Patterico's Pontifications

12/14/2020

Russians Hacked Trump Administration’s Treasury and Commerce Departments

Filed under: General — Patterico @ 8:29 am



The Succeeding New York Times has the story:

The Trump administration acknowledged on Sunday that hackers acting on behalf of a foreign government — almost certainly a Russian intelligence agency, according to federal and private experts — broke into a range of key government networks, including in the Treasury and Commerce Departments, and had free access to their email systems.

Officials said a hunt was on to determine if other parts of the government had been affected by what looked to be one of the most sophisticated, and perhaps among the largest, attacks on federal systems in the past five years. Several said national security-related agencies were also targeted, though it was not clear whether the systems contained highly classified material.

The Trump administration said little in public about the hack, which suggested that while the government was worried about Russian intervention in the 2020 election, key agencies working for the administration — and unrelated to the election — were actually the subject of a sophisticated attack that they were unaware of until recent weeks.

The hackers have had access since the spring. A similar attack happened to the Obama administration in 2014 and 2015.

Coincidentally, this morning I began reading Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers, by Andy Greenberg (affiliate link). Two chapters in, it’s a compelling book that reads like a novel. Before reading the New York Times story, I had planned to write a post about how cyber attacks are like pandemics: a handful of people warn about them, but nobody listens until it is too late.

The attack on Treasury and Commerce is small potatoes. Much worse could happen. But maybe we should start paying attention now, rather than later.

31 Responses to “Russians Hacked Trump Administration’s Treasury and Commerce Departments”

  1. So what about CISA and Krebs?

    nk (1d9030)

  2. I’m certainly no national security expert, but it almost seems like we should’ve spent some of the last four years shoring up our infrastructure against Russian cyberattacks instead of downplaying or denying them outright while kissing Putin’s ass at every turn.

    TR (9bed35)

  3. Typical.

    Time123 (b4d075)

  4. I expect Trump will react to this hacking business just as forcefully as responded to Putin’s failed attempt to assassinate a chief political rival, Navalny.

    Paul Montagu (77c694)

  5. a foreign government…broke into a range of key government networks, including in the Treasury and Commerce Departments, and had free access to their email systems.

    But they didn’t get into clintonemail.com (Bill Clinton’s secret server) during the time Hillary Clinton was using it, because it was more secure.

    It couldn’t be hacked. No backdoor password reset. No plausible phishing emails. Password picked by computer and impervious to a dictionary attack, and if it continued for some time, the server would be shut down temporarily by the SYSOP. Limited throughput, so if by any chance it was penetrated, the SYSOP would know and stop it before much material was obtained. Limited number of users, all personally approved by the SYSOP. Running software not known to the hackers. Physically protected by the Secret Service so not even a burglary could get at the data.

    Resistant to subpoenas as well.

    Sammy Finkelman (26a080)

  6. nk (1d9030) — 12/14/2020 @ 9:03 am

    So what about CISA and Krebs?

    Election systems, especially vote counting systems, are not connected to the Internet.

    There could be ways of hacking something not connected to the Internet, a la the Stuxnet virus that ruined Iranian cyclotrons, but it requires much effort and many stages. The Russians started too late in 2016 and in 2020 they didn’t try at all – I think that’s what it is. Of course among the Trump election claims is that somebody maybe stuck a USB drive into a Dominion voting machine.

    https://www.usatoday.com/story/news/factcheck/2020/12/02/fact-check-claim-dominion-tech-altered-georgia-votes-false/3792599001

    Sammy Finkelman (26a080)

  7. This is an institutional problem, not necessarily a problem of whoever resides in the White House.

    I’ve been trying to wrap my head around this ever since the Hillary Clinton email saga, but there doesn’t seem to be a coherent enterprise-wide strategy to the government’s non-military IT infrastructure and policies.

    FWIW, my background is that of an IT professional working for one of the largest healthcare institutions in the state. I regularly meet with my executives and auditors with respect to our policies in IT security.

    Having said that, it looks like EACH federal department has its “own” IT team/infrastructure/policies, so there’s going to be disparate “IT infrastructures & Policies” between the departments. That is, the folks supporting the VA are different folks than the Treasury. There’s nothing wrong with it per se, as each department’s security needs can be different.

    However, I think Congress needs to create a new cabinet-level position, confirmed by the Senate, to be the Executive Branch’s CIO/CTO officer, whose job is to lead the non-military departments’ IT/security needs. This ought to be a new department as well, so that it’s funded properly with congressional oversight, as well as have department IGs ensuring everyone is in compliance. Having it at the cabinet level puts MORE accountability on whoever resides in the White House.

    I mean, that OPM hack several years ago was due to an absolutely appalling level of security. Yet, there wasn’t much made public after the Root Cause Analysis (RCA) of what happened and what is being done to strengthen security.

    That’s my idea to address this: take industry standards and incorporate all the best practices to protect the government’s IT infrastructure.

    Seems so simple… and yet, here we are.

    whembly (c30c83)

  8. @5 Sammy, that’s not quite accurate. Government officials have stated time and again that it was more than possible that hackers were already monitoring the Clintons’ homebrew servers. That is because the security settings used were so lax (that includes the original Apple email server, and it was especially true when they migrated to MS Outlook). Much, much more needed to be done to “harden” that email server.

    This goes into a little more detail:
    https://www.techdirt.com/articles/20160623/09170034795/emails-show-hillary-clintons-email-server-was-massive-security-headache-set-up-to-route-around-foia-requests.shtml

    There’s the roundup of all HRC email saga:
    https://www.techdirt.com/blog/?tag=hillary+clinton

    whembly (c30c83)

  9. @7 …continuing, such CIO/CTO cabinet-level officials would also be responsible for managing the Executive’s political appointees’ (i.e., cabinet, deputies, ambassadors, etc…) email & personal devices during their term, to ensure proper security is observed and compliance with regulations like the FOIA and classified info handling.

    What you’d want to avoid is another story that an Executive is conducting business in personal email (…and no, forwarding personal email correspondence to the government account shouldn’t suffice. A stronger sanction should be deployed here to encourage compliance).

    whembly (c30c83)

  10. The hack was not against the government, but against Solarwinds (NYSE:SWI) which provides security software to governments and firms worldwide. Their recent updates contained a Trojan hack, so by updating their security suite, the various agencies and firms opened themselves to the Russians.

    SWI down 17% today. I would not want to own their stock, even now. Their reputation has taken a possibly fatal hit.

    Kevin M (ab1c11)

  11. Yet, there wasn’t much made public after the Root Cause Analysis (RCA) of what happened and what is being done to strengthen security.

    Nor should there be, and I say that as an OPM hack victim. If the same thing happens again, though, the laws against negligence with classified material should be employed in detail. They should have been last time, too, but it took Obama a year to remove those responsible; no one went to jail.

    Kevin M (ab1c11)

  12. Correct, Kevin M. This hack is much more serious than even the headlines are portraying. This is from Krebs On Security (no, not that Krebs).

    U.S. Treasury, Commerce Depts. Hacked Through SolarWinds Compromise

    That’s quite a list of customers for SolarWinds.

    JoeH (f94276)

  13. Today, SolarWinds “minimizes” this by saying that “only” 18,000 of its 300,000 customers were affected.

    Kevin M (ab1c11)

  14. So, it turns out that Dominion is a Solarwinds customer. Just sayin’

    Kevin M (ab1c11)

  15. Almost as bad as China hacking OPM and getting the background information on every government employee, including those working in the USIC.

    Hoi Polloi (139bf6)

  16. 8. whembly (c30c83) — 12/14/2020 @ 11:25 am

    @5 Sammy, that’s not quite accurate. Government officials have stated time and again that it was more than possible that hackers were already monitoring the Clintons’ homebrew servers. That is because the security settings used were so lax (that includes the original Apple email server, and it was especially true when they migrated to MS Outlook). Much, much more needed to be done to “harden” that email server.

    That’s what they said

    But clintonemail.com was not like a big system.

    Of course, it was state.gov that was more vulnerable (made more vulnerable for a while in 2011 because Bryan Pagliano (Hillary’s IT person at the State Department) disabled a newly installed anti-phishing spam filter until he could secretly whitelist hdr22@clintonemail.com and probably a few other email addresses at clintonemail.com).

    This goes into a little more detail:

    https://www.techdirt.com/articles/20160623/09170034795/emails-show-hillary-clintons-email-server-was-massive-security-headache-set-up-to-route-around-foia-requests.shtml

    That’s what I was talking about above.

    This has nothing to do with FOIA requests, though, except for the idea that the reason Hillary set this up was to evade FOIA requests. That’s not true. She evaded FOIA requests by never sending any communications to lower ranking people in the State Department by email. Everything was communicated orally or through other people. She really left almost no trace of what she did. When she communicated with the White House she copied the email to a dummy state.gov email address so it should look like she had one.

    The purpose of the private email system was probably so that she should not accidentally leave any incriminating evidence in government records – including email sent to her by people outside the State Department emailing her.

    There’s the roundup of all HRC email saga:

    https://www.techdirt.com/blog/?tag=hillary+clinton

    Looks like an interesting link.

    There are election rigging charges made in 2016 by Democrats.

    Sammy Finkelman (26a080)

  17. Kevin M @10

    Their recent updates contained a Trojan hack, so by updating their security suite

    In other words, if I understand this correctly, they hacked the software provider’s security update!

    And every super secure system was penetrated.

    clintonemail.com, on the other hand, used tried and tested software.

    Sammy Finkelman (26a080)

  18. In 2016 somebody physically got the Chinese Communist Party’s list of members out of a building in Shanghai (it is said not to be a hack). It was uploaded somewhere in encrypted form.

    Six weeks ago it was leaked and now the news broke. It listed them by party cell, and party cells were organized according to place of work.

    Sammy Finkelman (26a080)

  19. Dustin Volz is a cybersecurity reporter for the WSJ. His Twitter account says:

    RUMOR CONTROL: “Dominion Voting Systems does not now nor has it ever used the SolarWinds Orion Platform, which was subject of the DHS emergency directive dated December 13, 2020,” a Dominion spokeswoman says. via @AlexaCorse

    Alexa Corse is also a WSJ reporter and she retweeted it.

    DRJ (aede82)

  20. Homeland Security was hit, too.

    DRJ (aede82)

  21. Moscow denied any connection to the hackers. No one but Trump believes that.

    DRJ (aede82)

  22. @20: Good to know.

    Kevin M (ab1c11)

  23. So, what do we do to respond to this?

    Kevin M (ab1c11)

  24. Kevin,
    Step 1 wait until Jan 20
    Step 2 who knows. But I’m sure about step 1.

    Time123 (52fb0e)

  25. As expected, the Russian hack was way worse than initially reported.

    The scope of a hack engineered by one of Russia’s premier intelligence agencies became clearer on Monday, when the Trump administration acknowledged that other federal agencies — the Department of Homeland Security and parts of the Pentagon — had been compromised. Investigators were struggling to determine the extent to which the military, intelligence community and nuclear laboratories were affected by the highly sophisticated attack.

    Putin might as well have pissed on Trump’s head.

    Paul Montagu (77c694)

  26. Bellingcat did some research on the Navalny poisoning, concluding that a Russian hit squad was out to get him.
    This morning, Putin finally congratulated Biden on his victory.

    Paul Montagu (44a4b4)

  27. This morning, Putin finally congratulated Biden on his victory.

    Putin is more respectful of our Constitution than we are. The Electoral College designates the President-Elect, not CNN (or the GSA for that matter). Not to mention that it would have been impolitic and undiplomatic to have taken a side before the United States as a whole did.

    No, I think Putin played it just right. But, then, he mostly does. If only he had chosen a better proxy to govern America with.

    nk (1d9030)

  28. The systems that were hacked were those that used the Orion network management software upgrade that was the latest version between March and June, 2020. It gave outsiders a backdoor.

    Letters were sent to 33,000 customers by SolarWinds, but slightly less than 18,000 systems downloaded that upgrade. They are all over the world, but the presumed target was the U.S. government.

    How SolarWinds itself was compromised was not disclosed except maybe that it was their Microsoft Office 365 email system that was compromised first and from there the hackers may have been able to gain access to data contained in their office productivity tools – and presumably eventually alter their software after it had passed all their tests.

    Microsoft said, in a blog post on Sunday, the day before SolarWinds said in an SEC filing that 33,000 customers had been notified, that it hadn’t identified any vulnerabilities in its products, so I suppose that means entry was first gained by spear phishing utilizing information gained from previous hacks.

    Sammy Finkelman (26a080)

  29. While 33,000 institutions could have downloaded the hacked software update, and almost 18,000 did, only a few hundred organizations were probably penetrated.

    They are discovering it one by one: U.S. Department of State, Treasury, Energy etc.

    The back door created with the hack was open during the time the latest Orion update installed was the March one. In June another update didn’t have the hack included with their software upgrade, but any place that was penetrated might still be.

    The U.S. government also thinks there might have been more than one way their systems were hacked.

    Sammy Finkelman (ab7073)

  30. The problem is that the United States federal government has a very limited list of software products the agencies are allowed to use, and if the creator gets hacked, as seems to have happened here with their update becoming a Trojan horse, everything gets hacked.

    They don’t test and pre-approve the upgrades, at least they don’t test and see what is available for download.

    Sammy Finkelman (ab7073)
