Hackers have been roaming inside the federal government for months in a massive breach that was revealed Sunday.
Networks belonging to the Treasury and Commerce departments were targeted.
Although federal officials did not name a suspect, federal and private experts told The New York Times that a Russian intelligence agency is “almost certainly” behind the hack.
The breach of the federal government came only days after the major cybersecurity company FireEye revealed it had been breached in an attack that was also suspected to have been conducted by Russia, according to The Associated Press.
Experts said the two intrusions were part of the same cyberattack and were carried out through the widely used SolarWinds Orion network management software.
“This can turn into one of the most impactful espionage campaigns on record,” cybersecurity expert Dmitri Alperovitch told the AP.
“The United States government is aware of these reports, and we are taking all necessary steps to identify and remedy any possible issues related to this situation,” John Ullyot, a spokesman for the National Security Council, said in a statement.
JUST IN: A Commerce Department spokesman tells @NBCNews: “We can confirm there has been a breach in one of our bureaus. We have asked CISA and the FBI to investigate, and we cannot comment further at this time.”
— Josh Lederman (@JoshNBCNews) December 13, 2020
The Commerce Department admitted it had been hacked. The Times reported the agency affected was the National Telecommunications and Information Administration, which sets policy for internet issues.
The Department of Homeland Security on Sunday ordered all agencies to stop using SolarWinds software, The Times reported. The report said the software had become compromised in the spring and spread as users installed software updates.
“We have identified a global campaign that introduces a compromise into the networks of public and private organizations through the software supply chain,” FireEye said in a Sunday blog post. “This compromise is delivered through updates to a widely-used IT infrastructure management software — the Orion network monitoring product from SolarWinds. The campaign demonstrates top-tier operational tradecraft and resourcing consistent with a state-sponsored threat actor.”
John Hultquist, director of threat analysis at FireEye, said in a statement, “We anticipate this will be a very large event when all the information comes to light. The actor is operating stealthily, but we are certainly still finding targets that they manage to operate in.”
The malware gave hackers access to victims’ networks. Alperovitch said SolarWinds gives “God-mode” access to a network, making everything on it visible.
SolarWinds said there was a “potential vulnerability” connected to updates that were rolled out between March and June.
“We believe that this vulnerability is the result of a highly-sophisticated, targeted and manual supply chain attack by a nation state,” SolarWinds CEO Kevin Thompson said in a statement, according to the AP.
Also, hacks of this type take exceptional tradecraft and time. On the 1st, if this is a supply chain attack using trusted relationships, really hard to stop. On the 2nd, I suspect this has been underway for many months. Need good detections to find victims and determine scope.
— Chris Krebs (@C_C_Krebs) December 13, 2020
The Washington Post also reported Russian government hackers were responsible for the breach.
“The Russian hackers, known by the nicknames APT29 or Cozy Bear, are part of that nation’s foreign intelligence service, the SVR, and they breached email systems in some cases, said the people familiar with the intrusions, who spoke on the condition of anonymity because of the sensitivity of the matter,” it said.
“The same Russian group hacked the State Department and the White House email servers during the Obama administration.”
The Post report said that in addition to FireEye and the federal agencies, the cyberattacks have struck government, consulting, technology, telecom, and oil and gas companies in North America, Europe, Asia and the Middle East.
Some experts said that news of more breaches is likely to follow.
“This is a big deal, and given what we now know about where breaches happened, I’m expecting the scope to grow as more logs are reviewed,” John Scott-Railton, a senior researcher at the University of Toronto’s Munk School of Global Affairs and Public Policy, told The Post.
“When an aggressive group like this gets an open sesame to many desirable systems, they are going to use it widely,” he said.
Russia’s U.S. embassy ridiculed what it called “attempts of the U.S. media to blame Russia for hacker attacks on U.S. governmental bodies.”
This article appeared originally on The Western Journal.