Attacks and Vulnerabilities
Critical infrastructure
News

GAO scrutinizes federal responses to SolarWinds, Microsoft Exchange cybersecurity incidents

January 18, 2022
GAO scrutinizes federal responses to SolarWinds, Microsoft Exchange cybersecurity incidents

The U.S. Government Accountability Office (GAO) released a report that studied federal responses to the SolarWinds network management software and the exploitation by likely Chinese government affiliates of a vulnerability in the Microsoft Exchange Server. The report said that the federal agencies worked with each other and the industry after these incidents, while the agencies also received emergency directives on how to respond.

GAO performed its work under the authority of the Comptroller General to conduct an examination of these cybersecurity incidents in light of widespread congressional interest in the area. Specifically, GAO’s objectives were to summarize the SolarWinds and Microsoft Exchange cybersecurity incidents, determine the steps federal agencies have taken to coordinate and respond to the incidents, and identify lessons federal agencies have learned from the incidents, according to the report.

Recent incidents have highlighted the significant cyber threats facing the nation and the range of consequences that these attacks pose. The SolarWinds incident resulted in one of the most widespread and sophisticated hacking campaigns ever conducted against the federal government and private sector, GAO said in its report. As SolarWinds was widely used by the federal government to monitor network activity and manage network devices on federal systems, this incident allowed the hacker to breach and infect several federal agencies’ information systems, it added. 

Nine federal agencies were compromised by this attack, GAO said in its report, citing an official from the National Security Council (NSC). SolarWinds estimated that nearly 18,000 of its worldwide customers could have received a compromised software update. However, SolarWinds further estimated that fewer than 100 customers were actually compromised by the hacker. The smaller subset of impacted customers was comprised of high intelligence value customers, including several federal government agencies, exploited for the primary purpose of espionage, it added. 

“Even though CISA’s efforts to work with agencies have provided a degree of confidence that the threat actor is no longer present, the threat actor may have established undiscovered persistent access within affected agencies and private companies’ networks,” GAO said in its report.  Compromised agencies will risk further loss of sensitive data and the erosion of public trust in their networks. In addition, despite the primary purpose of the attack on the federal government being espionage, with the access gained, the hacker had the ability to carry out far more destructive operations, it added.

Another incident that GAO studied was the zero-day Microsoft Exchange Server vulnerabilities that had the potential to affect email servers across the federal government and provide malicious threat hackers with unauthorized remote access.

A joint cybersecurity advisory was released by CISA and FBI in March last year, which assessed that adversaries could exploit these vulnerabilities to compromise networks, steal information, encrypt data for ransom, or even execute a destructive attack. “The CSA places the malicious cyber actor activity observed in the current Microsoft Exchange Server compromise into the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework,” it added.

“The potential exploitation from both incidents posed an unacceptable risk to federal civilian executive branch agencies because of the likelihood of vulnerabilities being exploited and the prevalence of affected software,” GAO said in its report, citing CISA.

U.S. federal agencies took several steps to coordinate and respond to the SolarWinds and Microsoft Exchange incidents including forming two cyber unified coordination groups (UCG), one for the SolarWinds incident and one for the Microsoft Exchange incident, GAO said. 

Both the UCGs consisted of the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Office of the Director of National Intelligence (ODNI), with support from the National Security Agency (NSA). According to UCG agencies, the Microsoft Exchange UCG also integrated several private sector partners in a more robust manner than their involvement in past UCGs. 

In addition to the actions taken by the UCGs, U.S. President Joe Biden issued last May Executive Order 14028 that was prompted, in part, by the compromise of the SolarWinds software supply chain. “The executive order identifies a broad range of cybersecurity areas in need of improvement across the federal government and addresses, among other things, short and mid-term challenges highlighted by the incident,” GAO said in its report.

The U.S. agencies also identified multiple lessons from these incidents. For instance,  coordinating with the private sector led to greater efficiencies in agency incident response efforts, the GAO report said. It offered a centralized forum for interagency and private sector discussions that led to improved coordination among agencies and with the private sector and highlighted that the sharing of information among agencies was often slow, difficult, and time-consuming. It also limited the ability to collect evidence due to varying levels of data preservation at agencies.

“Effective implementation of a recent executive order could assist with efforts aimed at improving information sharing and evidence collection, among others,” GAO pointed out.

GAO finally pointed out in its report that it has since 2010 made over 3,700 recommendations to agencies aimed at addressing cybersecurity challenges facing the government. “While agencies have implemented a majority of our recommendations, many face challenges in safeguarding their information systems and information, in part, because many of these recommendations have not been fully implemented,” it pointed out.

As of November last year, about 900 of those recommendations had not yet been fully implemented. GAO will “continue to monitor federal agencies’ progress in fully implementing these recommendations, including those related to software supply chain management and cyber incident management and response. Five of six agencies provided technical comments, which we incorporated as appropriate,” the agency added.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
ASIS Foundation reports on impact of autonomous vehicles on security and technology
ASIS Foundation reports on impact of autonomous vehicles on security and technology
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
RMC
Risk Mitigation Consulting acquires Securicon, boosting cybersecurity and mission assurance offerings
Hackers target Tipton Municipal Utilities wastewater treatment plant, prompting federal investigation
Hackers target Tipton Municipal Utilities wastewater treatment plant, prompting federal investigation
New CGCYBER report warns of cybersecurity risks in marine environment due to network-connected OT systems
New CGCYBER report warns of cybersecurity risks in marine environment due to network-connected OT systems
Ukrainian CERT details malicious plan by Sandworm group to disrupt critical infrastructure facilities
Ukrainian CERT details malicious plan by Sandworm group to disrupt critical infrastructure facilities
DC3, DCSA collaborate to launch vulnerability disclosure program for defense industrial base
DC3, DCSA collaborate to launch vulnerability disclosure program for defense industrial base
Waterfall’s WF-600 unidirectional security gateway brings 'unbreachable protection' to OT/ICS networks
Waterfall, 2TS enter into cybersecurity alliance for African market