Northwest Arkansas Democrat-Gazette
Hackers targeted federal agencies
Vulnerability in software detected
WASHINGTON — Hackers broke into the networks of federal agencies including the Treasury and Commerce departments in attacks revealed just days after U.S. officials warned that cyber actors linked to the Russian government were exploiting vulnerabilities to target sensitive data.
The FBI and the Department of Homeland Security’s cybersecurity arm are investigating what experts and former officials said appeared to be a large-scale penetration of U.S. government agencies.
“This can turn into one of the most impactful espionage campaigns on record,” said cybersecurity expert Dmitri Alperovitch.
The attacks were revealed just days after a cybersecurity firm disclosed that foreign government hackers had broken into its network and stolen the company’s own hacking tools. Many experts suspect Russia is responsible for the attack against FireEye, a major cybersecurity player whose customers include federal, state and local governments and top global corporations.
The apparent conduit for the Treasury and Commerce Department hacks — and the FireEye compromise — is a hugely popular
piece of server software called SolarWinds. It is used by hundreds of thousands of organizations globally, including most Fortune 500 companies and multiple U.S. government agencies that will now be scrambling to patch up their networks, said Alperovitch, the former chief technical officer of the cybersecurity firm CrowdStrike.
The attacks were disclosed less than a week after a National Security Agency advisory warned that Russian government hackers were exploiting vulnerabilities in a system used by the federal government, “allowing the actors access to protected data.”
The U.S. government did not publicly identify Russia as the culprit behind the hacks, first reported by Reuters, and said little about who might be responsible.
National Security Council spokesman John Ullyot said in a statement that the government was “taking all necessary steps to identify and remedy any possible issues related to this situation.”
The government’s Cybersecurity and Infrastructure Security Agency said separately that it has been working with other agencies “regarding recently discovered activity on government networks. CISA is providing technical assistance to affected entities as they work to identify and mitigate any potential compromises.”
President Donald Trump last month fired the director of the Cybersecurity and Infrastructure Security Agency, Chris Krebs, after Krebs vouched for the integrity of the presidential election and disputed Trump’s claims of widespread electoral fraud.
In a tweet Sunday, Krebs said that “hacks of this type take exceptional tradecraft and time,” and he raised the possibility that it had been underway for months.
“This thing is still early, I suspect,” Krebs wrote.
Reuters earlier reported that a group backed by a foreign government stole information from Treasury and a Commerce Department agency responsible for deciding internet and telecommunications policy.
The Treasury Department deferred comment to the National Security Council. A Commerce Department spokesperson confirmed a “breach in one of our bureaus” and said that “we have asked CISA and the FBI to investigate.” The FBI had no immediate comment.
The Washington Post reported Sunday, citing three unnamed sources, that the two federal agencies and FireEye were all breached through the SolarWinds network management system.
Austin, Texas-based SolarWinds confirmed Sunday in an email to The Associated Press that it has a “potential vulnerability” related to updates released earlier this year to its Orion products, which help organizations monitor their online networks for problems or outages.
“We believe that this vulnerability is the result of a highly-sophisticated, targeted and manual supply chain attack by a nation state,” SolarWinds CEO Kevin Thompson said in a statement.
The vulnerability is critical because SolarWinds would give a hacker “Godmode” access to the network, making everything visible, said Alperovitch.
NETWORK BREACH
On Tuesday, FireEye said that foreign government hackers with “world- class capabilities” broke into its network and stole offensive tools it uses to probe the defenses of its thousands of customers. Those customers include federal, state and local governments and top global corporations.
The hackers “primarily sought information related to certain government customers,” FireEye CEO Kevin Mandia said in a statement, without naming them. He said there was no indication the hackers got customer information from the company’s consulting or breach-response businesses or threat-intelligence data it collects.
According to private-sector investigators, the attacks on FireEye led to a broader hunt to discover where else hackers might have been able to infiltrate federal and private networks. FireEye provided some key pieces of computer code to the NSA and to Microsoft, which went hunting for similar attacks on federal systems, officials said. That led to the emergency warning last week.
Former NSA hacker Jake Williams said it seemed clear that both the Treasury Department and FireEye were hacked using the same vulnerability.
“The timing of the release here is, I think, not at all a coincidence,” said Williams, the president of the cybersecurity firm Rendition Infosec.
He said FireEye likely told the FBI and other federal partners how it had been hacked, and they determined that Treasury had been similarly compromised.
“I suspect that there’s a number of other [ federal] agencies we’re going to hear from this week that have also been hit,” Williams added.
FireEye responded to the Sony and Equifax data breaches and helped Saudi Arabia thwart an oil industry cyberattack — and it has played a key role in identifying Russia as the protagonist in numerous aggressions in the burgeoning netherworld of global digital conflict.
Neither Mandia nor a FireEye spokesperson said when the company detected the hack or who might be responsible. But many in the cybersecurity community suspect Russia.
ESPIONAGE CAMPAIGN
The report by The Washington Post, citing unnamed sources, linked the breaches in the Treasury and Commerce departments to a group of Russian hackers, known by the nicknames APT29 or Cozy Bear. The hacker group, part of Russia’s Foreign Intelligence Service, hacked the State Department and the White House email servers during the Obama administration.
In 2014 and 2015, the same group carried out a wide-ranging espionage campaign that targeted thousands of organizations, including government agencies, foreign embassies, energy companies, telecommunications firms and universities.
As part of that operation, it hacked the unclassified email systems of the White House, the Pentagon’s Joint Chiefs of Staff and the State Department.
“That was the first time we saw the Russians become much more aggressive, and instead of simply fading away like ghosts when they were detected, they actually contested access to the networks,” said Michael Daniel, who was White House cybersecurity coordinator at the time.
One of its victims in 2015 was the Democratic National Committee.
Russia’s Foreign Intelligence Service generally steals information for traditional espionage purposes, seeking secrets that might help the Kremlin understand the plans and motives of politicians and policymakers. Its operators also have filched industrial data and hacked foreign ministries.
Because the Obama administration saw the APT29 operation as traditional espionage, it did not consider taking punitive measures, said Daniel, who is now president and chief executive of the Cyber Threat Alliance, an information-sharing group for cybersecurity companies.
“It was information collection, which is what nation states — including the United States — do,” he said. “From our perspective, it was more important to focus on shoring up defenses.”
But Chris Painter, State Department cyber coordinator in the Obama administration, said that even if the Russian campaign is strictly about espionage, there should be consequences if the scope is broad. “We just don’t have to sit still for it and say, ‘Good job,’” he said.