Unclassified Treasury Systems Hit By SolarWinds Hack: Mnuchin

The SolarWinds hackers only gained access to the U.S. Treasury Department’s unclassified systems and were unable to displace “large amounts of information,” said Secretary of the Treasury Steve Mnuchin.

“At this point, we do not see any break-in into our classified systems,” Mnuchin said on CNBC Monday morning. “Our unclassified systems did have some access. I will say the good is there’s been no damage, nor have we seen any large amounts of information displaced.”

The Treasury Department is working with the National Security Council (NSC) and the intelligence agencies and is “completely on top on this,” according to Mnuchin. Mnuchin said the Treasury breach was the result of “some third party software,” which others in the federal government and private sector have identified as being the SolarWinds Orion network monitoring platform.

[Related: Cisco Hacked Through SolarWinds As Tech Casualties Mount]

The Washington Post first reported Dec. 13 that the U.S. Treasury and the U.S. Commerce Departments were breached through SolarWinds as part of a campaign orchestrated by the Russian foreign intelligence service, also known as APT29 or Cozy Bear. Since then, Reuters has reported that the U.S. Departments of Defense, State, Energy and Homeland Security were also breached.

Secretary of State Mike Pompeo Friday became the first Trump administration official to blame Russia for injecting malicious code into updates of the SolarWinds Orion, telling conservative talk radio host Mark Levin that “we can say pretty clearly that it was the Russians that engaged in this activity.”

A day later, President Donald Trump contradicted his top diplomat, tweeting out, “Russia, Russia, Russia is the priority chant when anything happens because Lamestream [Media] is, for mostly financial reasons, petrified of discussing the possibility that it may be China (it may!).”

No cybersecurity vendors have formally attributed the months-long campaign to Russia yet, though Microsoft President Brad Smith noted Thursday that the malicious SolarWinds Orion updates reached organizations in “many major national capitals outside Russia.” Outside of Trump, no administration officials, news organizations or cybersecurity vendors have said that China could be behind the effort.

FireEye put the Russia hacking campaign in the public consciousness Dec. 8 when the company disclosed that it was breached in an attack designed to gain information on some of the threat intelligence vendor’s government customers. The attacker was able to access some of FireEye’s internal systems but apparently didn’t exfiltrate data from the company’s primary systems that store customer information.

Then on Thursday, Reuters reported that Microsoft was compromised via SolarWinds, with suspected Russian hackers using Microsoft’s own products to further the attacks on other victims. Microsoft told CRN Thursday that Reuters’ sources are “misinformed or misinterpreting their information,“ but acknowledged the software giant had ”detected malicious SolarWinds binaries” in its environment.

On Friday afternoon, KrebsOnSecurity reported that a VMware vulnerability allowing federated authentication abuse and access to protected data was used by the SolarWinds hackers to attack high-value targets. VMware told CRN Friday that it had received no notification or indication that this vulnerability “was used in conjunction with the SolarWinds supply chain compromise.”

A couple of hours later, Bloomberg reported that internal machines used by Cisco researchers were targeted via SolarWinds, with roughly two dozen computers in a Cisco lab compromised through malicious Orion updates. The San Jose, Calif.-based networking giant told CRN its security team moved quickly to address the issue, and that there isn’t currently any known impact to Cisco offers or products.