The U.S. Department of Justice has joined the list of federal departments that have been victimized by a vulnerability in the SolarWinds Orion network management platform.
“On Dec. 24, 2020, the Department of Justice’s Office of the Chief Information Officer (OCIO) learned of previously unknown malicious activity linked to the global SolarWinds incident that has affected multiple federal agencies and technology contractors, among others,” the department said in a statement. “This activity involved access to the Department’s Microsoft O365 email environment.
“After learning of the malicious activity, the OCIO eliminated the identified method by which the actor was accessing the O365 email environment. At this point, the number of potentially accessed O365 mailboxes appears limited to around three per cent and we have no indication that any classified systems were impacted.”
Under federal law for government systems, this is deemed a “major incident,” the statement added.
In addition, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) also warned Wednesday it is looking into the possibility that the threat actor connected to recent incidents not only used Orion as an entry point but also abused Security Assertion Markup Language (SAML) tokens. “CISA is continuing to work to confirm initial access vectors and identify any changes to the tactics, techniques, and procedures (TTPs),” the statement said.
There are cases where initial access was obtained by password guessing, password spraying, and inappropriately secured administrative credentials accessible via external remote access services, it said.
Security investigators have found two vulnerabilities in Orion since its use in cyberattacks was discovered in December. It isn’t clear if the same attacker is responsible for both. Earlier this week, four U.S. law enforcement and intelligence agencies said an advanced persistent threat (APT) actor, “likely Russian in origin,” is responsible for most or all of the recently discovered and ongoing cyber compromises of both government and non-governmental networks.
U.S. federal departments that have publicly acknowledged being affected by Orion vulnerabilities include the Treasury, Commerce, Health, Homeland Security, Energy, the Cybersecurity and Infrastructure Security Agency, State and the National Nuclear Security Administration. According to ZDNet, three state governments were also hit, as well as the City of Austin, Texas and a number of tech companies including Microsoft and Cisco Systems.
There is also an investigation following several news reports that software from a Czech Republic-based tech company called JetBrains, which makes a widely used software development tool called TeamCity, may have been used to get into SolarWinds’ infrastructure, or was used separately to attack organizations. A story in the New York Times notes that JetBrains has a research and development lab in Russia. One of its customers is SolarWinds.
In a statement, JetBrains CEO Maxim Shafirov said his company “has not taken part or been involved in this attack in any way. SolarWinds is one of our customers and uses TeamCity, which is a Continuous Integration and Deployment System, used as part of building software. SolarWinds has not contacted us with any details regarding the breach and the only information we have is what has been made publicly available. It’s important to stress that TeamCity is a complex product that requires proper configuration. If TeamCity has somehow been used in this process, it could very well be due to misconfiguration, and not a specific vulnerability.”
JetBrains hasn’t been contacted by any government or security agency regarding recent cyber attacks, he added.
(This story has been updated from the original with statements from the CISA)