The Justice Department acknowledged its email was accessed as part of the ongoing intelligence-gathering campaign linked to a backdoor in a SolarWinds product.
“After learning of the malicious activity, the [Office of the Chief Information Officer] eliminated the identified method by which the actor was accessing the [Microsoft] O365 email environment. At this point, the number of potentially accessed O365 mailboxes appears limited to around 3-percent and we have no indication that any classified systems were impacted,” Spokesman Marc Raimondi said in a statement released Jan. 6.
The department said the activity constitutes a major incident under the Federal Information Security Modernization Act, which means it “is likely to result in demonstrable harm to the national security interests, foreign relations, or the economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people” and requires additional reports to certain Congressional committees.
This is at least the second agency to publicly admit that its email was compromised. Treasury Secretary Steven Mnuchin confirmed the department’s unclassified systems were accessed during a Dec. 21 appearance on CNBC’s “Squawk on the Street.” Mnuchin didn’t go into details but did say that classified systems did not appear to be breached.
That’s two of the “fewer than 10” government agencies that the administration’s Cyber Unified Coordination Group said were compromised in follow-on activities in intelligence gathering operations likely conducted by Russia. Commerce and Energy departments previously publicly confirmed that they’ve been impacted. Various press reports have also named the Defense, State and Homeland Security departments as well as the National Institutes of Health.
Cybersecurity and Infrastructure Security Agency revised its related emergency directive for the third time. The new version supersedes previous guidance and requires agencies to do three things:
- Agencies that ran affected versions must conduct forensic analysis.
- Agencies that must accept the risk of running SolarWinds Orion comply with certain hardening requirements.
- Department-level chief information officers must submit additional status reports by Tuesday, January 19, and Monday, January 25, 2020.
The guidance reiterates that federal agencies that haven’t been affected must operate at least SolarWinds Orion platform version 2020.2.1HF2, and also offers more details on third-party systems and required actions.
“CISA provides this guidance as the minimum required guidance for Federal Executive Branch Agencies subject to CISA’s emergency directive authority,” the guidance states.
Software made by a small company founded by Russian engineers and based in the Czech Republic may have been an entry point into other vendors, according to a New York Times report. The report says that intelligence agencies and private cybersecurity investigators are looking into whether a JetBrains software development tool was accessed by hackers. The tool, called TeamCity, is a widely used tool to test code before it’s released and could have been how hackers inserted a backdoor into other products. One of JetBrains’ customers is SolarWinds. JetBrains officials told the New York Times they are unaware of any investigation nor compromise.