The Energy Department and National Nuclear Security Administration, which maintains the U.S. nuclear weapons stockpile, have evidence that hackers accessed their networks, officials directly familiar with the matter said.
Investigators found suspicious activity in networks belonging to the Federal Energy Regulatory Commission (FERC), Sandia and Los Alamos national laboratories in New Mexico and Washington, the Office of Secure Transportation and the Richland Field Office of the DOE.
DOE and NNSA officials have begun coordinating notifications about the breach to their congressional oversight bodies. Officials at DOE still don’t know whether the attackers were able to access anything, the people said—and may not know "for weeks".
We asked cyber experts to weigh in on this new development.
Mark Carrigan, COO at PAS Global, a Houston-based OT integrity company that delivers software solutions to prevent, detect, and remediate cyber threats:
"Given the massive global scale of installations, the stakes are high with the SolarWinds hack. Many of these installations are across highly-sensitive industrial operations where network visibility is traditionally weaker. In fact, [earlier this week] the ESCC, whose members include some of the largest U.S. power utility companies, gathered to discuss the emerging threat and how to respond.
You cannot secure what you can’t see, so organizations across every industry must react by first identifying where SolarWinds software is installed across their environments. From there, they must further hone in on their inventory by determining the version(s) that are running to evaluate the vulnerability risk that may or may not be present. Without doing so, these risks get scaled in tandem with the vulnerabilities, and from the industrial perspective, this jeopardizes critical functions that impact everyday life."
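The inventory step Carrigan describes (find every SolarWinds install, then pin down which version each host runs) is usually done against an export from an asset-inventory or endpoint tool. The script below is an added illustration, not code from the article or from PAS Global: it parses a constructed CSV export (the host names, products and versions are made up), keeps only SolarWinds products, groups hosts by version so each version's risk can be evaluated once, and lets you list the hosts on whichever versions the vendor advisory you are working from names. The CSV column names `host`, `product` and `version` are assumptions about the export format.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample export (not real hosts): the shape an inventory or
# endpoint tool might produce. Column names are an assumption.
SAMPLE_INVENTORY = """host,product,version
ot-hist-01,SolarWinds Orion Platform,2020.2.1
ot-hist-02,SolarWinds Orion Platform,2019.4
corp-mon-01,solarwinds orion platform,2020.2
corp-file-01,Microsoft SQL Server,15.0.2000
dmz-jump-01,SolarWinds Orion Platform,2020.2.1
"""


def parse_version(text):
    """Split '2020.2.1' into ((2020, 2, 1), '') and '2019.4 HF5' into ((2019, 4), 'hf5')
    so versions sort numerically rather than as strings ('2020.2' < '2020.2.1')."""
    m = re.match(r"^\s*(\d+(?:\.\d+)*)\s*(.*)$", text)
    if not m:
        return (), text.strip().lower()
    nums = tuple(int(p) for p in m.group(1).split("."))
    return nums, m.group(2).strip().lower()


def solarwinds_by_version(csv_text, vendor="solarwinds"):
    """Return {version: [hosts]} for every row whose product mentions the vendor.
    Matching is case-insensitive because exports rarely normalise product names."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if vendor not in row["product"].lower():
            continue
        groups[row["version"].strip()].append(row["host"].strip())
    return dict(groups)


def hosts_running(groups, versions):
    """Hosts whose installed version is in `versions` (e.g. the set an advisory lists)."""
    return sorted(h for v, hosts in groups.items() if v in versions for h in hosts)


def report(csv_text):
    """Print hosts per version, newest version first, and return the grouping."""
    groups = solarwinds_by_version(csv_text)
    for ver in sorted(groups, key=parse_version, reverse=True):
        print(f"{ver:>12}: {len(groups[ver])} host(s) -> {', '.join(groups[ver])}")
    return groups


if __name__ == "__main__":
    g = report(SAMPLE_INVENTORY)
    # Versions named here are only a demonstration of the lookup, not an advisory list.
    print("On 2020.2.1:", hosts_running(g, {"2020.2.1"}))
```

Grouping by version first matters because the risk question is per version, not per host: once you know which versions are present you evaluate each against the vendor's advisory, then `hosts_running` gives the remediation list for the versions that need action.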
Rick Holland, Chief Information Security Officer, Vice President Strategy at Digital Shadows, a San Francisco-based provider of digital risk protection solutions:
“While we cannot confirm the reporting, it is entirely possible that additional government agencies have been targeted in this campaign. As the incident response activities and historical hunting continue, more details will trickle out to the public; however, the general public is unlikely to ever know the complete scope and implications of these intrusions.”
Mark Kedgley, CTO at New Net Technologies (NNT), a Naples, Florida-based provider of cybersecurity and compliance software:
“There is no such thing as 100% secure, so having effective breach detection is just as critical as preventative vulnerability-management controls. Establishing a secure baseline and operating sensitive integrity monitoring is the only way to guarantee systems have not been tampered with.”
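Kedgley's "secure baseline plus integrity monitoring" is, at its core, a recorded set of file hashes compared against the live system. The script below is an added example, not code from the article or from NNT: it builds a SHA-256 baseline of every regular file under a directory, stores it as JSON, and reports files that were added, removed or modified since. `demo()` runs the whole cycle on a constructed temporary directory and simulates tampering (one file changed, one dropped in, one deleted); the file names in it are made up.

```python
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative, '/'-separated) to its hash, size and mode."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.stat(full)
            baseline[rel] = {"sha256": hash_file(full), "size": st.st_size, "mode": st.st_mode & 0o777}
    return baseline


def save_baseline(baseline, path):
    with open(path, "w", encoding="utf-8") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def compare(baseline, current):
    """Diff two baselines; a file counts as modified when its content hash differs."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p]["sha256"] != current[p]["sha256"]),
    }


def demo():
    """Baseline a constructed tree, tamper with it, and return the detected changes."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "bin", "a.dll"), "wb") as f:
            f.write(b"original library bytes")
        with open(os.path.join(root, "etc", "b.cfg"), "w") as f:
            f.write("setting=1\n")

        store = os.path.join(tempfile.gettempdir(), "baseline-demo.json")
        save_baseline(build_baseline(root), store)

        # Simulated tampering: modify a binary, add an unexpected file, delete a config.
        with open(os.path.join(root, "bin", "a.dll"), "wb") as f:
            f.write(b"original library bytes plus injected code")
        with open(os.path.join(root, "bin", "new.dll"), "wb") as f:
            f.write(b"unexpected file")
        os.remove(os.path.join(root, "etc", "b.cfg"))

        result = compare(load_baseline(store), build_baseline(root))
        os.remove(store)
        return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points carry the weight of "secure baseline": the baseline must be taken from a known-good state (a fresh install or a verified image, not a system that may already be compromised), and the stored JSON must live somewhere the monitored host cannot rewrite, since an attacker who can edit the baseline can hide any change.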
Tom Pendergast, Chief Learning Officer at MediaPro, a Seattle, Washington-based provider of cybersecurity and privacy education:
“It appears that human error wasn’t directly implicated in this incident, but the fact that nation-state actors had months of gathering inside information that they could use to extort or manipulate employees within the breached companies should ignite planning right now to prepare employees to fend off social engineering attempts that utilize this information. Imagine how easy it would be to scam an employee if you could examine all their communications. This is a ticking time bomb that may take many years to explode.”
Brandon Hoffman, Chief Information Security Officer at Netenrich, a San Jose, Calif.-based provider of IT, cloud, and cybersecurity operations and services:
“This is really just the beginning. As soon as we think it can’t get any worse, more evidence will be found. The government needs to really step up and prepare for the fallout of all this data loss. Claiming we don’t know will not satisfy the public about the state of national security. There needs to be some level of transparency about what was taken and how we plan to respond based on all the potential ways this data can be used.”