Senior officials at the Department of Veterans Affairs abruptly cancelled a scheduled briefing with congressional leaders this week regarding the extent and impact of the SolarWinds cyberattack, a far-reaching intrusion into the networks of multiple U.S. agencies and powerful corporations allegedly perpetrated by an elite team of Russian hackers sanctioned by Moscow.
Democratic lawmakers say the VA has so far provided no explanation for its decision not to inform House and Senate oversight leaders whether the attack may have compromised any veterans’ sensitive information, prompting at least one U.S. senator to publicly demand answers from the agency’s chief. This week, VA officials told reporters there are currently no signs the hackers took advantage of the backdoor in their network, which was unwittingly installed by roughly 18,000 SolarWinds clients this year.
In a letter to Veterans Affairs Secretary Robert Wilkie on Wednesday, Sen. Richard Blumenthal, Democrat of Connecticut, said the veteran community is “particularly vulnerable” to the consequences of a breach, noting the immense amount of veterans’ private data the department holds. It remains unclear what steps, if any, Wilkie has taken, Blumenthal said, to assess the risk to retired members of America’s fighting forces.
“I am alarmed by the potential threat to the VA and write to urgently request information about the impact of this incident and what steps are being taken to ensure the resilience and confidentiality of the VA mission,” Blumenthal wrote. “This hack threatens to exacerbate existing privacy concerns and enable hackers to share and sell veterans’ personal information.”
Veterans are considered to be at high risk for identity theft due to long-term government practices, such as using Social Security numbers as a primary identifier for service members. Veterans also rely heavily on the use of a document known as DD Form 214, which contains sensitive information, to demonstrate proof of their service. Blumenthal notes the “necessary reliance” on the document—copies of which the VA digitally maintains—as a particular vulnerability.
Wilkie is not obligated to respond to Blumenthal’s questions, which include what precautions, if any, have been taken to segregate veteran health records from other systems and whether the VA has completed a forensic investigation of its cloud resources. The Trump administration has traditionally ignored most inquiries made by congressional Democrats in the minority.
The VA, one of SolarWinds’ biggest federal customers, could not be immediately reached for comment. A VA spokesperson told CyberScoop on Wednesday that the agency has uninstalled SolarWinds’ network monitoring software “out of an abundance of caution,” and that “currently there are no signs of exploitation.”
Removing an infected copy of the SolarWinds platform would not necessarily guarantee that the alleged Russian hackers no longer have a foothold in the network.
Other agencies have likewise been less than forthcoming about the breach, according to CyberScoop. In another letter this week, Sen. Bob Menendez, a Democrat of New Jersey, said the U.S. State Department has remained “silent on whether its computer, communication and information technology systems were compromised.”
The SolarWinds attack represents one of the most brazen intrusions into U.S. government networks by a state actor since at least the Office of Personnel Management breach of 2015, wherein Chinese hackers exfiltrated millions of personnel files and federal employee background checks. The Departments of State, Commerce, Treasury, and Homeland Security, as well as the National Institutes of Health, are among the list of SolarWinds victims.
Experts say the Russian hacking group APT 29, also known as Cozy Bear, may have infiltrated the Texas-based software company SolarWinds as early as 2019, inserting malicious code into copies of Orion Platform, a network management tool in use by dozens of federal agencies and more than three-fourths of corporations on the revenue-based Fortune 500 list.
Experts typically associate Cozy Bear, which is credited with attacking the Pentagon’s email system in 2015 and the Democratic National Committee in 2016, with the Russian Foreign Intelligence Service, the predecessor of the KGB.
The malware deployed into the Orion Platform, known as Teardrop, was highly sophisticated, according to experts, and in addition to harvesting users’ credentials and monitoring their keystrokes, enabled Cozy Bear to mask its movements in infected networks, helping its operators pass as ordinary IT employees.