Former DHS Leader Shares Details on SolarWinds AttackChad Wolf Confirms Attackers Gained Access to His Unclassified Email Accounts
Chad Wolf, the former acting secretary for the Department of Homeland Security, has confirmed the accuracy of an earlier news report saying that the SolarWinds supply chain attackers gained access to his unclassified DHS email accounts, which included calendar details.
See Also: Threat Briefing: Ransomware
Speaking Monday at a Heritage Foundation virtual event, Wolf said that when he was told about the SolarWinds breach by DHS and the Cybersecurity and Infrastructure Security Agency, he began to realize the scale of what had happened and the breadth of the attack.
"They told me, 'Look at your accounts.' We looked at one email account - I had a couple at the time - that could be hacked, but what [the attackers] could tell is that I was running late for an event," said Wolf, who was acting secretary during the last few months of the Trump administration. "I was most concerned about that if they [the attackers] have the ability to do that, what else do they have the ability to do? Or what else do we know? Do we not have insight into what they were doing? Just the fact that they're able to do that was my primary concern."
Wolf stressed that the SolarWinds attackers only had access to unclassified DHS systems, including those that the acting secretary used for event scheduling and other tasks.
"So that is concerning, but obviously it is much more concerning if they somehow, some way accessed classified accounts since the vast majority of the department's most critical work - whether it's at CISA or whether it's at headquarters or somewhere else - happens there," Wolf said.
A Broad Attack
The Department of Homeland Security was one of nine federal agencies that, along with 100 companies, were targeted in follow-on attacks after the SolarWinds supply chain incident, in which a Trojan was added to an update of the company's Orion network monitoring platform (see: The Case for 'Zero Trust' Approach After SolarWinds Attack).
Following the March news report that Wolf's accounts had been targeted, Sen. Garry Peters, D-Mich., chairman of the U.S. Senate Homeland Security and Governmental Affairs Committee, and Sen. Rob Portman, R-Ohio, the ranking member of the committee, wrote to DHS and CISA asking for more details about the scope of the attack and a list of all networks and systems that might have been affected during the incident (see: Why Didn't Government Detect SolarWinds Attack?).
The two senators also asked why CISA's Einstein intrusion detection system failed to detect the SolarWinds supply chain breach before the security firm FireEye discovered it in December 2020.
Although Wolf, in his Monday presentation, did not offer many details about the SolarWinds attack, he noted that CISA and DHS soon realized the enormous scale of the incident.
"This was a scale of around a nine out of a 10 on how bad it is or could be," he said.
About a week after the initial reports about the SolarWinds supply chain attack surfaced, DHS determined that it, too, had been targeted, Wolf said. He did not, however, specify exactly when CISA and DHS discovered that his unclassified emails had been compromised.
Although unclassified department emails might not contain strategic information, they contain a wealth of information about what is happening daily at DHS, says Mike Hamilton, a former vice chair of the Department of Homeland Security's State, Local, Tribal, and Territorial Government Coordinating Council.
"There are details about how funding will be apportioned to high-risk state and local governments; the potential identification of activities that have been remanded to other agency jurisdictions, such as the National Security Administration and FBI; and ongoing initiatives such as the ultimate fate of the Einstein program may all have been disclosed," says Hamilton, who now serves as CISO of CI Security. "Actors that may have obtained this information can certainly make use of it in strategic planning and development of evasion techniques."
Federal investigators have said that a Russia-linked organization conducting cyberespionage was likely behind the SolarWinds campaign. Dmitri Alperovitch, the former CTO of security firm CrowdStrike, says the incident shows how Russian cyber techniques and tactics are evolving (see: SolarWinds Attack Illustrates Evolving Russian Cyber Tactics).
The Biden administration is expected to soon announce executive orders and sanctions designed to target those responsible for the SolarWinds supply chain attack. On Monday, the White House announced its nominee for national cyber director, John "Chris" Inglis, and leader of CISA, Jen Easterly (see: NSA Veterans Nominated for Top Cyber Posts).