Day Nine of the SolarWinds Crisis: Treasury Department Breach Confirmed

A slew of high-tech firms infected by malware, Former SolarWinds adviser claims he warned of security problems, Microsoft publishes critical guidance

Dec 22, 2020

(As we reach the end of our open access to Metacurity’s daily emails and our special reports, we urge you to consider signing up now for a premium subscription. Or better yet, email us at info@metacurity.com and let us know your organization is interested in a special bulk license. Just don’t miss out on our unique content and upcoming premium offerings. Thank you for reading Metacurity.)

Dozens of email accounts at the U.S. Treasury Department were breached as part of the SolarWinds hack, Senator Ron Wyden (D-OR) said, and Treasury Secretary Steven Mnuchin confirmed, saying the hackers penetrated only the unclassified network.

Microsoft and not the U.S. intelligence agencies informed the Treasury Department of the email breach. (Raphael Satter / Reuters)

Kim Zetter @KimZetter

Per briefing today on SolarWinds hack, @RonWyden says IRS was not compromised or taxpayer data affected. However, hack of Treasury Department "appears to be significant." Treasury breach began in July, "the full depth of which isn’t known."

The reach of infected victims of the SolarWinds hack extends to at least two dozen organizations, including top technology giants Cisco Systems, Intel, Nvidia, Deloitte LLP, VMware, and Belkin.

The hackers were also able to install surveillance backdoors into the California Department of State Hospitals and Kent State University systems. (Kevin Poulsen, Robert McMillan, Dustin Volz / Wall Street Journal)

Ian Thornton-Trump, a former security adviser to SolarWinds, says he warned the company in 2017 that its survival depended on “an internal commitment to security.”

He terminated his contract with the company shortly after informing of this matter because he believed it wasn’t making changes that would have a “meaningful impact.” (Ryan Gallagher / Bloomberg)

Microsoft published two important blog posts related to the SolarWinds hack. The first offers guidance on the techniques to consider when helping an organization respond to suspected identity compromise.

The second focuses on understanding and detecting the kinds of identity compromises used in attacks on several organizations.

SwiftOnSecurity @SwiftOnSecurity

MORE - NEW: Microsoft posts more on stolen SAML certificate token signing and detection

Understanding “Solorigate”’s Identity IOCs - for Identity Vendors and their customers.Microsoft recently disclosed a set of complex techniques used by an advanced actor to execute attacks against several key customers. While we detected anomalies by analyzing requests from customer environments to the Microsoft 365 cloud, the attacks generalize to any Identity Provider or Service pro…aka.ms

Catalin Cimpanu @campuscodi

Microsoft has published two important blog posts today. The first is a guide "on techniques to consider when helping an organization respond to a suspected systemic identity compromise, like we’re seeing in some victims of the Solorigate malware" microsoft.com/security/blog/…