Top Treasury Email Accounts Exposed In SolarWinds Hack: Report

The hackers performed a complex step inside Microsoft Office 365 to create an encrypted “token” that tricked the Treasury’s system into thinking the hackers were legitimate users, The New York Times said.

The SolarWinds hackers seized upon a Microsoft flaw to infiltrate the email system used by the U.S. Treasury Department’s senior leadership, The New York Times reported.

Dozens of Treasury email accounts were compromised, including those in the departmental offices division, where the most senior officials operate, Sen. Ron Wyden, D-Ore., told the Times on Monday. Hackers gained access to the Treasury’s email system in July by manipulating internal software keys, and the breach came to light from Microsoft, which runs much of Treasury’s communications software.

“Treasury still does not know all of the actions taken by hackers, or precisely what information was stolen,” Wyden told The New York Times. “The agency suffered a serious breach, beginning in July, the full depth of which isn’t known.”

[Related: Unclassified Treasury Systems Hit By SolarWinds Hack: Mnuchin]

Once the suspected Russian hackers used a malicious update to SolarWinds’ Orion network monitoring platform to get inside Treasury’s systems, they performed a complex step inside Microsoft’s Office 365 system to create an encrypted “token” that identifies a computer to the larger network, Wyden told The Times.

That tricked the system into thinking the hackers were legitimate users, meaning the hackers were able to sign on without having to guess user names and passwords. Microsoft said last week that it fixed the flaw the Russians were exploiting, but that didn’t address whether the hackers had used their access to bore through other channels into either the Treasury Department or other systems, the Times reported.

The Treasury Department nor Sen. Wyden’s office immediately responded to requests for comment from CRN. Microsoft declined to comment.

Wyden’s sounding of the alarm flies in the face of Treasury Secretary Steven Mnuchin, who downplayed the attack’s impact during an appearance on CNBC Monday morning. Mnuchin told the CNBC hosts that the Treasury Department is “completely on top on this” and that the hackers were unable to displace “large amounts of information.”

“At this point, we do not see any break-in into our classified systems,” Mnuchin said Monday. “Our unclassified systems did have some access. I will say the good is there’s been no damage, nor have we seen any large amounts of information displaced.”

Office 365 has been a key escalation vector for the hackers, who Reuters said for months monitored staff emails sent via Office 365 at the Commerce Department’s National Telecommunications and Information Administration (NTIA) after breaking into the NTIA’s office software. On Dec. 14, SolarWinds said it learned of an attack vector that was used to compromise the company’s Office 365 emails.

The hackers were able to forge a token which claims to represent a highly privileged account in Azure Active Directory (AD), the Microsoft Security Research Center wrote in a blog Dec. 13. The hackers heavily leveraged compromised or spoofed tokens in accounts for lateral movement, which often tricks commonly used detection techniques, the Cybersecurity and Infrastructure Security Agency (CISA) said.

Then on Thursday, CISA said it had observed the hackers adding authentication tokens and credentials to highly privileged Microsoft Active Directory domain accounts as a persistence and escalation mechanism. In many instances, CISA said the tokens enable access to both on-premise and hosted resources.

One of the principal ways the hacker is collecting victim information is by compromising the Security Assertion Markup Language (SAML) signing certificate using their escalated Active Directory privileges, CISA said. Hosted email services, hosted business intelligence applications, travel systems, timecard systems, and file storage services (such as SharePoint) commonly use SAML, according to CISA.

Additionally, Microsoft said Sunday the hackers were observed adding new federation trusts to an existing tenant or modifying the properties of an existing federation trust to accept tokens signed with hacker-owned certificates.

“These observed techniques indicate an adversary who is skilled, stealthy with operational security, and is willing to expend significant resources to maintain covert presence,” CISA wrote Thursday.