Senate hearing raises questions about SolarWinds backdoors

U.S. Department of Commerce CISO Ryan Higgins said in a Senate committee hearing Tuesday that his department was one of the first agencies to detect the systemic compromise.

The U.S. Department of Commerce's CISO said during a Senate committee hearing Tuesday that his agency was one of the first to identify a SolarWinds-related compromise, raising questions about when the U.S. government initially detected the supply chain attacks.

The hearing, titled "Prevention, Response, and Recovery: Improving Federal Cybersecurity Post-SolarWinds," was held by the U.S. Senate Committee on Homeland Security & Governmental Affairs.

Members of the committee, including Senators Gary Peters (D-Mich.), Ron Johnson (R-Wis.) and Rob Portman (R-Ohio), spoke with Higgins, acting Cybersecurity and Infrastructure Security Agency (CISA) director Brandon Wales and U.S. Department of Health & Human Services CISO Janet Vogel. They testified about various security topics, including the government's response to the SolarWinds supply-chain attacks as well as the Colonial Pipeline ransomware attack.

Higgins said during his prepared testimony that the National Telecommunications and Information Administration (NTIA), a Commerce Department agency, "identified indications of a potential systemic compromise related to this campaign" before engaging with the Commerce Department's Office of the Chief Information Officer to begin incident response.

"As a result of this engagement, the department was one of the first federal agencies to identify potential systemic compromise in response to SolarWinds, determined that this was a major incident, and immediately initiated coordination with CISA to assist," Higgins said.

Higgins did not say when the NTIA first identified signs of the systemic compromise, or explain why his agency was one of the first to catch on to the extensive supply chain attacks.

U.S. Department of Commerce CISO Ryan Higgins testifies about the SolarWinds supply-chain attack during a U.S. Senate Committee on Homeland Security & Governmental Affairs hearing.

But Higgins' testimony recalled a report published by infosec journalist Brian Krebs last month. The article found that while a seemingly newly-discovered backdoor used by SolarWinds attackers became public knowledge in March, a VirusTotal account apparently associated with the NTIA uploaded the first known sample of the malware backdoor last August, months before the SolarWinds breach and supply chain attacks came to light.

The backdoor malware has been referred to as GoldMax by Microsoft and Sunshuttle by FireEye, and was utilized by the same threat group responsible for the still-developing SolarWinds supply-chain attack disclosed in December. In Microsoft's post revealing GoldMax on March 4, it also gave a name to the SolarWinds threat actors: Nobelium.

SearchSecurity contacted the Commerce Department for clarification on the NTIA's initial detection of the compromise, and for comment on Krebs' report. The agency did not respond.

In his prepared testimony, Higgins said "based on what the department knew concerning the potential systemic compromise, an initial review showed that it met the definition of a major cybersecurity incident." In accordance with FISMA, the Commerce Department reported it to the White House's Office of Management and Budget, Congress, the FBI, CISA and the Office of the Director of National Intelligence.

During the hearing, Wales told the committee that the federal government first became aware of the supply chain threat in early December. He later noted that FireEye, which discovered the SolarWinds attacks, informed CISA prior to Dec. 8, 2020, when the vendor disclosed it had been breached by nation-state threat actors. The official timeline of events suggests that if NTIA personnel did discover the GoldMax backdoor last summer, they did not identify it as an indicator of systemic compromise and did not inform CISA.

Six months after the SolarWinds supply-chain attacks were revealed, new information about the nature of the attacks -- and attackers -- is still coming to light. In mid-April, President Joe Biden signed an executive order formally blaming Russia and imposing sanctions against several organizations and individuals in the country. Russia is one of the "big four" nation-states considered a primary adversary to the U.S., and is known for having highly sophisticated cyberoperations.

Alexander Culafi is a writer, journalist and podcaster based in Boston.
