Despite possibly being compromised to some degree in the SolarWinds Orion hack, the Department of Defense stands a better chance than its civilian partners in recovering from the brazen breach, former officials say.
Public records show SolarWinds as a DOD vendor, and a security researcher told FedScoop that team members of his have “personally used Orion within DOD networks.” Wednesday, DOD denied it was on growing list of victims of the SolarWinds breach, in which suspected Russian hackers planted backdoors into software updates of Orion, a network management product.
Previously, multiple outlets had reported that at least parts of the Pentagon have been compromised in the attack, but Wednesday night DOD issued a statement saying it has “no evidence of compromise of the [Department of Defense Information Network].”
“We continue to assess our DOD Information Networks for indicators of compromise and take targeted actions to protect our systems beyond the defensive measures we employ each day,” Vice Adm. Nancy Norton, director of the Defense Information Systems Agency and commander of Joint Force Headquarters-DODIN. It’s unclear if other parts of DOD’s IT networks were comprised.
So far, it appears hackers could have accessed internal information at the departments of Commerce, Treasury, Homeland Security, State and others — and the company’s footprint is much larger than that. On Wednesday, CyberScoop reported that the White House activated a cyber emergency response team.
Despite the possibility that the Orion vulnerabilities could impact some part of the DOD’s vast networks, former officials expressed confidence in the military’s ability to mitigate widespread exposure. The DODIN, which DOD said was not comprised, is DOD’s classified and unclassified complex federation of thousands of networks, information technology equipment, tools and applications, weapon system technologies and data.
“They have more culture around a unified response,” Ben Johnson, a former NSA cyber official and chief technology officer of Obsidian Security, told FedScoop in an interview.
Former DOD CISO Jack Wilmer told FedScoop that he suspects DOD will have a handle on the order of magnitude of a possible attack “pretty quick,” with a picture of the full scope taking “days to weeks” to locate which networks could have the malicious actors on them.
Bad habits, good protection (this time)
Hackers placed the backdoors in the “trusted” code of the Orion IT management platform, and every time the company pushed an update, the backdoors went with it to potentially thousands of customers. While it is a common security practice to keep software up to date, not doing so, in this case, may have coincidentally helped protect DOD’s networks.
“A lot of times DOD doesn’t allow for automatic updates” on some of its networks, especially critical command and control systems, Wilmer said.
John Hammond, a senior researcher at Huntress Labs with personal knowledge of Orion’s use in the DOD, is unsure if the department’s version of the IT platform had the update containing malicious code hackers could use to access DOD information.
“Anyone properly updating would have received this compromised version of Orion, so there is a strong likelihood that the compromised version may very well be present,” he wrote in an email. “It is a possibility… but this story is still developing.”
Another former DOD official, who requested anonymity, told FedScoop the products were not popular in DOD agencies — but even some uses of the platform would have left the military’s networks vulnerable due to the access Orion had to network entry points.
DOD has issued directives “to protect DoD networks and IT systems.”
Even if a DOD agency doesn’t have compromised tech in its network, Johnson said that every leader needs to treat responding to this breach as a top priority. Doing a full sweep of network access points, activity and cleaning out the entire environment should now be the full-time job of every security professional in DOD, Johnson said.
“Even if there turns out to be no fire, I would say [treat] this is a five-alarm fire,” he said.
If intruders had access to networks for months, that would have given adversaries time to potentially create fake accounts and burrow into other access points, Johnson added. That is one of the reasons he urges DOD to expand “defense in depth” measures that give all users, no matter their credentials, limited access to a network. It is similar to the zero-trust model where users need to be credentialed at every step of the way, not just at a network entry point.
Even with DOD’s relative assets, assessing the full scope of damage and then mitigating all the risks will take time, Johnson and others said.
“We are not talking two weeks here, we are talking months,” he said.