SolarWinds hack is worse than feared. CISA says the threat “poses a grave risk to the federal government”
As U.S. federal agencies learn more about the SolarWinds hack, it is becoming apparent that the scale of the cyberattack on U.S. government networks is much bigger than first anticipated.
In a summary report released on Thursday, the Cybersecurity and Infrastructure Security Agency (CISA) said that the threat “poses a grave risk to the federal government.” CISA added that “state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations” are also at risk.
According to a report from CISA, which is also corroborated by the filings SolarWinds submitted to the SEC, the cyberattack on SolarWinds began at least as early as March. SolarWinds said it has evidence that the vulnerability was inserted within the Orion products and existed in updates released between March and June 2020 (the “Relevant Period”), that it was introduced as a result of a compromise of the Orion software build system, and that it was not present in the source code repository of the Orion products.
Since the cyberattack was first reported, multiple government agencies have reportedly been targeted by the hackers, with confirmation from the Energy and Commerce departments so far. CISA said the “advanced persistent threat actor” used SolarWinds' network management software, Orion, to breach the government networks.
“This threat actor has demonstrated sophistication and complex tradecraft in these intrusions,” CISA said. “Removing the threat actor from compromised environments will be highly complex and challenging.”
“The magnitude of this ongoing attack is hard to overstate,” former Trump Homeland Security Advisor Thomas Bossert said in a piece for The New York Times on Thursday. “The Russians have had access to a considerable number of important and sensitive networks for six to nine months.”
So far, about 18,000 SolarWinds customers have been compromised after downloading a software update that contained a backdoor, which the hackers used to gain access to the networks. On Thursday, Microsoft confirmed it was also a victim of attacks resulting from vulnerabilities tied to software from SolarWinds.
At this point, no one knows for sure if this is just the beginning of a global-scale cyberattack on the United States by state-sponsored actors. Reuters, citing people familiar with the matter, reported that Microsoft products were leveraged to attack victims. One U.S. federal official, speaking on condition of anonymity, also said the hack was severe and extremely damaging. “This is looking like it’s the worst hacking case in the history of America,” the official said. “They got into everything.”
“Even if it is true there have been some attacks over many months and the Americans managed to do nothing about them, possibly it is wrong to groundlessly blame Russians right away,” he told Tass. “We have nothing to do with this.”