Paul Cunningham, chief information security officer of VA, said there was no evidence of compromise across its wide-ranging and complex networks. He told lawmakers this finding was reaffirmed in separate investigations by the Cybersecurity and Infrastructure Security Agency and the intelligence community.
Within 12 hours of CISA’s emergency directive to agencies to suspend the use of SolarWinds’ Orion platform, the VA was able to remove the software from its environment, according to Cunningham. It then searched for indicators of compromise across its networks but found none.
“We installed all the indicators of compromise, we replayed our NetFlow data looking for any other indicators that show this might have happened in the past, to identify that maybe an attacker used those indicators before who received them,” he said during a House Veterans Affairs Subcommittee on Technology Modernization hearing. “There was no evidence of that.”
CISA, the federal government’s lead cybersecurity agency housed within the Department of Homeland Security, then took a look at the VA’s systems “and found nothing,” Cunningham said. The VA also invited the intelligence community to assess the situation.
“[T]hey would come back to us if they saw anything — that’s how they put it. And they didn’t come back.”
On top of this, the VA contracted with Microsoft to once again look for any indicators of compromise. Cunningham said the company also found nothing.
“They agreed that there was no indicators that would show…first of all, that the malware was activated, or that it was used in a way to move data and nefarious way,” Cunningham added.
The biggest impact to VA, according to the official, was that in taking the SolarWinds software offline, there was a loss in the “operational monitoring” the Orion platform provides.
As the VA chose to be “slow and methodical” about investigating the possibility of compromise, it was without that capability for some time before bringing it back online in coordination with CISA guidance.
The story wasn’t the same for at least nine U.S. government agencies and 100 companies who fell victim to the Russian hackers who exploited SolarWinds’ software to access their systems and data.