PHOTO CREDITS: BRENDAN/SMIALOWSKI/EPA
Russian hackers are being accused of carrying out the biggest cyber-raid against the US for more than five years, targeting federal government networks in a sophisticated attack, according to American officials and sources.
Hackers who targeted the federal government appear to be part of a Russian intelligence campaign aimed at multiple U.S. agencies and companies, including the cybersecurity company FireEye, officials said Sunday. A Commerce Department spokesman confirmed a breach, saying it occurred at an unidentified bureau. Department officials alerted the FBI and a cybersecurity agency within the Department of Homeland Security, the spokesman said, declining to comment further.
Emails sent by officials at DHS, which oversees border security and defense against hacking, were monitored by the hackers as part of the sophisticated series of breaches, three people familiar with the matter told Reuters Monday. The attacks, first revealed by Reuters Sunday, also hit the U.S. departments of Treasury and Commerce. Parts of the Defense Department were breached, the New York Times reported late Monday night, while the Washington Post reported that the State Department and National Institutes of Health were hacked. Neither of them commented to Reuters (NY Post).
The hackers appear to have gotten access by first breaking into SolarWinds, an Austin-based company that provides remote information technology services to an long list of clients around the world, including a number of U.S. government agencies and major corporations. The U.S. Cybersecurity and Infrastructure Security Agency issued a rare emergency directive Sunday night, instructing federal agencies to immediately stop using the version of SolarWinds products.
The company’s president and CEO, Kevin Thompson, said in an emailed statement: “We believe that this vulnerability is the result of a highly-sophisticated, targeted and manual supply chain attack by a nation state. We are acting in close coordination with FireEye, the Federal Bureau of Investigation, the intelligence community, and other law enforcement to investigate these matters. As such, we are limited as to what we can share at this time.” In a filing to the Securities and Exchange Commission, SolarWinds reported that it had informed 33,000 customers that they may have been affected, and estimated that “fewer than 18,000” could have potentially been compromised.
The Washington Post first reported that the Russia’s Foreign Intelligence Service, or SVR, carried out the attack by hacking SolarWinds. Among the SVR’s targets was FireEye, a major U.S. cybersecurity company with extensive government contracts, The Post reported. The company’s CEO said last week that it had been hacked “by a nation with top-tier offensive capabilities.” A private cybersecurity official briefed on the matter confirmed the SVR’s involvement to NBC News. FireEye CEO Kevin Mandia said the hackers’ primary goal appeared to be to steal information from the company’s government clients (MSN).
The Russian foreign ministry described the allegations as “another unfounded attempt” by the US media to blame Russia for cyber-attacks against US agencies, in a statement posted on Facebook. “Attacks in the information space do not correspond to the foreign policy principles of our country, its national interests and understanding of how relations between states are built,” the statement continued, adding that Russia does not conduct “offensive operations in the virtual environment.” It wasn’t clear how much information the hackers accessed, although the company said they obtained tools used by FireEye’s Red Team, the section tasked with defending against new cyberattacks.
The Post reported that the Commerce Department breach targeted Solar Winds, an information technology system used by tens of thousands of organizations. NBC News hasn’t independently confirmed the report. The FBI and the National Security Agency declined to comment Sunday. In a statement, the Homeland Security Department’s cybersecurity agency said it was investigating “recently discovered activity on government networks.” The agency said it was providing technical assistance to help blunt potential compromises.
Security agencies in the UK and elsewhere were also scrambling to assess the impact on their systems – while the revelation was deemed so grave it led to a national security council meeting at the White House over the weekend. The US has not formally named the country it believes is responsible, but multiple sources blamed Moscow. The Washington Post specifically cited a well-known Russian hacking group – known as Cozy Bear or APT 29 – linked to the country’s FSB and SVR spy agencies.
They compromised a little-known but strategically important corporate software management tool called SolarWinds, widely used by government agencies and businesses to copy and steal data, in attacks that began as long ago as March (Guardian).
POLITICS EDITOR: CARSON CHOATE