The federal Cybersecurity and Infrastructure Security Agency (CISA) said Thursday that the hacking campaign that targeted the federal government is larger than what was previously known.
The alleged foreign actors gained backdoor access in more ways than through the SolarWinds software, which was publicly disclosed by the FBI and Department of Homeland Security (DHS) earlier this week.
But it stressed that the “SolarWinds Orion supply chain compromise is not the only initial infection vector this advanced persistent threat actor leveraged.”
The agency also warned that the threat “poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities” as well as the private sector.
Foreign hackers, whose country of origin is not known, compromised “government agencies, critical infrastructure entities, and private sector organizations” starting in March 2020 or before, according to CISA.
The cybersecurity agency noted that it “expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations,” adding: “It is likely that the adversary has additional initial access vectors and tactics, techniques, and procedures that have not yet been discovered.”
CISA said that it will continue to investigate incidents that “exhibit adversary TTPs consistent with this activity, including ... where victims either do not leverage SolarWinds Orion or where SolarWinds Orion was present but where there was no SolarWinds exploitation activity observed.”
On Sunday night, CISA issued a federal government-wide directive to purge all agency networks of possibly compromised servers after finding out that the U.S. Departments of Treasury and Commerce were breached. Other federal government agencies are also said to have been compromised.
Furthermore, SolarWinds acknowledged in a Sunday statement that its systems were compromised by hackers, saying its Orion software update was the mechanism the hackers exploited. The malign actors then used it to distribute malware to its customers’ computers, the Texas-based firm said.
Security researcher Vinoth Kumar told Reuters this week that he told SolarWinds in 2019 that its update server could be accessed easily by using the simple password, “solarwinds123.”
“This could have been done by any attacker, easily,” Kumar told the news outlet. Kumar first notified the company of the security problem on Nov. 19, 2019, and SolarWinds responded to him several days later.