The SolarWinds attack in 2020 was a humiliating all-out assault on U.S. government cybersecurity, and it’s likely that one key reason it’s not more famous is that we still know very little about what the hackers achieved. But we now have a few more crumbs to work with, because new revelations from Bloomberg have revealed that the hackers were in Treasury Department email accounts, essentially doing whatever they wanted.
Bloomberg’s reporting comes from a Freedom of Information Act lawsuit, which resulted in the release of a redacted investigation report from the Treasury’s inspector general.
To refresh your memory, SolarWinds is a Texas-based information management company that is both a little-known part of the software supply chain, but it’s also ubiquitous and essential. In early 2020 SolarWinds was targeted by an elite, possibly Russia-affiliated entity, and infiltrated through a combination of social engineering and hacking—essentially turning a key piece of its software called Orion Platform into a malware dispenser, spreading its spying tools all over systems belonging to SolarWinds’ clients. That client list included sensitive organizations at the very highest levels like the White House and the NSA, exposing the hackers to communications networks that process classified information.
The key piece of shocking information reported shortly after the hack was discovered was the duration of the exposure: about nine months—most of 2020. We now know a little bit about four of those nine months.
Bloomberg says the infiltration of the Treasury Department’s SolarWinds account occurred on July 6, 2020 when the highest level administrator account for Treasury’s SolarWinds software was compromised. The hackers apparently used that account to change an application hilariously called Secure Mail, which in turn “potentially allowed access to all e-mail addresses ending in ‘treasury.gov’,” per the inspector general’s report.
The infiltration of the treasury email system apparently lasted until October 12, 2020, when Treasury—apparently accidentally—ended the hackers’ party with some kind of system change. The user of the compromised admin account claims in the report not to know which specific emails were targeted, or whether or not anything was actually stolen.
Read the full article here
