Security

FireEye Releases Tool For Auditing Networks for Techniques Used by SolarWinds Hackers (zdnet.com)

Cybersecurity firm FireEye has released today a report detailing the techniques used by the SolarWinds hackers inside the networks of companies they breached. From a report: Together with the report, FireEye researchers have also released a free tool on GitHub named Azure AD Investigator that they say can help companies determine if the SolarWinds hackers (also known as UNC2452) used any of these techniques inside their networks. Today's FireEye report comes as the security firm has spearheaded investigations into the SolarWinds supply chain compromise, together with Microsoft and CrowdStrike. The SolarWinds hack came to light on December 13, 2020, when FireEye and Microsoft confirmed that a threat actor broke into the network of IT software provider SolarWinds and poisoned updates for the Orion app with malware.
Security

MacOS Malware Used Run-Only AppleScripts To Avoid Detection For Five Years (zdnet.com)

An anonymous reader quotes a report from ZDNet: For more than five years, macOS users have been the targets of a sneaky malware operation that used a clever trick to avoid detection and hijacked the hardware resources of infected users to mine cryptocurrency behind their backs. Named OSAMiner, the malware has been distributed in the wild since at least 2015 disguised in pirated (cracked) games and software such as League of Legends and Microsoft Office for Mac, security firm SentinelOne said in a report published this week. But the cryptominer did not go entirely unnoticed. SentinelOne said that two Chinese security firms spotted and analyzed older versions of OSAMiner in August and September 2018, respectively. But their reports only scratched the surface of what OSAMiner was capable of, SentinelOne macOS malware researcher Phil Stokes said yesterday.

The primary reason was that security researchers weren't able to retrieve the malware's entire code at the time, which used nested run-only AppleScript files to retrieve its malicious code across different stages. As users installed the pirated software, the boobytrapped installers would download and run a run-only AppleScript, which would download and run a second run-only AppleScript, and then a final third run-only AppleScript. Since "run-only" AppleScripts come in a compiled state where the source code isn't human-readable, this made analysis harder for security researchers.

Desktops (Apple)

Apple Removes Feature That Allowed Its Apps To Bypass macOS Firewalls and VPNs (zdnet.com)

Apple has removed a controversial feature from the macOS operating system that allowed 53 of Apple's own apps to bypass third-party firewalls, security tools, and VPN apps installed by users for their protection. From a report: Known as the ContentFilterExclusionList, the list was included in macOS 11, also known as Big Sur. The exclusion list included some of Apple's biggest apps, like the App Store, Maps, and iCloud, and was physically located on disk at: /System/Library/Frameworks/NetworkExtension.framework/Versions/Current/Resources/Info.plist.

Its presence was discovered last October by several security researchers and app makers who realized that their security tools weren't able to filter or inspect traffic for some of Apple's applications. Security researchers such as Patrick Wardle, and others, were quick to point out at the time that this exclusion risk was a security nightmare waiting to happen. They argued that malware could latch on to legitimate Apple apps included on the list and then bypass firewalls and security software.
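An added example (not Apple's code or the researchers' tooling) for auditing whether a macOS host still carries the exclusion list: it parses the NetworkExtension Info.plist and reports the bundle identifiers under the ContentFilterExclusionList key. The plist samples are constructed, and the assumption that the key holds a plain array of bundle identifiers is mine.

```python
import plistlib
import sys

# Constructed sample resembling a Big Sur NetworkExtension Info.plist that still
# contains the exclusion list. The key's layout (an array of bundle IDs) is an
# assumption; the real file lives at the path named in the article.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.apple.NetworkExtension</string>
    <key>ContentFilterExclusionList</key>
    <array>
        <string>com.apple.appstored</string>
        <string>com.apple.Maps</string>
        <string>com.apple.iCloudHelper</string>
    </array>
</dict>
</plist>
"""

# Constructed sample of a plist after the key was removed (what a patched host should show).
REMEDIATED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.apple.NetworkExtension</string>
</dict>
</plist>
"""

DEFAULT_PATH = ("/System/Library/Frameworks/NetworkExtension.framework/"
                "Versions/Current/Resources/Info.plist")


def load_exclusions(plist_bytes: bytes) -> list:
    """Return the bundle identifiers listed under ContentFilterExclusionList (empty if absent)."""
    data = plistlib.loads(plist_bytes)
    entries = data.get("ContentFilterExclusionList", [])
    if not isinstance(entries, list):
        raise ValueError("ContentFilterExclusionList is not an array")
    return [str(entry) for entry in entries]


def audit(plist_bytes: bytes) -> dict:
    """Summarise the list so a defender can see whether Apple apps still bypass content filters."""
    exclusions = load_exclusions(plist_bytes)
    return {
        "present": bool(exclusions),
        "count": len(exclusions),
        "excluded": sorted(exclusions),
    }


def is_excluded(plist_bytes: bytes, bundle_id: str) -> bool:
    """True if traffic from bundle_id would not reach NEFilter-based firewalls and VPN filters."""
    return bundle_id in load_exclusions(plist_bytes)


if __name__ == "__main__":
    # Pass the real Info.plist path on a Mac; without an argument the constructed sample is used.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else SAMPLE_PLIST
    report = audit(blob)
    print("exclusion list present:", report["present"], "entries:", report["count"])
    for bundle in report["excluded"]:
        print("  excluded:", bundle)
```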

The Internet

German Investigators Shut Down Biggest Illegal Marketplace On the Darknet (apnews.com)

An anonymous reader quotes a report from The Associated Press: German prosecutors said Tuesday that they have taken down what they believe was the biggest illegal marketplace on the darknet and arrested its suspected operator. The site, known as DarkMarket, was shut down on Monday, prosecutors in the southwestern city of Koblenz said. All sorts of drugs, forged money, stolen or forged credit cards, anonymous mobile phone SIM cards and malware were among the things offered for sale there, they added. German investigators were assisted in their months-long probe by U.S. authorities and by Australian, British, Danish, Swiss, Ukrainian and Moldovan police.

The marketplace had nearly 500,000 users and more than 2,400 vendors, prosecutors said. They added that it processed more than 320,000 transactions, and Bitcoin and Monero cryptocurrency to the value of more than 140 million euros ($170 million) were exchanged. The suspected operator, a 34-year-old Australian man, was arrested near the German-Danish border. Prosecutors said a judge has ordered him held in custody pending possible formal charges, and he hasn't given any information to investigators. More than 20 servers in Moldova and Ukraine were seized, German prosecutors said. They hope to find information on those servers about other participants in the marketplace.
The move against DarkMarket originated from an investigation of a data processing center installed in a former NATO bunker in southwestern Germany that hosted sites dealing in drugs and other illegal activities.
Security

SolarWinds Malware Has 'Curious' Ties To Russian-Speaking Hackers (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: The malware used to hack Microsoft, security company FireEye, and at least a half-dozen federal agencies has "interesting similarities" to malicious software that has been circulating since at least 2015, researchers said on Monday. Sunburst is the name security researchers have given to malware that infected about 18,000 organizations when they installed a malicious update for Orion, a network management tool sold by Austin, Texas-based SolarWinds. The unknown attackers who planted Sunburst in Orion used it to install additional malware that burrowed further into select networks of interest. With infections that hit the Departments of Justice, Commerce, Treasury, Energy, and Homeland Security, the hack campaign is among the worst in modern US history. The National Security Agency, the FBI, and two other federal agencies last week said that the Russian government was "likely" behind the attack, which began no later than October 2019. While several news sources, citing unnamed officials, have reported the intrusions were the work of the Kremlin's SVR, or Foreign Intelligence Service, researchers continue to look for evidence that definitively proves or disproves the statements.

On Monday, researchers from Moscow-based security company Kaspersky Lab reported "curious similarities" in the code of Sunburst and Kazuar, a piece of malware that first came to light in 2017. Kazuar, researchers from security firm Palo Alto Networks said then, was used alongside known tools from Turla, one of the world's most advanced hacking groups, whose members speak fluent Russian. In a report published on Monday, Kaspersky Labs researchers said they found at least three similarities in the code and functions of Sunburst and Kazuar. They are: the algorithm used to generate the unique victim identifiers; the algorithm used to make the malware "sleep," or delay taking action, after infecting a network; and extensive use of the FNV-1a hashing algorithm to obfuscate code.

Monday's post cautions against drawing too many inferences from the similarities. They could mean that Sunburst was written by the same developers behind Kazuar, but they might also be the result of an attempt to mislead investigators about the true origins of the SolarWinds supply chain attack, something researchers call a false flag operation. Other possibilities include a developer who worked on Kazuar and later went to work for the group creating Sunburst, the Sunburst developers reverse engineering Kazuar and using it as inspiration, or developers of Kazuar and Sunburst obtaining their malware from the same source.
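The FNV-1a obfuscation mentioned above hides strings by storing only their hashes, so analysts recover them by hashing candidate strings and matching. The following is an added example written for this page (not code from Kaspersky, the Sunburst sample or Kazuar): the standard FNV-1a hash with a wordlist-resolution helper. The standard constants, lower-casing and UTF-8 encoding are assumptions; a real sample's variant must be read from its own disassembly.

```python
# Standard FNV-1a parameters (assumed here; a sample may alter them).
FNV32_OFFSET, FNV32_PRIME = 0x811C9DC5, 0x01000193
FNV64_OFFSET, FNV64_PRIME = 0xCBF29CE484222325, 0x100000001B3


def fnv1a(data: bytes, bits: int = 64) -> int:
    """FNV-1a: XOR each byte into the state, then multiply by the prime, modulo 2**bits."""
    if bits == 32:
        h, prime, mask = FNV32_OFFSET, FNV32_PRIME, 0xFFFFFFFF
    elif bits == 64:
        h, prime, mask = FNV64_OFFSET, FNV64_PRIME, 0xFFFFFFFFFFFFFFFF
    else:
        raise ValueError("bits must be 32 or 64")
    for byte in data:
        h ^= byte
        h = (h * prime) & mask
    return h


def build_table(candidates, bits: int = 64) -> dict:
    """Precompute hash -> plaintext for a wordlist (lower-case UTF-8 assumed)."""
    return {fnv1a(name.lower().encode("utf-8"), bits): name.lower() for name in candidates}


def resolve(hashes, table: dict) -> dict:
    """Map each hash pulled from a sample back to a candidate string, or None if not in the wordlist."""
    return {h: table.get(h) for h in hashes}


# Constructed wordlist of process names an analyst might try, and constructed
# "hashes found in a sample" (two resolvable, one deliberately unknown).
CANDIDATES = ["explorer.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "notepad.exe"]
TABLE = build_table(CANDIDATES)
SAMPLE_HASHES = [fnv1a(b"lsass.exe"), fnv1a(b"svchost.exe"), 0x1234567890ABCDEF]

if __name__ == "__main__":
    for h, name in resolve(SAMPLE_HASHES, TABLE).items():
        print(f"{h:016x} -> {name or '<unresolved>'}")
```

Extending the wordlist (service names, hostnames, domain names) is how the hashed comparisons in a sample are turned back into readable indicators.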

Intel

Intel Unveils New Core H-Series Laptop and 11th Gen Desktop Processors At CES 2021 (hothardware.com)

MojoKid writes: At its virtual CES 2021 event today, Intel's EVP Gregory Bryant unveiled an array of new processors and technologies targeting virtually every market, from affordable Chromebooks to enthusiast-class gaming laptops and high-end desktops. Intel's 11th Gen Core vPro platform was announced, featuring new Intel Hardware Shield AI-enabled threat ransomware and crypto-mining malware detection technology. In addition, the Intel Rocket Lake-S based Core i9-11900K 8-core CPU was revealed, offering up to a 19% improvement in IPC performance and the ability to out-pace AMD's Ryzen 9 5900X 12-core CPU in some workloads like gaming. Also, a new high-end hybrid processor, code-named Alder Lake was previewed. Alder Lake packs both high-performance cores and high-efficiency cores on a single product, for what Intel calls its "most power-scalable system-on-chip" ever. Alder Lake will also be manufactured using an enhanced version of 10nm SuperFin technology with improved power and thermal characteristics, and targets both desktop and mobile form factors when they arrive later this year.

Finally, Intel launched its new 11th Gen Core H-Series Tiger Lake H35 parts that will appear in high-performance laptops as thin as 16mm. At the top of the 11th Gen H-Series stack is the Intel Core i7-11375H Special Edition, a 35W quad-core processor (8-threads) that turbos up to 5GHz and supports PCI Express 4.0, and is targeted for ultraportable gaming notebooks. Intel is claiming single-threaded performance improvements in the neighborhood of 15% over previous-gen architectures and a greater than 40% improvement in multi-threaded workloads. Intel's Bryant also announced an 8-core mobile processor variant leveraging the same architecture as the 11th Gen H-Series that is slated to start shipping a bit later this quarter at 5GHz on multiple cores, with 20 lanes of PCIe Gen 4 connectivity.

Security

Hacker Locks Internet-Connected Chastity Cage, Demands Ransom (vice.com)

A hacker took control of people's internet-connected chastity cages and demanded a ransom to be paid in Bitcoin to unlock it. From a report: "Your cock is mine now," the hacker told one of the victims, according to a screenshot of the conversation obtained by a security researcher that goes by the name Smelly and is the founder of vx-underground, a website that collects malware samples. In October of last year, security researchers found that the manufacturer of an Internet of Things chastity cage -- a sex toy that users put around their penis to prevent erections that is used in the BDSM community and can be unlocked remotely -- had left an API exposed, giving malicious hackers a chance to take control of the devices. That's exactly what happened, according to a security researcher who obtained screenshots of conversations between the hacker and several victims, and according to victims interviewed by Motherboard. A victim who asked to be identified only as Robert said that he received a message from a hacker demanding a payment of 0.02 Bitcoin (around $750 today) to unlock the device. He realized his cage was definitely "locked," and he "could not gain access to it."
Security

After the Riot, the US Capitol's IT Staff Faces 'a Security Mess' (wired.com)

After Wednesday's invasion by protesters, America's Capitol building is now grappling with "the process of securing the offices and digital systems after hundreds of people had unprecedented access to them," writes Wired.

Long-time Slashdot reader SonicSpike shares their report: Rioters could have bugged congressional offices, exfiltrated data from unlocked computers, or installed malware on exposed devices. In the rush to evacuate the Capitol, some computers were left unlocked and remained accessible by the time rioters arrived. And at least some equipment was stolen; Senator Jeff Merkley of Oregon said in a video late Wednesday that intruders took one of his office's laptops off a conference table...

Former Senate sergeant at arms Frank Larkin, who retired as Senate sergeant at arms in 2018, adds that cybersecurity is the next priority after physical security. In spite of this, the mob Wednesday had ample opportunities to steal information or gain device access if they wanted to. And while the Senate and House each build off of their own shared IT framework, ultimately each of the 435 representatives and 100 senators runs their own office with their own systems. This is a boon to security in the sense that it creates segmentation and decentralization; getting access to Nancy Pelosi's emails doesn't help you access the communications of other representatives. But this also means that there aren't necessarily standardized authentication and monitoring schemes in place. Larkin emphasizes that there is a baseline of monitoring that IT staffers will be able to use to audit and assess whether there was suspicious activity on congressional devices. But he concedes that representatives and senators have varying levels of cybersecurity competence and hygiene.

It's also true that potentially exposed data at the Capitol on Wednesday would not have been classified, given that the mob had access only to unclassified networks. But congressional staffers are not subject to Freedom of Information Act obligations and are often much more candid in their communications than other government officials. Security and intelligence experts also emphasize that troves of unclassified information can still reveal sensitive or even classified information when combined... Kelvin Coleman, executive director of the National Cyber Security Alliance, who formerly worked in the Department of Homeland Security and National Security Council... adds, though, that for now the most important thing congressional IT staffers can do is account for which devices were stolen and begin a mass effort to reset passwords, add multifactor authentication to any accounts that don't already have it, wipe and reimage hard drives when practical, and comb monitoring logs for signs of access or exfiltration.

Botnet

A Crypto-Mining Botnet Is Now Stealing Docker and AWS Credentials (zdnet.com)

An anonymous reader quotes a report from ZDNet: Analysts from security firm Trend Micro said in a report today that they've spotted a malware botnet that collects and steals Docker and AWS credentials. Researchers have linked the botnet to a cybercrime operation known as TeamTNT; a group first spotted over the 2020 summer installing cryptocurrency-mining malware on misconfigured container platforms. Initial reports at the time said that TeamTNT was breaching container platforms by looking for Docker systems that were exposing their management API port online without a password.

Researchers said the TeamTNT group would access exposed Docker containers, install a crypto-mining malware, but also steal credentials for Amazon Web Services (AWS) servers in order to pivot to a company's other IT systems to infect even more servers and deploy more crypto-miners. At the time, researchers said that TeamTNT was the first crypto-mining botnet that implemented a feature dedicated to collecting and stealing AWS credentials. But in a report today, Trend Micro researchers said that the TeamTNT gang's malware code had received considerable updates since it was first spotted last summer. TeamTNT has now also added a feature to collect Docker API credentials, on top of the AWS creds-stealing code. This feature is most likely used on container platforms where the botnet infects hosts using other entry points than its original Docker API port scanning feature.
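The entry point described above is a Docker management API listening on TCP with no authentication. As an added example (my own code, not Trend Micro's or anything from the reports), this audits a daemon.json for that condition; the configuration samples are constructed, and the key names (hosts, tls, tlsverify, tlscacert, tlscert, tlskey) are Docker's documented daemon options.

```python
import json
from urllib.parse import urlsplit

# Constructed daemon.json samples: the first exposes the API the way the article
# describes, the second requires client certificates on the TCP listener.
EXPOSED = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

HARDENED = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

# Bind addresses that mean "every interface", i.e. reachable from the network.
ANY_ADDRESS = {"0.0.0.0", "::", ""}


def audit_docker_daemon(config_json: str) -> list:
    """Return (severity, message) findings for every TCP listener in a daemon.json."""
    cfg = json.loads(config_json)
    tls_enabled = bool(cfg.get("tls")) or bool(cfg.get("tlsverify"))
    client_auth = bool(cfg.get("tlsverify"))  # tlsverify also demands a client certificate
    findings = []
    for host in cfg.get("hosts", []):
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// sockets are local-only
        bind = parts.hostname or ""
        where = f"{host} (port {parts.port})"
        if not tls_enabled:
            findings.append(("critical", f"unauthenticated, unencrypted Docker API on {where}"))
        elif not client_auth:
            findings.append(("high", f"TLS without client certificate verification on {where}"))
        if bind in ANY_ADDRESS:
            findings.append(("info", f"listener bound to all interfaces: {host}"))
    return findings


def is_exposed(config_json: str) -> bool:
    """True when any TCP listener accepts API calls with no authentication at all."""
    return any(sev == "critical" for sev, _ in audit_docker_daemon(config_json))


if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(label)
        for sev, msg in audit_docker_daemon(cfg):
            print(f"  [{sev}] {msg}")
```

The same check belongs in the startup unit too: a `-H tcp://...` flag on dockerd overrides the file, so both sources should be reviewed.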

The Courts

Sealed US Court Records Exposed In SolarWinds Breach (krebsonsecurity.com)

An anonymous reader quotes a report from Krebs On Security: The ongoing breach affecting thousands of organizations that relied on backdoored products by network software firm SolarWinds may have jeopardized the privacy of countless sealed court documents on file with the U.S. federal court system, according to a memo released Wednesday by the Administrative Office (AO) of the U.S. Courts. The judicial branch agency said it will be deploying more stringent controls for receiving and storing sensitive documents filed with the federal courts, following a discovery that its own systems were compromised as part of the SolarWinds supply chain attack. That intrusion involved malicious code being surreptitiously inserted into updates shipped by SolarWinds for some 18,000 users of its Orion network management software as far back as March 2020.

"The AO is working with the Department of Homeland Security on a security audit relating to vulnerabilities in the Judiciary's Case Management/Electronic Case Files system (CM/ECF) that greatly risk compromising highly sensitive non-public documents stored on CM/ECF, particularly sealed filings," the agency said in a statement published Jan. 6. "An apparent compromise of the confidentiality of the CM/ECF system due to these discovered vulnerabilities currently is under investigation," the statement continues. "Due to the nature of the attacks, the review of this matter and its impact is ongoing."

The AO declined to comment on specific questions about their breach disclosure. But a source close to the investigation told KrebsOnSecurity that the federal court document system was "hit hard," by the SolarWinds attackers, which multiple U.S. intelligence and law enforcement agencies have attributed as "likely Russian in origin." The source said the intruders behind the SolarWinds compromise seeded the AO's network with a second stage "Teardrop" malware that went beyond the "Sunburst" malicious software update that was opportunistically pushed out to all 18,000 customers using the compromised Orion software. This suggests the attackers were targeting the agency for deeper access to its networks and communications.
The report notes that AO's court document system "may contain highly sensitive information, including intellectual property and trade secrets, or even the identities of confidential informants."

While it doesn't hold documents that are classified for national security reasons, "the system is full of sensitive sealed filings -- such as subpoenas for email records and so-called 'trap and trace' requests that law enforcement officials use to determine with whom a suspect is communicating via phone, when and for how long."
Security

Hackers Target Cryptocurrency Users With New ElectroRAT Malware (zdnet.com)

An anonymous reader quotes a report from ZDNet: Security firm Intezer Labs said it discovered a covert year-long malware operation where cybercriminals created fake cryptocurrency apps in order to trick users into installing a new strain of malware on their systems, with the obvious end goal of stealing victims' funds. The campaign was discovered last month in December 2020, but researchers said they believe the group began spreading their malware as early as January 8, 2020. Intezer Labs said the hackers relied on three cryptocurrency-related apps for their scheme. The fake apps were named Jamm, eTrade/Kintum, and DaoPoker, and were hosted on dedicated websites at jamm[.]to, kintum[.]io, and daopker[.]com, respectively.

The first two apps claimed to provide a simple platform to trade cryptocurrency, while the third was a cryptocurrency poker app. All three apps came in versions for Windows, Mac, and Linux, and were built on top of Electron, an app-building framework. But Intezer researchers say the apps also came with a little surprise in the form of a new malware strain that was hidden inside, which the company's researchers named ElectroRAT. Intezer researchers believe the malware was being used to collect cryptocurrency wallet keys and then drain victims' accounts. To spread the trojanized applications, Intezer says the hackers posted ads for the three apps and their websites on niche cryptocurrency forums, or they used social media accounts. Because of a quirk in the malware's design, which retrieved the address of its command and control server from a Pastebin URL, Intezer believes this operation infected around 6,500 users -- the total number of times the Pastebin URLs were accessed.

Security

Malware Uses WiFi BSSID for Victim Identification (zdnet.com)

An anonymous reader shares a report: Malware operators who want to know the location of the victims they infect usually rely on a simple technique where they grab the victim's IP address and check it against an IP-to-geo database like MaxMind's GeoIP to get a victim's approximate geographical location. While the technique isn't very accurate, it is still the most reliable method of determining a user's actual physical location based on data found on their computer. However, in a blog post last month, Xavier Mertens, a security researcher with the SANS Internet Storm Center, said he discovered a new malware strain that is using a second technique on top of the first. This second technique relies on grabbing the infected user's BSSID. Known as a "Basic Service Set Identifier," the BSSID is basically the MAC physical address of the wireless router or access point the user is using to connect via WiFi. You can see the BSSID on Windows systems by running the command:

netsh wlan show interfaces | find "BSSID"

Mertens said the malware he discovered was collecting the BSSID and then checking it against a free BSSID-to-geo database maintained by Alexander Mylnikov.
Government

Microsoft, SolarWinds Face New Criticism Over Russian Breach of US Networks (msn.com)

After Russia's massive breach of both government and private networks in the U.S., American intelligence officials "have expressed anger that Microsoft did not detect the attack earlier."

But new criticisms are also falling on SolarWinds: Some of the compromised SolarWinds software was engineered in Eastern Europe, and American investigators are now examining whether the incursion originated there, where Russian intelligence operatives are deeply rooted.... SolarWinds moved much of its engineering to satellite offices in the Czech Republic, Poland and Belarus, where engineers had broad access to the Orion network management software that Russia's agents compromised. The company has said only that the manipulation of its software was the work of human hackers rather than of a computer program. It has not publicly addressed the possibility of an insider being involved in the breach.

None of the SolarWinds customers contacted by The New York Times in recent weeks were aware they were reliant on software that was maintained in Eastern Europe. Many said they did not even know they were using SolarWinds software until recently.

Even with its software installed throughout federal networks, employees said SolarWinds tacked on security only in 2017, under threat of penalty from a new European privacy law. Only then, employees say, did SolarWinds hire its first chief information officer and install a vice president of "security architecture." Ian Thornton-Trump, a former cybersecurity adviser at SolarWinds, said he warned management that year that unless it took a more proactive approach to its internal security, a cybersecurity episode would be "catastrophic." After his basic recommendations were ignored, Mr. Thornton-Trump left the company.

SolarWinds declined to address questions about the adequacy of its security. In a statement, it said it was a "victim of a highly-sophisticated, complex and targeted cyberattack" and was collaborating closely with law enforcement, intelligence agencies and security experts to investigate. But security experts note that it took days after the Russian attack was discovered before SolarWinds' websites stopped offering clients compromised code.

And privately U.S. officials are now also considering the security of the U.S. power grid: Publicly, officials have said they do not believe the hackers from Russia's S.V.R. pierced classified systems containing sensitive communications and plans. But privately, officials say they still do not have a clear picture of what might have been stolen. They said they worried about delicate but unclassified data the hackers might have taken from victims like the Federal Energy Regulatory Commission, including Black Start, the detailed technical blueprints for how the United States plans to restore power in the event of a cataclysmic blackout. The plans would give Russia a hit list of systems to target to keep power from being restored in an attack like the one it pulled off in Ukraine in 2015, shutting off power for six hours in the dead of winter. Moscow long ago implanted malware in the American electric grid, and the United States has done the same to Russia as a deterrent....
Security

CISA Updates SolarWinds Guidance, Tells US Govt Agencies To Update Right Away (zdnet.com)

The US Cybersecurity and Infrastructure Security Agency has updated its official guidance for dealing with the fallout from the SolarWinds supply chain attack. From a report: In an update posted late last night, CISA said that all US government agencies that still run SolarWinds Orion platforms must update to the latest 2020.2.1HF2 version by the end of the year. Agencies that can't update by that deadline are to take all Orion systems offline, per CISA's original guidance, first issued on December 18. The guidance update comes after security researchers uncovered a new major vulnerability in the SolarWinds Orion app over the Christmas holiday. Tracked as CVE-2020-10148, this vulnerability is an authentication bypass in the Orion API that allows attackers to execute remote code on Orion installations. This vulnerability was being exploited in the wild to install the Supernova malware on servers where the Orion platform was installed, in attacks separate from the SolarWinds supply chain incident.
Security

Vietnam Targeted in Complex Supply Chain Attack (zdnet.com)

A group of mysterious hackers has carried out a clever supply chain attack against Vietnamese private companies and government agencies by inserting malware inside an official government software toolkit. From a report: The attack, discovered by security firm ESET and detailed in a report named "Operation SignSight," targeted the Vietnam Government Certification Authority (VGCA), the government organization that issues digital certificates that can be used to electronically sign official documents. Any Vietnamese citizen, private company, and even other government agency that wants to submit files to the Vietnamese government must sign their documents with a VGCA-compatible digital certificate. The VGCA doesn't only issue these digital certificates but also provides ready-made and user-friendly "client apps" that citizens, private companies, and government workers can install on their computers and automate the process of signing a document.
Security

Russians Are Believed To Have Used Microsoft Resellers in Cyberattacks (nytimes.com)

As the United States comes to grips with a far-reaching Russian cyberattack on federal agencies, private corporations and the nation's infrastructure, new evidence has emerged that the hackers hunted their victims through multiple channels. From a report: The most significant intrusions discovered so far piggybacked on software from SolarWinds, the Austin-based company whose updates the Russians compromised. But new evidence from the security firm CrowdStrike suggests that companies that sell software on Microsoft's behalf were also used to break into customers of Microsoft's Office 365 software. Because resellers are often entrusted to set up and maintain clients' software, they -- like SolarWinds -- have been an ideal front for Russian hackers and a nightmare for Microsoft's cloud customers, who are still assessing just how deep into their systems Russia's hackers have crawled. "They couldn't get into Microsoft 365 directly, so they targeted the weakest point in the supply chain: the resellers," said Glenn Chisholm, a founder of Obsidian, a cybersecurity firm.

CrowdStrike confirmed Wednesday that it was also a target of the attack. In CrowdStrike's case, the Russians did not use SolarWinds but a Microsoft reseller, and the attack was unsuccessful. A CrowdStrike spokeswoman, Ilina Dimitrova, declined to elaborate beyond a company blog post describing the attempted attack. The approach is not unlike the 2013 attack on Target in which hackers got in through the retailer's heating and cooling vendor. The latest Russian attacks, which are thought to have begun last spring, have exposed a substantial blind spot in the software supply chain. Companies can track phishing attacks and malware all they want, but as long as they are blindly trusting vendors and cloud services like Microsoft, Salesforce, Google's G-Suite, Zoom, Slack, SolarWinds and others -- and giving them broad access to employee email and corporate networks -- they will never be secure, cybersecurity experts say. "These cloud services create a web of interconnections and opportunity for the attacker," Mr. Chisholm said. "What we are witnessing now is a new wave of modern attacks against these modern cloud platforms, and we need 2021 defenses." Some reports have confused the latest development with a breach of Microsoft itself. But the company said it stood by its statement last week that it was not hacked, nor was it used to attack customers.

Security

Microsoft: a Second, Different Threat Actor Had Also Infected SolarWinds With Malware (reuters.com)

Reuters reports: A second hacking group, different from the suspected Russian team now associated with the major SolarWinds data breach, also targeted the company's products earlier this year, according to a security research blog by Microsoft.

"The investigation of the whole SolarWinds compromise led to the discovery of an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor," the blog said... It is unclear whether SUPERNOVA has been deployed against any targets, such as customers of SolarWinds. The malware appears to have been created in late March, based on a review of the file's compile times.

Microsoft's detailed blog post notes that the code "provides an attacker the ability to send and execute any arbitrary C# program on the victim's device."
Security

3 Million Users Have Installed 28 Malicious Chrome or Edge Extensions, Says Avast (zdnet.com)

More than three million internet users are believed to have installed 15 Chrome and 13 Edge extensions that contain malicious code, reports ZDNet, citing an announcement from cybersecurity company Avast: Avast researchers said they believe the primary objective of this campaign was to hijack user traffic for monetary gains. "For every redirection to a third party domain, the cybercriminals would receive a payment," the company said.

Avast said it discovered the extensions last month and found evidence that some had been active since at least December 2018, when some users first started reporting issues with being redirected to other sites. Jan Rubín, Malware Researcher at Avast, said they couldn't identify if the extensions had been created with malicious code from the beginning or if the code was added via an update when each extension passed a level of popularity. And many extensions did become very popular, with tens of thousands of installs. Most did so by posing as add-ons meant to help users download multimedia content from various social networks, such as Facebook, Instagram, Vimeo, or Spotify.

Avast said it reported its findings to both Google and Microsoft and that both companies are still investigating the extensions.

ZDNet's article includes Avast's lists of the 28 extensions which they're recommending be uninstalled by users.

ZDNet also notes that "A day after Avast published its findings, only three of the 15 Chrome extensions were removed, while all the Edge add-ons were still available for download. A source familiar with the investigation told ZDNet that Microsoft has not been able to confirm the Avast report."
Ruby

RubyGems Catches Two Packages Trying to Steal Cryptocurrency with Clipboard Hijacking (bleepingcomputer.com)

One day after they were uploaded, RubyGems discovered and removed two malicious packages that had been designed to steal cryptocurrency from unsuspecting users by installing a clipboard hijacker, reports Bleeping Computer, citing research by open-source security firm Sonatype.

Fortunately, while the packages were downloaded a total of 142 times, "At this time, none of the cryptocurrency addresses have received any funds." These packages were masquerading as a bitcoin library and a library for displaying strings with different color effects. A clipboard hijacker monitors the Windows clipboard for cryptocurrency addresses, and if one is detected, replaces it with an address under the attacker's control. Unless a user double-checks the address after they paste it, the sent coins will go to the attacker's cryptocurrency address instead of the intended recipient...

The base64 encoded string is a VBS file that is executed to create another malicious VBS file and configure it to start automatically when a user logs into Windows. This VBS script is the clipboard hijacker and is stored at C:\ProgramData\Microsoft Essentials\Software Essentials.vbs to impersonate the old Microsoft Security Essentials security software. The clipboard hijacking script monitors the Windows clipboard every second and checks if it contains a Bitcoin address, an Ethereum address, or a raw Monero address.
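The defence the article points to is double-checking the pasted address. As an added example (my own code, not the malicious gems' script or Sonatype's analysis), this classifies clipboard text as a Bitcoin, Ethereum or standard Monero address and flags the copy/paste mismatch a hijacker produces. The regular expressions are simplified format checks rather than checksum validation, and all sample addresses are constructed or widely published examples.

```python
import re

# Simplified format patterns (assumption: no checksum/base58 decoding is done).
ADDRESS_PATTERNS = {
    # Legacy P2PKH/P2SH (1.../3...) or bech32 (bc1...) Bitcoin addresses.
    "bitcoin": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})$"),
    # Ethereum: 0x followed by 40 hex digits.
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    # Standard 95-character Monero mainnet address (what the article calls a raw address).
    "monero": re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
}


def classify(text: str):
    """Return the address family of a clipboard string, or None if it is not an address."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


def check_paste(copied: str, pasted: str) -> dict:
    """Compare the address a user copied with what the clipboard actually returned on paste.

    A clipboard hijacker swaps an address for a different one of the same family,
    so same family + different value is the signature worth alerting on.
    """
    copied, pasted = copied.strip(), pasted.strip()
    kind_copied, kind_pasted = classify(copied), classify(pasted)
    if kind_copied is None:
        return {"swapped": False, "kind": None, "reason": "copied text is not a known address"}
    if copied == pasted:
        return {"swapped": False, "kind": kind_copied, "reason": "clipboard unchanged"}
    if kind_pasted == kind_copied:
        return {"swapped": True, "kind": kind_copied,
                "reason": f"{kind_copied} address replaced by a different {kind_copied} address"}
    return {"swapped": True, "kind": kind_copied, "reason": "address replaced by unrelated text"}


# Constructed / widely published example values for the demo.
WALLET_BTC = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"      # commonly cited example address
SWAPPED_BTC = "1Attacker1111111111111111111111111"     # constructed stand-in for an attacker address
WALLET_ETH = "0x0123456789abcdef0123456789abcdef01234567"  # constructed
WALLET_XMR = "4A" + "B" * 93                           # constructed, format-only

if __name__ == "__main__":
    for copied, pasted in ((WALLET_BTC, WALLET_BTC), (WALLET_BTC, SWAPPED_BTC), (WALLET_ETH, WALLET_ETH)):
        print(check_paste(copied, pasted))
```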

Security

Hackers Tied To Russia Hit US Nuclear Agency, Three States (bloomberg.com)

The U.S. nuclear weapons agency and at least three states were hacked as part of a suspected Russian cyber attack that struck a number of federal government agencies. Microsoft Corp. was also breached, and its products were used to further attacks on others, Reuters reported. Bloomberg reports: The Energy Department and its National Nuclear Security Administration, which maintains America's nuclear stockpile, were targeted as part of the larger attack, according to a person familiar with the matter. An ongoing investigation has found the hack didn't affect "mission-essential national security functions," Shaylyn Hynes, a Department of Energy spokeswoman, said in a statement. "At this point, the investigation has found that the malware has been isolated to business networks only," Hynes said. The hack of the nuclear agency was reported earlier by Politico.

In addition, two people familiar with the broader government investigation into the attack said three states were breached, though they wouldn't identify the states. A third person familiar with the probe confirmed that states were hacked but didn't provide a number. In an advisory Thursday that signaled the widening alarm over the breach, the Cybersecurity and Infrastructure Security Agency said the hackers posed a "grave risk" to federal, state and local governments, as well as critical infrastructure and the private sector. The agency said the attackers demonstrated "sophistication and complex tradecraft."