At least three state governments were compromised in a widespread hacking operation that’s also swept up much of the federal government and that U.S. authorities believe is the work of Russian government-backed actors, it was reported Thursday.
According to Bloomberg News, three state governments joined several federal agencies — including the departments of Treasury, Commerce, Homeland Security and Energy — where hackers were able to access systems by exploiting network monitoring software from SolarWinds. The report did not identify the compromised state governments. Officials have pinned the operation, which was first reported Sunday, on a hacking group known alternatively as APT29 or Cozy Bear, which is linked to the SVR, the Kremlin’s foreign intelligence bureau.
While SolarWinds — which has said as many as 18,000 of its customers worldwide may have been subjected to malicious code injected into its supply chain — is a prominent federal IT contractor, several states are known to use its products as well. On Thursday, the Cybersecurity and Infrastructure Security Agency, which previously ordered federal agencies to shut off and mitigate their SolarWinds implementations, issued a new advisory warning that the hacking operation poses threats to all levels of government, the private sector and other operators of critical infrastructure.
“CISA has determined that this threat poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations,” the alert read. “Organizations with suspected compromises need to be highly conscious of operational security, including when engaging in incident response activities and planning and implementing remediation plans.”
CISA also warned that the operation may be gaining access to government networks through routes other than the SolarWinds vulnerability.
“This adversary has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks,” the alert stated. “It is likely that the adversary has additional initial access vectors and tactics, techniques, and procedures that have not yet been discovered.”
StateScoop this week asked several state IT organizations if they employ any SolarWinds products. Though some did not reply, officials in Texas and North Carolina confirmed their agencies use the company’s software and that they are taking steps in light of the hacking operation.
“We are evaluating the matter as more information becomes available and are taking all available security measures,” said Brittany Paylor, a spokesperson for the Texas Department of Information Resources. Paylor also said that DIR is providing “countermeasures” to all state agencies and local governments that purchased SolarWinds software through its contracting program.
Maggie Bizzell, communications manager for the North Carolina Department of Information Technology, told StateScoop that the department has not received or identified any signs of intrusion, but “is working to ensure all entities are applying best practices provided by DHS CISA.”
State and local governments are not often targets of government-backed hackers like APT29, but states should move quickly to take steps to react to the SolarWinds operation if affected, said John Evans, a former chief information security officer for the State of Maryland.
“You want to see if you’re one of those 18,000 customers that received the malware passed through it,” said Evans, now the chief technology adviser with IT services provider World Wide Technology. “You want to fix it as soon as possible, get all the patches.”
Evans recommended that government cybersecurity officials do manual searches for indicators of compromise — the CISA alert lists several dozen — as well as any unusual lateral movement across networks. He also suggested checking the Azure Active Directory for users of Microsoft’s cloud environment, domain name system logs and file hash data from endpoint detection and response systems.
“Nothing groundbreaking there, but you want to make sure you’re doing those things,” he said.