Veterans Affairs officials release briefing on SolarWinds Hack

VA Secretary Robert Wilkie testified during a hearing before a House appropriations subcommittee on March 27, 2019 in Washington, DC.

Photograph: Alex Wong (Getty Images)

Senior officials from the Veterans Affairs Department abruptly canceled a scheduled briefing with Congressional leaders this week on the extent and impact of the SolarWinds cyber attack, a far-reaching intrusion into the networks of several American agencies and powerful corporations, allegedly perpetrated by an elite team of Russian hackers sanctioned by Moscow.

Democratic lawmakers say the VA has so far provided no explanation for its decision not to inform House and Senate oversight leaders whether the attack may have compromised any veteran’s confidential information, prompting at least one U.S. senator to publicly demand answers from the head of the agency. This week, VA officials told reporters that there are currently no signs that hackers have taken advantage of the back door on their network, which was unwittingly installed by about 18,000 SolarWinds customers this year.

In a letter to Veterans Affairs Secretary Robert Wilkie on Wednesday, Senator Richard Blumenthal, a Democrat from Connecticut, said the veterans’ community is “particularly vulnerable” to the consequences of a breach, noting the immense amount of private veterans’ data that the department maintains. It remains unclear what steps, if any, Wilkie has taken to assess the risk to retired members of America’s combat forces, Blumenthal said.

“I am alarmed by the potential threat to the VA and am writing to request urgent information on the impact of this incident and what steps are being taken to ensure the resilience and confidentiality of the VA mission,” wrote Blumenthal. “This hack threatens to exacerbate existing privacy concerns and allow hackers to share and sell veterans’ personal information.”

Veterans are considered to be at high risk of identity theft due to long-term government practices, such as using Social Security numbers as a primary identifier for service members. Veterans also rely heavily on the use of a document known as DD Form 214, which contains confidential information, to demonstrate proof of their service. Blumenthal notes the “necessary trust” in the document – copies of which the VA digitally maintains – as a particular vulnerability.

Wilkie is not required to answer Blumenthal’s questions, which include what precautions, if any, have been taken to segregate veteran health records from other systems and whether the VA has completed a forensic investigation of its cloud resources. The Trump administration has traditionally ignored most inquiries from Democrats, who are in the minority in Congress.

The VA, one of the largest federal SolarWinds customers, could not immediately be reached for comment. A VA spokesperson told CyberScoop on Wednesday that the agency uninstalled SolarWinds’ network monitoring software “out of caution” and that “there are currently no signs of exploitation”.

Removing an infected copy of the SolarWinds platform does not by itself guarantee that the alleged Russian hackers no longer have a foothold on the network.

Other agencies have also been less than forthcoming about the breach, according to CyberScoop. In another letter this week, Senator Bob Menendez, a Democrat from New Jersey, said the US State Department remained “silent about whether its computer, communication and information technology systems were compromised”.

The SolarWinds attack represents one of the most blatant intrusions into US government networks by a state actor since at least the Office of Personnel Management breach of 2015, in which Chinese hackers exfiltrated millions of personnel files and background checks on federal officials. The Departments of State, Commerce, Treasury and Homeland Security, as well as the National Institutes of Health, are among the list of SolarWinds victims.

Experts say the Russian hacking group APT29, also known as Cozy Bear, may have infiltrated Texas-based software company SolarWinds as early as 2019 by inserting malicious code into copies of the Orion Platform, a network management tool used by dozens of federal agencies and by more than three-quarters of the companies on the Fortune 500 list.

Experts usually associate Cozy Bear, which is credited with attacking the Pentagon email system in 2015 and the Democratic National Committee in 2016, with the Russian Foreign Intelligence Service, predecessor of the KGB.

The malware deployed on the Orion platform, known as Teardrop, was highly sophisticated, according to experts; in addition to collecting users’ credentials and monitoring their keystrokes, it allowed Cozy Bear to mask its movements on infected networks, helping its operators impersonate ordinary IT employees.