- The U.S. Department of Energy has confirmed that its computer systems were compromised as part of the devastating SolarWinds hack, though the agency said that so far the malware has not impacted "mission essential national security functions."
- Fallout from the massive security breach continues, and experts say energy companies are scrambling to assess their networks. It is widely believed Russian hackers associated with that nation's intelligence service are behind the operation, which targeted multiple U.S. government agencies.
- Security experts say the hack is unprecedented for its scale and sophistication. The operation was "a success for Russia, strategically, and calls into question the security of the United States and our industrial grid," said Matthew Schmidt, an associate professor of national security and political science at the University of New Haven.
Fallout from the SolarWinds hack continues to grow, and experts say it is still impossible to know the full extent of the damage.
On Thursday, the Cybersecurity and Infrastructure Security Agency (CISA) said the hacking "poses a grave risk" to the federal government along with state and local governments and critical infrastructure.
"This is a patient, well-resourced, and focused adversary that has sustained long duration activity on victim networks," CISA said in an alert. Systems at the departments of Treasury, Commerce and Homeland Security were initially identified as compromised, and the list has continued to grow.
DOE on Thursday acknowledged its own systems had been targeted. In a statement, the energy agency said it was "responding to a cyber incident" related to the SolarWinds hack, but "at this point, the investigation has found that the malware has been isolated to business networks only, and has not impacted the mission essential national security functions of the Department, including the National Nuclear Security Administration."
DOE spokesperson Shaylyn Hynes said in a statement that when the agency identified vulnerable software "immediate action was taken to mitigate the risk, and all software identified as being vulnerable to this attack was disconnected from the DOE network."
The North American Electric Reliability Corp. issued a statement, saying its Electricity Information Sharing and Analysis Center is "actively engaged" with industry and government partners and is disseminating information and mitigation steps to members "as soon as available through its secure portal."
A program offered by SolarWinds called Orion is used by thousands of companies and organizations to monitor computer networks. Hackers inserted malware into Orion updates provided by SolarWinds, allowing unprecedented access to compromised systems.
Hackers were then able to spend months accessing secure networks and may have installed additional backdoors and malware that will be very difficult to root out, said Schmidt. "This hack was so good that we can't assume we found everything," he said. "It's going to absorb a lot of IT resources to find out what's there or not there."
"Energy companies don't know yet if they have the malware in their systems," said Schmidt. Hackers could have used their access to also compromise industrial control systems, he said.
Security firm Dragos said it is aware of industrial entities that have been compromised by the hack, and advised asset owners and operators to first assess their exposure in operational technology (OT) environments.
"Supply chain compromises, like SolarWinds, provide illicit and malicious access to OT environments facilitating possible disruption," Dragos Vice President of Threat Intelligence Sergio Caltagirone said in a statement.
Hackers are increasingly targeting operational environments and control systems with malware and ransomware. Also on Thursday, DOE announced that Secretary of Energy Dan Brouillette had issued a "prohibition order" that aimed to mitigate risk associated with grid equipment sourced from China.
The order prohibits utilities that supply critical defense facilities from procuring some types of bulk power system equipment from China because it "poses an undue risk" to the grid and national security. The prohibition builds on an executive order issued in May by President Donald Trump, blocking the installation of some equipment sourced from adversaries of the United States.
“It is imperative we secure the BPS against attacks and exploitation by foreign adversaries," Brouillette said in a statement. "This order is one of several steps this Administration is taking to greatly diminish the ability of our foreign adversaries to target our critical electric infrastructure."