SolarWinds hackers also breached the US NNSA nuclear agency

US DOE confirmed that threat actors behind the recent SolarWinds supply chain attack also hacked the networks of the US NNSA nuclear agency.

US DOE confirmed this week that threat actors behind the recent SolarWinds supply chain attack also compromised the networks of the US National Nuclear Security Administration (NNSA) agency.

“The Department of Energy is responding to a cyber incident related to the Solar Winds compromise in coordination with our federal and industry partners. The investigation is ongoing and the response to this incident is happening in real time. At this point, the investigation has found that the malware has been isolated to business networks only, and has not impacted the mission essential national security functions of the Department, including the National Nuclear Security Administration (NNSA). When DOE identified vulnerable software, immediate action was taken to mitigate the risk, and all software identified as being vulnerable to this attack was disconnected from the DOE network,” said Shaylyn Hynes, DOE spokeswoman.

“Additional background: As part of its ongoing response, DOE has been in constant communication with our industry partners, including the leadership of the energy sector Subsector Coordinating Councils, and is also in regular contact with Electricity, Oil & Natural Gas (ONG), and Downstream Natural Gas (DNG) Information Sharing and Analysis Centers (ISAC).”

NNSA is a semi-autonomous agency within the U.S. Department of Energy that was established by Congress in 2000. The agency is responsible for enhancing national security through the military application of nuclear science. NNSA maintains and enhances the safety, security, and effectiveness of the U.S. nuclear weapons stockpile; works to reduce the global danger from weapons of mass destruction; provides the U.S. Navy with safe and militarily effective nuclear propulsion; and responds to nuclear and radiological emergencies in the United States and abroad.

DOE and NNSA have notified their congressional oversight bodies of the breach, after government experts found evidence of compromise in both DOE and NNSA networks.

“They found suspicious activity in networks belonging to the Federal Energy Regulatory Commission (FERC), Sandia and Los Alamos national laboratories in New Mexico and Washington, the Office of Secure Transportation at NNSA, and the Richland Field Office of the DOE,” reads the post published by Politico.

“The hackers have been able to do more damage at FERC than the other agencies, and officials there have evidence of highly malicious activity, the officials said, but did not elaborate.”

According to DOE officials, the agency that suffered the most damage was FERC.

The hackers likely targeted the Federal Energy Regulatory Commission with a view to disrupting the US electric grid. FERC holds sensitive data on the electric grid that an advanced attacker could use to plan a disruptive attack on this infrastructure.

The Cybersecurity and Infrastructure Security Agency (CISA) is helping the affected federal agencies respond to the hacking campaign.

According to the DOE, the threat actors did not get into critical defense systems.


Since the supply chain attack was disclosed, Microsoft, FireEye, and GoDaddy partnered to create a kill switch for the SolarWinds Sunburst backdoor.

Pierluigi Paganini

(SecurityAffairs – hacking, NNSA)
