Biden Leaving Troops in Afghanistan Past the May Deadline

For many months, the Trump administration was negotiating a peace deal with the Taliban. Frankly, everything the Taliban agreed to, they have violated. Trump also issued a schedule to lower troop levels in Afghanistan to only a small residual number, along with contractors, in May of 2021. With the new possible threat(s) from the Taliban and their growing connection to al Qaeda, Biden has decided to leave troop levels in the region at the present level, with an increase in Syria and possibly Iraq. All the while, Iran just hosted a Taliban leader for talks whose topic(s) are unknown. Further, Taliban officials have been meeting in Moscow with Russian officials. Those details are found here. 

President Biden also has another immediate issue before him, and that is the release of a U.S. contractor who went missing in Afghanistan about a year ago. Mark Frerichs, a Navy veteran, went missing while he was working as a contractor on an engineering project. It is thought he is in the custody of the Haqqani network. The U.S. State Department is offering a $5 million reward for information that leads to Frerichs’ return. 

So, it is rather fitting that just this week, documents from a very old FOIA request for former Defense Secretary Donald Rumsfeld’s memos have been released. Frankly, the questions, which were referred to at the Pentagon as ‘snowflakes’, reflect his frustration with the layers of bureaucracy within the Department of Defense, his anger over getting real answers, and his challenges to the quality of intelligence reports. Sound familiar? It is clearly a problem that after 20+ years has not found a quality solution. Just read a few of his snowflakes and judge for yourself.


35 of the most notable items from the new collection are below, from the National Archives. 

A follow-on DNSA publication covering the rest of Rumsfeld’s tenure as secretary will appear through ProQuest later in 2021.

One such snowflake was written on March 3, 2003. At 8:16 AM, Rumsfeld wrote to Senior Military Assistant LTG Bantz J. Craddock and Department of Defense General Counsel William Haynes with the subject “KSM”. He wanted to know, “Do we know where the information to find Khalid Sheikh Mohammed came from? Was it from GTMO detainees?” There is no response from either Craddock or Haynes in the DOD release to the Archive, though Rumsfeld’s question is likely a push back to the false claims made by CIA Director George Tenet that the Agency’s resort to torture of Abu Zubaydah led to the capture of Khalid Sheikh Mohammed.

The Senate Select Committee on Intelligence torture report would later reveal that key intelligence on KSM as the mastermind of the 9/11 attacks came from the FBI’s non-coercive, rapport-building interrogation of Abu Zubaydah.[1] This success was prior to the CIA’s contract psychologists, James Mitchell and Bruce Jessen, taking over the interrogation at the CIA “Detention Site Green” in Thailand, which was created to house Zubaydah in 2002.  Their approach to Zubaydah would include 83 water board sessions yet fail to produce any valuable intelligence.  CIA clandestine services chief Jose Rodriguez (and perhaps Gina Haspel, who would later become DCI, though CIA redactions of documents continue to obscure her role) ordered the destruction of the torture videotapes, commenting that “the heat from destoying [sic] is nothing compared to what it would be if the tapes ever got into public domain.”

Later on March 3, under the subject “Contingencies”, Rumsfeld wrote to Under Secretary of Defense for Policy Doug Feith, stating, “We need to plan what we will do if Saddam Hussein is captured. We need to plan what we will do if we catch an imposter.” There is no record of Feith’s answer in the DOD release to the Archive.

Throughout Rumsfeld’s tenure, his snowflakes circulated daily through the highest levels of the Pentagon. With scant limitations on their subject matter, the all-encompassing documents are sometimes an hourly paper trail inside the Office of the Secretary of Defense during six years of tremendous consequence for U.S. foreign policy. The declassified documents also provide an account that at times contradicts DOD public statements. For example, The Washington Post published a selection of the memos in the six-part series “The Afghanistan Papers” in September 2019, revealing that officials misled the American public about the war in Afghanistan.

The entire corpus of snowflakes also details many aspects of the day-to-day operations of the Pentagon, the modernization of the U.S. armed forces, and Rumsfeld’s personal agenda against bureaucracy. “Bureaucracy is driving people nuts,” he wrote in an April 8, 2002, memo at 7:41AM. “If we can take two or three layers out of this place, we will be a lot better off.” In a separate April 8 letter, the secretary suggested cutting all major Pentagon programs by at least 20 percent. (The DOD budget increased by 37.54 percent between FY2001 and FY2006.) On March 11, 2002, Rumsfeld wrote to colleagues, “I am getting tired of seeing the word ‘joint’ everywhere.”


Other topics in the collection include:

  • the military budgeting process and efforts to rein in defense spending;
  • military planning, procurement, and expenditures;
  • nuclear issues – weapons, proliferation, safety;
  • decision making on military wages, benefits, tours of duty, and veterans issues;
  • military intelligence;
  • Defense Department relations with the CIA and Homeland Security;
  • Rumsfeld’s relations with the State Department and National Security Council;
  • U.S. relations with NATO;
  • U.S. military relations with Russia, former Soviet republics, and other countries;
  • Rumsfeld’s interactions with the news media, Congress, and the public;
  • Guantanamo detainees, interrogation, and torture;
  • concerns about the International Criminal Court and U.S. liability for war crimes;
  • the hunt for Osama bin Laden and other terrorists;
  • the Joint Strike Fighter program; and
  • the emergency landing of a U.S. EP-3 at Hainan Island in 2001

Donald Rumsfeld’s Snowflakes, Part 1: The Pentagon and U.S. Foreign Policy, 2001-2003 will be a critical research tool for historians and will be available through many college and research libraries. Part II, which covers the last three years of Rumsfeld’s tenure as secretary of defense from 2004 to 2006, will be published in 2021. Learn more about accessing the Digital National Security Archive through your library online and how to request a free trial here.

 

March 11, 2002
April 8, 2002
September 12, 2003
October 23, 2003

A few more:

October 10, 2001
Rumsfeld requests a daily report on the location of Osama bin Laden.

 

November 8, 2001
Rumsfeld inquires: “Why doesn’t Pakistan sever its relationship with [sic] Taliban?”

 

November 29, 2001
Rumsfeld accuses career employees in the OSD of undermining his decisions and working too slowly.

 

January 5, 2002
Rumsfeld complains to George Tenet about the CIA.

 

February 15, 2002
Rumsfeld directs his staff to develop a white paper on detainees and the Geneva Conventions.

 

March 11, 2002
Rumsfeld suggests further classification review of the already pre-reviewed Annual Report to the President and the Congress.

 

March 11, 2002
Rumsfeld says the DOD annual report is not conclusive or upbeat enough.

 

March 12, 2002
Rumsfeld recounts his conversation with Russian MoD Sergei Ivanov at a Washington Wizards basketball game.

 

March 14, 2002
Rumsfeld asks how to fix the requirements process.

 

March 16, 2002
Rumsfeld inquires into U.S. nuclear policy.

 

March 26, 2002
Under the subject “Business As Usual”, Rumsfeld questions whether the Department should cut educational programs while at war.

 

March 28, 2002
Rumsfeld pushes to lift restrictions on contractors providing force protection.

 

March 28, 2002
Rumsfeld proposes a weekly meeting on Afghanistan, stating that it is “drifting”.

April 3, 2002
Rumsfeld’s thoughts on the Middle East.

 

April 8, 2002
Rumsfeld instructs his staff to create a list of all the major “processes” at the Pentagon and shorten them by at least 20 percent.

 

April 9, 2002
Rumsfeld expresses concern about a “zero defect mentality” in the promotion process.

 

 

April 12, 2002
Rumsfeld ruminates on the creation of a new Homeland Security Department.

 

April 15, 2002
Rumsfeld details a conversation with Henry Kissinger about the ICC.

 

April 15, 2002
Rumsfeld contacts Tenet about the ICC.

 

April 23, 2002
Rumsfeld considers possibly renegotiating a Russia-NATO arrangement.

 

April 23, 2002
Rumsfeld proposes using contractors to train the Afghan army.

 

April 23, 2002
Rumsfeld asks if a DOD chart of the PPB system is a joke, or whether it should be.

 

May 5, 2002
Rumsfeld tells Hank Crumpton to “speak up”.

 

May 22, 2002
Rumsfeld circulates a letter comparing interrogation techniques in Afghanistan to Guantanamo.

 

August 8, 2002
Rumsfeld questions whether it is right for pilots to use amphetamines.

 

August 17, 2002
Rumsfeld ruminates on the U.S. and Western Europe “stopping proliferation, reducing weapons of mass destruction and contrubitng to peace and stability” around the world.

 

August 19, 2002
Rumsfeld addresses the President, Vice President, CIA Director, and National Security Advisor on U.S. policy towards Iran and North Korea.

 

October 1, 2002
Rumsfeld sends handwritten notes from an interview with a detainee to Feith.

 

March 3, 2003
Rumsfeld requests a contingency plan for the possibility of capturing an imposter of Saddam Hussein.

 

March 3, 2003
Rumsfeld contacts Tenet about the intelligence that led to capturing KSM.

 

March 26, 2003
Rumsfeld requests material to brief the President privately on a post-Saddam Iraq.

 

Increased Alarm over Intrusion into U.S. and Sandia/Los Alamos

WASHINGTON (AP) — Federal authorities expressed increased alarm Thursday about an intrusion into U.S. and other computer systems around the globe that officials suspect was carried out by Russian hackers. The nation’s cybersecurity agency warned of a “grave” risk to government and private networks.

The Cybersecurity and Infrastructure Security Agency said in its most detailed comments yet that the intrusion had compromised federal agencies as well as “critical infrastructure” in a sophisticated attack that was hard to detect and will be difficult to undo.

CISA did not say which agencies or infrastructure had been breached or what information taken in an attack that it previously said appeared to have begun in March.

“This threat actor has demonstrated sophistication and complex tradecraft in these intrusions,” the agency said in its unusual alert. “CISA expects that removing the threat actor from compromised environments will be highly complex and challenging.”

President Donald Trump, whose administration has been criticized for eliminating a White House cybersecurity adviser and downplaying Russian interference in the 2016 presidential election, has made no public statements about the breach.

President-elect Joe Biden said he would make cybersecurity a top priority of his administration, but that stronger defenses are not enough.

“We need to disrupt and deter our adversaries from undertaking significant cyberattacks in the first place,” he said. “We will do that by, among other things, imposing substantial costs on those responsible for such malicious attacks, including in coordination with our allies and partners.”

The cybersecurity agency previously said the perpetrators had used network management software from Texas-based SolarWinds to infiltrate computer networks. Its new alert said the attackers may have used other methods, as well.

Over the weekend, amid reports that the Treasury and Commerce departments were breached, CISA directed all civilian agencies of the federal government to remove SolarWinds from their servers. The cybersecurity agencies of Britain and Ireland issued similar alerts.

A U.S. official previously told The Associated Press that Russia-based hackers were suspected, but neither CISA nor the FBI has publicly said who is believed to be responsible. Asked whether Russia was behind the attack, the official said: “We believe so. We haven’t said that publicly yet because it isn’t 100% confirmed.”

Another U.S. official, speaking Thursday on condition of anonymity to discuss a matter that is under investigation, said the hack was severe and extremely damaging although the administration was not yet ready to publicly blame anyone for it.

“This is looking like it’s the worst hacking case in the history of America,” the official said. “They got into everything.”

The official said the administration is working on the assumption that most, if not all, government agencies were compromised but the extent of the damage was not yet known.

This hack had nothing to do with President Trump firing Director Krebs at CISA, even though the Associated Press keeps suggesting it did. But things just took a turn for the bad side –>


The Energy Department and National Nuclear Security Administration, which maintains the U.S. nuclear weapons stockpile, have evidence that hackers accessed their networks as part of an extensive espionage operation that has affected at least half a dozen federal agencies, officials directly familiar with the matter said.

On Thursday, DOE and NNSA officials began coordinating notifications about the breach to their congressional oversight bodies after being briefed by Rocky Campione, the chief information officer at DOE.

They found suspicious activity in networks belonging to the Federal Energy Regulatory Commission (FERC), Sandia and Los Alamos national laboratories in New Mexico and Washington, the Office of Secure Transportation and the Richland Field Office of the DOE. The hackers have been able to do more damage at FERC than the other agencies, the officials said, but did not elaborate.

Federal investigators have been combing through networks in recent days to determine what hackers had been able to access and/or steal, and officials at DOE still don’t know whether the attackers were able to access anything, the people said, noting that the investigation is ongoing and they may not know the full extent of the damage “for weeks.”

Spokespeople for DOE did not immediately respond to requests for comment.

The attack on DOE is the clearest sign yet that the hackers were able to access the networks belonging to a core part of the U.S. national security enterprise. The hackers are believed to have gained access to the federal agencies’ networks by compromising the software company SolarWinds, which sells IT management products to hundreds of government and private-sector clients.

DOE officials were planning on Thursday to notify the House and Senate Energy committees, House and Senate Energy and Water Development subcommittees, House and Senate Armed Services committees, and the New Mexico and Washington State delegations of the breach, the officials said.

The FBI, Cybersecurity and Infrastructure Security Agency, and Office of the Director of National Intelligence acknowledged the “ongoing” cybersecurity campaign in a joint statement released on Wednesday, saying that they had only become aware of the incident in recent days.

“This is a developing situation, and while we continue to work to understand the full extent of this campaign, we know this compromise has affected networks within the federal government,” the statement read.

NNSA is responsible for managing the nation’s nuclear weapons, and while it gets the least attention, it takes up the vast majority of DOE’s budget. Similarly, the Sandia and Los Alamos National Labs conduct atomic research related to both civil nuclear power and nuclear weapons. The Office of Secure Transportation is tasked with moving enriched uranium and other materials critical for maintaining the nuclear stockpile.

Hackers may have been casting too wide a net when they targeted DOE’s Richland Field Office, whose primary responsibility is overseeing the cleanup of the Hanford nuclear waste site in Washington state. During World War II and the Cold War, the U.S. produced two-thirds of its plutonium there, but the site hasn’t been active since 1971.

The attack on the Federal Energy Regulatory Commission may have been an effort to disrupt the nation’s bulk electric grid. FERC doesn’t directly manage any power flows, but it does store sensitive data on the grid that could be used to identify the most disruptive locations for future attacks.

Space Command Alarmed at Russia’s Anti-Satellite Weapons Test

WASHINGTON — Russia conducted its second direct-ascent anti-satellite missile test this year, according to U.S. Space Command, yet again drawing sharp criticism from the U.S.

“Russia has made space a war-fighting domain by testing space-based and ground-based weapons intended to target and destroy satellites. This fact is inconsistent with Moscow’s public claims that Russia seeks to prevent conflict in space,” said Space Command head Gen. James Dickinson in a statement. “Space is critical to all nations. It is a shared interest to create the conditions for a safe, stable and operationally sustainable space environment.”


Space Command said the direct-ascent anti-satellite missile tested is a kinetic weapon capable of destroying satellites in low Earth orbit. A similar anti-satellite missile test by India in March 2019, which destroyed one of the nation’s own satellites on orbit, drew criticism from observers, who noted that the debris created by the test could cause indirect damage to other satellites.

Russia has completed tests of its Nudol ballistic-missile system several times in recent years, including in April of this year. Nudol can be used as an anti-satellite weapon and is capable of destroying satellites in low Earth orbit. According to the CSIS Aerospace Security Project’s “Space Threat Assessment 2020,” Russia conducted its seventh Nudol test in 2018.

Under the Trump administration, the U.S. has used the development and testing of anti-satellite weapons by Russia and China as a justification for creating both Space Command and the U.S. Space Force in 2019.

“The establishment of U.S. Space Command as the nation’s unified combatant command for space and U.S. Space Force as the primary branch of the U.S. Armed Forces that presents space combat and combat support capabilities to U.S. Space Command could not have been timelier. We stand ready and committed to deter aggression and defend our nation and our allies from hostile acts in space,” Dickinson said.

Acting Secretary of Defense Christopher C. Miller made similar comments last week as the White House released a new National Space Policy, which calls for the U.S. to defeat aggression and promote norms of behavior in space.

“Our adversaries have made space a war-fighting domain, and we have to adapt our national security organizations, policies, strategies, doctrine, security classification frameworks and capabilities for this new strategic environment. Over the last year we have established the necessary organizations to ensure we can deter hostilities, demonstrate responsible behaviors, defeat aggression and protect the interests of the United States and our allies.”

***

Kilopower: An illustration of a Kilopower nuclear reactor on the moon. Development of surface nuclear power technologies is a key element of the roadmap included in Space Policy Directive 6. Credit: NASA

The White House released a new space policy directive Dec. 16 intended to serve as a strategic roadmap for the development of space nuclear power and propulsion technologies.

Space Policy Directive (SPD) 6, titled “National Strategy for Space Nuclear Power and Propulsion,” discusses responsibilities and areas of cooperation among federal government agencies in the development of capabilities ranging from surface nuclear power systems to nuclear thermal propulsion, collectively known as space nuclear power and propulsion (SNPP).

“This memorandum establishes a national strategy to ensure the development and use of SNPP systems when appropriate to enable and achieve the scientific, exploration, national security, and commercial objectives of the United States,” the 12-page document states.

SPD-6 sets out three principles for the development of space nuclear systems: safety, security and sustainability. It also describes roles and responsibilities for various agencies involved with development, use or oversight of such systems.

Much of the document, though, is a roadmap for the development of nuclear power and propulsion systems. It sets a goal of, by the mid-2020s, developing uranium fuel processing capabilities needed for surface power and in-space propulsion systems. By the mid to late 2020s, NASA would complete the development and testing of a surface nuclear power system for lunar missions that can be scalable for later missions to Mars.

SPD-6 calls for, by the late 2020s, establishing the “technical foundations and capabilities” needed for nuclear thermal propulsion systems. It also sets a goal of developing advanced radioisotope power systems, versions of radioisotope thermoelectric generators (RTGs) long used on NASA missions, by 2030.

Many of the initiatives outlined in SPD-6 are already in progress. NASA has been working with the Department of Energy (DOE) on a project called Kilopower to develop surface nuclear reactors, including efforts to seek proposals to develop a reactor for use on the moon. NASA has also been studying nuclear thermal propulsion, an initiative backed by some in Congress who have set aside funding in NASA’s space technology program for that effort.

“We have these individual initiatives going on — nuclear thermal power, the Kilopower activities — and what we’re trying to do is pull together a common operating picture for Defense, NASA and DOE,” said a senior administration official, speaking on background about SPD-6.

That roadmap and schedule is also intended to prioritize those activities. Surface nuclear power is needed in the nearer term to support lunar missions later in the decade, particularly to handle the two-week lunar night. Nuclear thermal propulsion, as well as alternative nuclear electric propulsion technologies, are less critical since they are primarily intended to support later missions to Mars.

“Those things are important for going to Mars,” the official said of nuclear propulsion, “but first we’re doing the moon and leveraging terrestrial capabilities and technologies to put that foothold on the moon.”

Another issue addressed in SPD-6 is the use of different types of uranium. Tests in 2018 as part of the Kilopower program used highly enriched uranium, or HEU. That project, and discussions by NASA and DOE to use HEU for flight reactors, raised concerns in the nuclear nonproliferation community. They were worried that it could set a precedent for renewed production of HEU, which is also used in nuclear weapons.

SPD-6 restricts, but does not prohibit, the use of HEU in space nuclear systems. “Before selecting HEU or, for fission reactor systems, any nuclear fuel other than low-enriched uranium (LEU), for any given SNPP design or mission, the sponsoring agency shall conduct a thorough technical review to assess the viability of alternative nuclear fuels,” it states.

“We want to keep those proliferation concerns foremost in our minds,” a senior administration official said. “We don’t want to necessarily rule out HEU if that’s the only way to get a mission about, but we want to be very deliberate about it.”

The policy, an official said, “sets an extremely high bar” for non-defense use of HEU on space systems, citing progress on high-assay low enriched uranium, which can provide power levels similar to HEU systems with only a modest mass penalty.

The White House released SPD-6 a week after it issued a new national space policy during a meeting of the National Space Council. That broader policy briefly addressed space nuclear power and propulsion, discussing roles for various agencies, but did not mention the roadmap or other details found in SPD-6.

Many thought the release of the national space policy would conclude the administration’s work on space policy, making SPD-6 something of a surprise. A senior administration official said work on various space policy directives and the national space policy had been slowed down by the coronavirus pandemic, but wouldn’t rule out additional announcements in the remaining five weeks of the Trump administration.

AG Barr Resigns


Politico lists a critique of the relationship between President Trump and AG Barr.

Now, what action items has AG Barr launched in recent weeks and what may be expected…

  • Barr had sounded frequent alarms in advance of the election about the potential for fraud, particularly through foreign interference in mail-in balloting, infuriating Democrats who emphasized there was no evidence such a plot was afoot.
  • Barr unilaterally appointed U.S. Attorney John Durham to review the origins of the Trump-Russia probe, known as Crossfire Hurricane — and in October, he elevated Durham’s ongoing inquiry into a full-fledged special counsel investigation.
  • Barr also appointed U.S. Attorney Jeffrey Jensen to review the FBI’s handling of the investigation of former National Security Adviser Michael Flynn, a probe that became the basis of Barr’s decision to recommend dismissing charges against him. The U.S. District Court judge in that case, Emmet Sullivan, considered the Justice Department’s reasons as “dubious” and likely a pretextual effort to protect an ally of the president, but he ultimately dropped the matter after Trump pardoned Flynn.
  • The US attorney’s office in Delaware is led by David Weiss, who was appointed by Trump and sworn into the position in February 2018. A spokesperson for the US attorney’s office in Delaware declined to comment, citing the ongoing nature of the investigation of Hunter Biden and the Biden family, which has become comprehensive, including money laundering, foreign agency crimes and income tax fraud.

AG Barr has appointed Jeffrey Rosen to the position of Acting Attorney General. For reference his credentials include:

  1. Taking the lead on the antitrust case against Google.
  2. Driving the sensitive litigation that the White House had an interest in, including a lawsuit against Mr. Trump’s former national security adviser, John Bolton, over the publication of his book in June.
  3. Mr. Rosen also led the Justice Department’s charge against Purdue Pharma LP. It agreed to plead guilty to three felonies related to its marketing and distribution of powerful painkiller OxyContin as part of an $8.34 billion settlement over tactics the government said helped fuel the opioid crisis.

Additionally, Richard Donoghue has been elevated at the DoJ. Donoghue served in the Judge Advocate General’s Corps, United States Army, where he was a Military Magistrate Judge, Prosecutor, Defense Counsel, and Contract Litigator. He also served in the 82nd Airborne Division. Donoghue worked at the United States District Court for the Eastern District of New York before leaving to serve as Principal Associate Deputy Attorney General and Counselor to the U.S. Attorney General. Donoghue was selected to serve as United States Attorney in January 2018. In 2020, it was announced that Donoghue would leave the Eastern District to serve as Principal Associate Deputy Attorney General at the United States Department of Justice.

*** You should consider that AG Barr is a veteran of how Washington DC works and in his last days has crafted an operational playbook not only for the White House Office of Legal Counsel but for the Department of Justice. Interesting items are on deck that include the Biden family, the still open wounds of the existing and former FBI officials, China operatives in the U.S. embedded with Democrat politicians, and then cases against Google and Big Tech; the matter of a fraudulent election system is also front and center. Sadly, we must wait, and hence we need to judge slowly.

Details: Cozy Bear, Solarwinds, FireEye and the Hack of the US Govt

Cozy Bear (also called APT29, a known unit of Russia’s SVR foreign intelligence service) appears to have been behind the attack, the Wall Street Journal reports. Moscow denies any involvement in the incident. Reuters adds that the Kremlin thinks the Americans should have been more mutual, more cooperative.

FireEye calls the backdoor “Sunburst.” Microsoft’s Security Response Center has a detailed account of how the malware functions. Both FireEye and Microsoft have upgraded their security products to include measures for detecting and protecting against the attack. SolarWinds urges its customers to “upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible.”


When FireEye Inc. discovered that it was hacked this month, the cybersecurity firm’s investigators immediately set about trying to figure out how attackers got past its defenses.

It wasn’t just FireEye that got attacked, they quickly found out. Investigators discovered a vulnerability in a product made by one of its software providers, Texas-based SolarWinds Corp.

“We looked through 50,000 lines of source code, which we were able to determine there was a backdoor within SolarWinds,” said Charles Carmakal, senior vice president and chief technical officer at Mandiant, FireEye’s incident response arm.

After discovering the backdoor, FireEye contacted SolarWinds and law enforcement, Carmakal said.

In part: Washington — U.S. government agencies were ordered to scour their networks for malware and disconnect potentially compromised servers after authorities learned that the Treasury and Commerce departments had been hacked in a months-long global cyberespionage campaign. The campaign was discovered when a prominent cybersecurity firm learned it had been breached.

In a rare emergency directive issued late Sunday, the Department of Homeland Security’s cybersecurity arm warned of an “unacceptable risk” to the executive branch from a feared large-scale penetration of U.S. government agencies that could date back to mid-year or earlier.

“This can turn into one of the most impactful espionage campaigns on record,” said cybersecurity expert Dmitri Alperovitch.

The apparent conduit for the Treasury and Commerce Department hacks – and the FireEye compromise – is a hugely popular piece of server software called SolarWinds. It’s used by hundreds of thousands of organizations globally, including most Fortune 500 companies and multiple U.S. federal agencies that will now be scrambling to patch up their networks, said Alperovitch, the former chief technical officer of the cybersecurity firm CrowdStrike.

On its website, SolarWinds says it has 300,000 customers worldwide, including all five branches of the U.S. military, the Pentagon, the State Department, NASA, the National Security Agency, the Department of Justice and the White House. It says the 10 leading U.S. telecommunications companies and top five U.S. accounting firms are also among customers.

The DHS directive – only the fifth since such directives were created in 2015 – said U.S. agencies should immediately disconnect or power down any machines running the impacted SolarWinds software.

“We believe that this vulnerability is the result of a highly-sophisticated, targeted and manual supply chain attack by a nation state,” SolarWinds CEO Kevin Thompson said in a statement. He said the company was working with the FBI, FireEye and the intelligence community. More here.


Many more details on consequence –>

It turns out that the attackers also compromised the Department of Homeland Security. SolarWinds revealed to the Securities and Exchange Commission that the breach may affect 18,000 customers.

It appears that, in March 2020, someone managed to modify the SolarWinds Orion software during the build process—that is, the process that translates the human-readable code and merges it into a form that a computer can execute. This timing is based on both the Microsoft and FireEye analyses, as well as the reported versions affected by SolarWinds.

This modification included a sophisticated and stealthy Trojan program, designed to remotely control any computer that installed SolarWinds Orion. When customers installed the latest update, the Trojan program would start running on the victims’ computers. This is considered a software “supply chain attack”: The intended victims received a polluted copy of the Orion software directly or indirectly from SolarWinds.
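The two paragraphs above describe a compromise of the build step rather than the source: reviewers of the human-readable code see nothing wrong, yet the artifact that ships carries extra code. The defender's counter-measure that follows from that description is to rebuild the artifact independently from the reviewed source and compare digests, so that anything introduced only at build time shows up as a mismatch. The script below is an added illustration of that check and is not SolarWinds code, FireEye's or Microsoft's analysis tooling, or anything from the page. The "compiler" is a constructed stand-in (a header plus the source bytes), the sample source is invented, and the injected bytes are a labelled placeholder, not real malware.

```python
import hashlib

# Constructed sample source for a fictional monitoring component (not SolarWinds code).
SAMPLE_SOURCE = (
    "def collect_metrics(host):\n"
    "    return {'host': host, 'status': 'ok'}\n"
)


def sha256(data: bytes) -> str:
    """Hex SHA-256 digest of raw bytes."""
    return hashlib.sha256(data).hexdigest()


def compile_source(source: str) -> bytes:
    """Stand-in for a deterministic compiler (assumption for this example).

    Deterministic output is the property that makes two independent builds
    comparable byte for byte; real reproducible-build pipelines work to
    eliminate timestamps, paths and other nondeterminism for the same reason.
    """
    return b"ARTIFACT-v1\n" + source.encode()


def compromised_build(source: str) -> bytes:
    """Models the scenario in the text: the source is untouched, but the build
    step itself appends extra code to the artifact. The appended bytes are a
    constructed placeholder, not actual malicious code."""
    artifact = compile_source(source)
    return artifact + b"\n# PLACEHOLDER_INJECTED_AT_BUILD_TIME\n"


def verify_reproducible(artifact: bytes, source: str) -> dict:
    """Rebuild from the reviewed source on an independent builder and compare.

    Returns the source digest (identical whether or not the build was tampered
    with, which is exactly why source review alone cannot catch this) alongside
    the expected and observed artifact digests and a pass/fail flag.
    """
    expected = sha256(compile_source(source))
    actual = sha256(artifact)
    return {
        "source_sha256": sha256(source.encode()),
        "expected_artifact_sha256": expected,
        "actual_artifact_sha256": actual,
        "reproducible": expected == actual,
    }


def audit_release(artifacts: dict, source: str) -> list:
    """Run the check over a release's artifacts; return names that fail."""
    return [name for name, blob in artifacts.items()
            if not verify_reproducible(blob, source)["reproducible"]]


if __name__ == "__main__":
    release = {
        "clean_build.bin": compile_source(SAMPLE_SOURCE),
        "tampered_build.bin": compromised_build(SAMPLE_SOURCE),
    }
    for name, blob in release.items():
        print(name, verify_reproducible(blob, SAMPLE_SOURCE))
    print("failed:", audit_release(release, SAMPLE_SOURCE))
```

The point the output makes is that both artifacts report the same source digest; only the independent rebuild separates the clean build from the tampered one. In practice this is the reasoning behind reproducible builds and attested build provenance: the reviewer's trust in the source has to be carried through to the artifact by a second, independent build rather than by trusting the original build host.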

What Now?

Christmas is now officially cancelled for three groups. The first is for the IT staff working for the perhaps 18,000 SolarWinds customers affected by the breach, who are going to have to spend the next weeks rebuilding their networks and going over everything with a fine-toothed comb looking for various backdoors. This is going to be a lot of work to sort out. The only good thing is that most of the customers don’t have secondary backdoors to worry about, because the biggest problem faced by the attacker was simply the target-rich environment. Each effort at exploitation increases the risk of discovery, and in the end, there are only so many people who can conduct these attacks.

The second group is the U.S. intelligence community. This attack started in March with the first exploitation starting in April. Either they didn’t know about it—a failure in the “defend forward” philosophy—or they did know about it, in which case they also failed to defend forward. There are going to be tough questions that the intelligence community will need to answer internally.

The final group is the Russian government. This was an amazingly valuable intelligence feed, capturing U.S. government communication leading up to the transition as well as critical insights into U.S. financial controls. Now the feed has gone dark and Russia has lost a hugely powerful asset. But then again, these are a bunch of Russian spies, so in the immortal words of every sysadmin: “fsck those guys”.

More here.