HACKERS BREAK INTO FEDERAL TARGETS
Experts suspect Russia may be culprit behind ‘ impactful’ attacks on Treasury, Commerce and other networks.
WASHINGTON — Hackers broke into the networks of federal agencies including the Treasury and Commerce departments in attacks revealed just days after U. S. officials warned that cyber actors linked to the Russian government were exploiting vulnerabilities to target sensitive data.
The hacks on the networks of the Treasury and Commerce departments are part of a months- long global cyberespionage campaign revealed Sunday, just days after the prominent cybersecurity f irm FireEye said it had been breached in an attack that industry experts said bore the hallmarks of Russian tradecraft.
The FBI and the Department of Homeland Security’s cybersecurity arm are investigating what experts and former officials said appeared to be a large- scale penetration of U. S. government agencies — apparently the same cyberespionage campaign that also aff licted FireEye, foreign governments and major corporations.
“This can turn into one of
the most impactful espionage campaigns on record,” cybersecurity expert Dmitri Alperovitch said.
News of the hacks, f irst reported by Reuters, came less than a week after FireEye disclosed that foreign government hackers had broken into its network and stolen the company’s own hacking tools. Many experts suspect Russia is responsible. FireEye’s customers include federal, state and local governments and top global corporations.
The apparent conduit for the Treasury and Commerce hacks — and the FireEye compromise — is a hugely popular piece of server software called SolarWinds. It is used by hundreds of thousands of organizations globally, including most Fortune 500 companies and multiple U. S. government agencies that will now be scrambling to patch up their networks, said Alperovitch, the former chief technical officer of the cybersecurity f irm CrowdStrike.
FireEye, without naming any specific targets, said in a blog post that its investigation into the hack of its network had identified “a global campaign” targeting governments and the private sector that, beginning in the spring, had slipped malware into a SolarWinds software update. Neither the company nor U. S. government officials would say whether they believed Russian statebacked hackers were responsible.
The malware gave the hackers remote access to victims’ networks, and Alperovitch said SolarWinds grants “God- mode” access to a network, making everything visible.
“We anticipate this will be a very large event when all the information comes to light,” said John Hultquist, director of threat analysis at FireEye. “The actor is operating stealthily, but we are certainly still finding targets that they manage to operate in.”
FireEye said it had conf irmed infections in North America, Europe, Asia and the Middle East, including in the healthcare and oil and gas industry — and had been informing affected customers around the world in the last few days. It said that malware that rode the SolarWinds update did not seed self- propagating malware — such as the 2016 NotPetya malware blamed on Russia that caused more than $ 10 billion in damage globally — and that any actual infiltration of an infected organization required “meticulous planning and manual interaction.”
That means it’s a good bet only a subset of infected organizations were being spied on by the hackers. Nation- states have their cyberespionage priorities, which include COVID- 19 vaccine development.
Cybersecurity experts said last week that they considered Russian state hackers to be the main suspect in the FireEye hack.
In a post on its Facebook page Sunday, Russia’s U. S. embassy described as “unfounded” the “attempts of the U. S. media to blame Russia for hacker attacks on U. S. governmental bodies.”
Earlier, National Security Council spokesperson John Ullyot said in a statement that the government was “taking all necessary steps to identify and remedy any possible issues related to this situation.”
On its website, SolarWinds says it has 300,000 customers worldwide, including all f ive branches of the U. S. military, the Pentagon, the State Department, NASA, the National Security Agency, the Department of Justice and the White House.
It says the 10 leading U. S. telecommunications companies are also among customers.
The U. S. government’s Cybersecurity and Infrastructure Security Agency said it was working with other agencies to help “identify and mitigate any potential compromises.”
President Trump last month f ired the director of CISA, Chris Krebs, after Krebs vouched for the integrity of the presidential election and disputed Trump’s claims of widespread electoral fraud.
In a tweet Sunday, Krebs said “hacks of this type take exceptional tradecraft and time.”
Federal government agencies have long been targets of foreign hackers.
Hackers linked to Russia were able to break into the State Department’s email system in 2014, infecting it so thoroughly that it had to be cut off from the internet while experts worked to eliminate the infestation.
The intrusions disclosed Sunday included the Commerce Department’s agency responsible for internet and telecommunications policy.
Treasury deferred comment to the National Security Council. A Commerce spokesperson confirmed a “breach in one of our bureaus” and said, “We have asked CISA and the FBI to investigate.” The FBI said it was engaged in a response but declined to comment further.
SolarWinds, based in Austin, Texas, confirmed Sunday a “potential vulnerability” related to updates released between March and June for software products called Orion that help monitor networks for problems.
SolarWinds Chief Executive Kevin Thompson said in a statement that the company was working with the FBI, FireEye and intelligence community.
FireEye announced Tuesday that it had been hacked, saying foreign state hackers with “world- class capabilities” broke into its network and stole tools it uses to probe the defenses of its thousands of customers. The hackers “primarily sought information related to certain government customers,” CEO Kevin Mandia said in a statement, without naming them.