U.S. Treasury Data Breach Much Worse Than Initially Assumed
Table of Contents
- By Dawna M. Roberts
- Published: Dec 23, 2020
- Last Updated: Mar 18, 2022
The SolarWinds Orion attack has such far-reaching consequences. Not only were more agencies affected than previously thought, but the data breach of the U.S. Treasury Department was also much worse than we were led to believe.
What Happened?
According to Data Breach Today, a senior Democratic senator reported that the SolarWinds supply chain attack affected dozens of U.S. Treasury Department email accounts.
Data Breach Today reported, “The hack of the Treasury Department appears to be significant,” says Sen. Ron Wyden, D-Ore., the top Democrat on the Senate Finance Committee, in a statement. “According to Treasury staff, the agency suffered a serious breach, beginning in July, the full depth of which isn’t known.”
Security experts believe the hackers had “full access” to these email accounts, which could mean any number of things. A full investigation is ongoing to determine what was breached and how it may impact things going forward.
The Ongoing Investigation into the SolarWinds Attack
Along with FireEye and 50 other high-value targets, the hacker group was well-funded and focused. More than 18,000 SolarWinds customers downloaded the malicious software onto their devices.
Along with the grim news that many email accounts were affected, some belonging to the department’s highest-ranking officials, the IRS has commented that “there is no evidence that IRS was compromised or taxpayer data was affected.”
On CNBC on Monday, Treasury Secretary Steven Mnuchin said, “We do not see any breaking into our classified systems,” he said. “Our unclassified systems did have some access. I will say the good news is there’s been no damage, nor have we seen any large amounts of information displaced.” He also reassured the public they are on top of the situation.
The Microsoft Connection
Microsoft is fully involved in the investigation in part because they too were on SolarWinds’ supply chain customer list, along with Belkin, Cisco, VMWare, Nvidia, and Intel. According to Data Breach Today, “On Thursday, Microsoft President Brad Smith said his company had notified more than 40 customers that they appeared to have been victims of the more advanced phase of the intrusion. He said 80% of those organizations are U.S.-based, and the others are in Canada, Mexico, Belgium, Britain, Spain, Israel, and the United Arab Emirates.” Needless to say, the U.S. government also uses many SolarWinds products, and those agencies breached had exploited versions.
Part of the problem is that many U.S. government agencies use Office 354 and email accounts integrated into that cloud-based system. Hackers used the vulnerability in Orion to gain access to Azure Active Directory and Office 365. Once the culprits had their single sign-on tokens, they had full access to those mailboxes for an unknown length of time.
The Need for Better Email Encryption
In his report, Mnuchin also commented that “Finally, after years of government officials advocating for encryption backdoors and ignoring warnings from cybersecurity experts who said that encryption keys become irresistible targets for hackers, the U.S. government has now suffered a breach that seems to involve skilled hackers stealing encryption keys from U.S. government servers.”
Could it Be Russia Again?
With so many of the most recent data breaches and hacking incidents pointed at Russia, threat assessors have to consider that this too might be related to a state-backed bad actor. Russia has denied any involvement, but would they really tell us if they were behind it?
On Friday, during a radio broadcast, Secretary of State Mike Pompeo said, “This was a very significant effort, and I think it’s the case that now we can say pretty clearly that it was the Russians that engaged in this activity.” Then on Monday, Attorney General Bill Barr reinforced the idea with, “It certainly appears to be the Russians, but I am not going to discuss it beyond that.”
In between the two figures stands President Donald Trump, who downplayed the severity of the SolarWinds supply chain attack and implied that it was most likely China, not Russia, who was behind it.
The problem is that Russian hacker gangs are well funded, well trained, and very difficult to find and apprehend. Dmitri Alperovitch, who used to head up CrowsStrike, said, “If this is indeed SVR, as we believe it is, those guys are incredibly hard to kick out of networks.”
What is the SVR?
The SVR is Russia’s intelligence agency (like the U.S. CIA). The SVR was established in December of 1920. The current Russian Prime Minister, Vladimir Putin, is a graduate of the SVR and served in East Germany during the 1980s. According to the BBC, the SVR describes itself as a “modern special service employing talented, ambitious people devoted to the Motherland and their military duty.” After the end of the Cold War, things between the U.S. and Russia had improved, but since Vladimir Putin has been at the helm, relations have deteriorated, and more and more U.S. targeted digital attacks seem to trace back to Russia.