Can we just have one quiet weekend...
Can confirm @Bing_Chris's report that several federal agencies incl NTIA are investigating breaches seemingly tied to nation-state hackers.

"It's not entirely certain what vulnerability they're using, how they got in, but it continues to be a problem," a U.S. official told me.
"The FBI's on site" at the Commerce Department, the parent agency of NTIA, per this official.

Emergency NSC meeting yesterday, this person said.

"It seems like it's gonna be a much bigger issue, but there's not a lot of firm understanding of how broad the scale is."
In addition to the FBI, CISA is providing support, and ODNI and U.S. Cyber Command have gotten involved.

"When CyberCom starts getting involved in something, it's a big deal," U.S. official said. "The implication is that it's a nation-state confrontation."
The attack appears to have involved victims' Microsoft authentication tokens, raising concerns that the same techniques could be used on a wider scale.

"This seems to be connected to microsoft in some way," U.S. official said.
.@nakashimae is reporting that Russia's foreign intelligence service, the SVR, is behind these federal agency intrusions: washingtonpost.com/national-secur…

The SVR was also reportedly behind the FireEye hack.
@nakashimae When FireEye announced its breach, it said that it was working with Microsoft to investigate.

Seems possible that these attacks are connected in terms of technique, not just perpetrator.
From Reuters' story: "Hackers broke into the NTIA’s office software, Microsoft’s Office 365. Staff emails at the agency were monitored by the hackers for months..."

The hackers were "able to trick the Microsoft platform’s authentication controls..."

reuters.com/article/us-usa…
A bit more specificity on timing, per a U.S. official: Investigators believe that the hackers had been monitoring federal workers' emails since June.

Fear is that "the same techniques…could have been leveraged against other agencies," since "everybody uses Microsoft products."
SolarWinds' other government customers, per its website: Census Bureau, DOJ, Oak Ridge and Sandia National Labs, VA, Army, Air Force, Navy, and Marine Corps. solarwinds.com/federal-govern…

Plus state, local, educational, and foreign customers, e.g. Texas, NHS, and European Parliament.
CISA statement: “We have been working closely with our agency partners regarding recently discovered activity on government networks. CISA is providing technical assistance to affected entities as they work to identify and mitigate any potential compromises.”
NTIA referred to Commerce, which said: "We can confirm there has been a breach in one of our bureaus. We have asked CISA and the FBI to investigate, and we cannot comment further at this time."
NSC spokesman John Ullyot: “The United States government is aware of these reports and we are taking all necessary steps to identify and remedy any possible issues related to this situation.”
FBI and Treasury Department have not provided comments yet.
SolarWinds, the IT firm used by federal agency victims, says "a highly-sophisticated, targeted and manual supply chain attack by a nation state" compromised the software updates released earlier this year for its Orion IT monitoring platform.
Confirming earlier suspicions, FireEye says that its breach was part of a global campaign of cyberattacks leveraging a compromised SolarWinds Orion software update.

FireEye is notifying victims it discovers.

fireeye.com/blog/products-…

Technical details: fireeye.com/blog/threat-re…
🚨 CISA has issued an emergency order requiring federal agencies to disable SolarWinds IT products, which hackers exploited to penetrate Treasury, NTIA, and possibly other agencies. cyber.dhs.gov/ed/21-01/

Disconnection "is the only known mitigation measure currently available."
Microsoft has published a report on the hacking campaign that has breached several federal agencies. It confirms that the intruders used SolarWinds product vulnerabilities for initial access and then forged authentication tokens to spread further. msrc-blog.microsoft.com/2020/12/13/cus…
Worth noting: Trump eliminated the position of White House cyber coordinator in 2018 and fired the CISA director last month.
The rationale for eliminating the cyber coordinator was that the government's cyber work would be coordinated enough without it.

Now we'll see how true that is.
No surprise here, but the NSC has activated PPD-41 (obamawhitehouse.archives.gov/the-press-offi…) and stood up the government's Cyber Response Group to respond to the breaches of various agencies.

They're holding a phone meeting (NSC PCC level) today, a U.S. official tells me.
One problem for the CRG as it tries to get a handle on the situation: The government doesn't even have a full list of which agencies use the SolarWinds products that led to the initial compromise, per person familiar. "FISMA/FITARA require inventories, but it’s an absolute mess."
SolarWinds says in a new SEC filing that it believes 33,000 Orion customers were vulnerable to the malicious software updates, but "the actual number" with infected products is likely "fewer than 18,000."

Note oblique reference to O365 vector...

sec.gov/ix?doc=/Archiv…
At the risk of jinxing everything, this could have been much worse.
As news breaks about DHS falling victim to this hacking campaign, a U.S. official tells me that there's "massive frustration with CISA on a sluggish response to agency breaches."

According to this official, "incident response teams" meant to assist victim agencies "are delayed."
New from a spokesperson for the IT office in Texas, where some state agencies used SolarWinds: "We have informed known users...and provided them with countermeasures."

IT staff are "actively engaged with our federal, state, and industry partners."

Thread by Eric Geller (@ericgeller)