISA issued an emergency directive ordering federal civilian agencies to immediately disconnect or power down affected SolarWinds Orion products on their networks.

The ODNI is coordinating a response from the U.S. Intelligence Community to share information across the United States government.