Per briefing today on SolarWinds hack, @RonWyden says IRS was not compromised, nor was taxpayer data affected. However, hack of Treasury Department "appears to be significant." Treasury breach began in July, "the full depth of which isn't known."
Microsoft notified Treasury Dept that dozens of email accounts were compromised. Additionally the hackers broke into systems in the Departmental Offices division of Treasury, home to Treasury's highest-ranking officials. Treasury still doesn't know precisely what info was stolen.
. @RonWyden on SW: “[A]fter yrs of gov officials advocating for encryption backdoors and ignoring warnings from [infosec] experts who said...encryption keys [are targets] for hackers, the USG has..suffered a breach that seems to involve...stealing encryption keys from USG servers”
What does Wyden mean when he says they stole encryption keys from US gov servers? "Once the hackers gained access to [Treasury Dept's] Departmental Offices network, they stole an encryption key used by Treasury's 'single sign on' login infrastructure," a Wyden aide tells me.
"With this key, the hackers were able to forge the credentials necessary to gain legitimate access to several Microsoft cloud-hosted email accounts," Wyden's aide says, attributing the info to Treasury officials who provided a briefing on the SolarWinds hack.
Here's Microsoft describing it: The intruders using admin permissions gained access to an org’s trusted SAML token-signing cert. "This enables them to forge SAML tokens that impersonate any of the organization’s existing users and accounts, including highly privileged accounts."
The forged tokens "can be used against any on-premises resources (regardless of identity system or vendor) as well as against any cloud environment (regardless of vendor) because they have been configured to trust the certificate." In other words, the keys to the kingdom.
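The forged-token attack Microsoft describes in the two tweets above is hard to catch at the relying party, because the signature on a forged token is genuinely valid: the cloud tenant trusts the certificate, so it trusts anything signed by it. What the attacker cannot forge is the identity provider's own audit trail (on AD FS, the security audit event written for each issued token, event ID 1200). The check below is an added example, not code from the thread or from Microsoft: it walks a constructed cloud sign-in log, looks up each presented assertion in a constructed IdP issuance log, and flags sign-ins the IdP never issued, issued to a different user, or minted with a lifetime outside policy. The record formats, user names, timestamps, one-hour lifetime policy and five-minute clock skew are all assumptions.

```python
"""Spot federated sign-ins whose SAML token the identity provider never issued.

Added example, not from the thread or from Microsoft. A token forged with a
stolen token-signing key passes every signature check, so the forgery is only
visible in the gap between what the IdP logged issuing and what the cloud
tenant saw presented. All log records below are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone


def parse_ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp of the form 2020-07-14T09:00:05Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed IdP issuance log: one record per token the IdP actually signed.
# (On AD FS this is the audit event emitted for each issued token, ID 1200.)
IDP_ISSUED = [
    {"assertion_id": "_a1", "user": "alice@treasury.example", "issued": "2020-07-14T09:00:05Z"},
    {"assertion_id": "_b7", "user": "bob@treasury.example", "issued": "2020-07-14T09:15:40Z"},
]

# Constructed cloud sign-in log: what the tenant saw presented, with the
# assertion's own ID, IssueInstant and NotOnOrAfter as read from the token.
CLOUD_SIGNINS = [
    # two legitimate sign-ins that line up with the IdP log
    {"assertion_id": "_a1", "user": "alice@treasury.example", "issued": "2020-07-14T09:00:05Z",
     "expires": "2020-07-14T10:00:05Z", "presented": "2020-07-14T09:00:07Z"},
    {"assertion_id": "_b7", "user": "bob@treasury.example", "issued": "2020-07-14T09:15:40Z",
     "expires": "2020-07-14T10:15:40Z", "presented": "2020-07-14T09:15:41Z"},
    # a token the IdP never issued, minted off-box with a one-year lifetime
    {"assertion_id": "_f3e9", "user": "deputy@treasury.example", "issued": "2020-07-20T02:11:00Z",
     "expires": "2021-07-20T02:11:00Z", "presented": "2020-07-20T02:11:30Z"},
    # a token reusing a real assertion ID but naming a different, higher-value user
    {"assertion_id": "_b7", "user": "cio@treasury.example", "issued": "2020-07-14T09:15:40Z",
     "expires": "2020-07-14T10:15:40Z", "presented": "2020-07-14T09:15:42Z"},
]


def audit_signins(idp_issued, cloud_signins,
                  max_lifetime=timedelta(hours=1), skew=timedelta(minutes=5)):
    """Return a list of {assertion_id, user, reasons} for sign-ins the IdP cannot vouch for.

    max_lifetime and skew are assumed policy values; tune them to the IdP's
    configured token lifetime and the clock tolerance between IdP and tenant.
    """
    by_id = {rec["assertion_id"]: rec for rec in idp_issued}
    findings = []
    for s in cloud_signins:
        reasons = []
        issued = parse_ts(s["issued"])
        expires = parse_ts(s["expires"])
        presented = parse_ts(s["presented"])
        rec = by_id.get(s["assertion_id"])
        if rec is None:
            # The signature verified, but nothing signed this token on the IdP side.
            reasons.append("no IdP issuance record for this assertion ID")
        else:
            if rec["user"].lower() != s["user"].lower():
                reasons.append(f"IdP issued this assertion to {rec['user']}, not {s['user']}")
            if abs(parse_ts(rec["issued"]) - issued) > skew:
                reasons.append("token IssueInstant disagrees with the IdP audit log")
        if expires - issued > max_lifetime:
            # Attackers minting their own tokens tend to give them long lifetimes.
            reasons.append(f"token lifetime {expires - issued} exceeds policy {max_lifetime}")
        if presented < issued - skew:
            reasons.append("token presented before its own IssueInstant")
        if reasons:
            findings.append({"assertion_id": s["assertion_id"], "user": s["user"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_signins(IDP_ISSUED, CLOUD_SIGNINS):
        print(f["assertion_id"], f["user"])
        for r in f["reasons"]:
            print("   -", r)
```

Two caveats. First, this only catches tokens minted outside the IdP; an attacker who controls the federation server itself can also mint through it or edit its logs, so the issuance log has to be shipped off-host before it is trusted for this comparison. Second, the check says nothing about the root cause: once a token-signing certificate is known to be stolen, the only remediation is to rotate it and re-establish trust at every relying party that was configured to accept it.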
You can follow @KimZetter.