A major computer hack that was originally estimated to have affected 18,000 businesses, including federal agencies, and that is now being blamed squarely on actors of Russian origin, so far appears to have resulted in minimal follow-on activity, according to federal intelligence agencies.
In a release, the Cyber Unified Coordination Group (UCG) – a group formed by elements of the federal intelligence community to investigate and remediate the massive SolarWinds/Orion computer network hack that occurred last month – said that, of the approximately 18,000 public and private sector customers affected by the hack of SolarWinds’ Orion product, a much smaller number had been compromised by follow-on activity on their systems.
“We have so far identified fewer than 10 U.S. government agencies that fall into this category, and are working to identify and notify the nongovernment entities who also may be impacted,” the release stated.
The Jan. 5 release said that the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI), with support from the National Security Agency (NSA), had “stood up” the UCG task force. The agencies said UCG is still working to understand the scope of the incident but has the following updates on its investigative and mitigation efforts.
“This work indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks,” the release stated. “At this time, we believe this was, and continues to be, an intelligence gathering effort. We are taking all necessary steps to understand the full scope of this campaign and respond accordingly.”
LINKS:
CISA resource page for SolarWinds/Orion supply chain compromise
(Dec. 23, 2020) All three federal banking agencies late last week jointly released a proposal requiring banks and banking organizations they supervise to promptly notify their primary federal regulator in the event of a computer security incident.
The joint release follows the individual adoption of the proposal by each agency (such as by the FDIC Board) earlier in the week.
Under the proposal, notification (or alerts) would be required for incidents that could result in a banking organization’s inability to deliver services to a material portion of its customer base, jeopardize the viability of key operations of a banking organization, or impact the stability of the financial sector.
The agencies said the proposed rule is intended to provide the agencies with an early warning of significant computer security incidents and would require notification as soon as possible and no later than 36 hours after a banking organization determines that an incident has occurred.
NCUA did not join in the proposal.
In addition, the agencies said, the proposal would require service providers to notify affected banking organizations immediately when the service provider experiences computer security incidents that materially disrupt, degrade, or impair certain services they provide.
LINK:
Joint Release/Agencies Propose Requirement for Computer Security Incident Notification
(Dec. 18, 2020) A new proposal that would require financial institutions to provide “prompt notification” to their federal regulators upon occurrence of a security incident may be coming to an NCUA Board meeting in the not-so-distant future.
This week, federal banking regulators released a joint proposal (with a 90-day comment period) requiring banks to provide the notification no later than 36 hours after the banking organization believes in good faith that an incident occurred. The notification requirement, the proposal states, is intended to serve as an early alert to a banking organization’s primary federal regulator “and is not intended to provide an assessment of the incident.”
NCUA was not included in the joint release. However, given the scope of the proposal (and the recent highly publicized SolarWinds hack) it’s possible the credit union regulator may soon issue its own version for entities under its supervision.
However, the bank regulators’ proposal does something NCUA cannot now do: require a bank service provider to notify at least two individuals at affected banking organization customers immediately after the bank service provider experiences a computer-security incident that it believes in good faith could disrupt, degrade, or impair services provided for four or more hours.
Also this week, the FDIC for the first time included consideration of competition presented by credit unions when less-than-well-capitalized banks are facing interest rate restrictions by the regulator. Under the new rule adopted by the agency’s board, interest rates offered by credit unions in a market area could be cited by a bank as a way of mitigating the level of restrictions.
(Dec. 18, 2020) NASCUS is in touch with federal authorities about the recent – and some say catastrophic – hack of IT systems, revealed over last weekend, carried out by a nation-state hacker group through products offered by IT software provider SolarWinds.
The hack, according to documents filed by SolarWinds early this week with the Securities and Exchange Commission (SEC), appears to have affected about 18,000 of the firm’s 300,000 customers. The hackers reportedly inserted malware into updates for Orion, a software application by SolarWinds for IT inventory management and monitoring. The versions affected were 2019.4 through 2020.2.1, released between March 2020 and June 2020. According to reports, the malware allowed attackers to deploy additional and highly stealthy malware on the networks of SolarWinds customers. SolarWinds has not yet said how hackers breached its own network.
However, as indicated by the relatively narrow scope of those affected by the hack, the attack was targeted to specific groups using the software, including the Treasury Department, and the Department of Commerce’s National Telecommunications and Information Administration (NTIA).
Other federal government customers known to be using the software (but which may or may not be affected by the hack) include the Cybersecurity and Infrastructure Security Agency (CISA), U.S. Cyber Command, the Departments of Defense, Homeland Security, Energy and Veterans Affairs, the FBI, and others. Customers in other countries may also have been affected, including governments.
NASCUS is participating in a number of conversations among federal regulators regarding the hack, most of which are confidential, and monitoring developments. However, during the conversations, groups such as NASCUS have been urged to encourage their members to review the CISA emergency directive on the compromise and plug into the agency for updates as they become available.
LINK:
CISA emergency directive on SolarWinds/Orion management products