US government agencies were hit by a widespread campaign of cyberattacks by hackers who were suspected of exploiting a flaw in the update of a US software company, according to three people familiar with the investigation.
“The US government is aware of these reports and we are taking all necessary steps to identify and remedy any possible issues related to this situation,” John Ullyot, a spokesman for the National Security Council, said in a statement.
The attacks may eventually rank as among the worst in recent memory, in part because the hackers appear to have penetrated the systems of a Texas company that sells technology products to a who’s who of sensitive targets, according to the people. Those include the US state department, the Centres for Disease Control and Prevention, the Naval Information Warfare Systems Command, the FBI, all five branches of the US military, and 425 corporations out of the Fortune 500, according to the company’s website and government data.
The attacks included snooping on e-mails at the US treasury department and an arm of the commerce department, Reuters reported. An infamous hacking group backed by the Russian government is suspected of being behind the breach, the Washington Post reported.
All this suggests that as the US government was focused over the last several months on detecting and countering possible Russian interference in the US presidential election — an effort that was largely viewed as successful — suspected Russian hackers were quietly working their way into the computer networks of American government agencies and sensitive corporate victims undetected.
The company — Austin, Texas-based SolarWinds — issued a statement appearing to confirm that the software update system for one of its products had been used to send malware to customers.
“We are aware of a potential vulnerability which if present is currently believed to be related to updates which were released between March and June 2020 to our Orion monitoring products. We believe that this vulnerability is the result of a highly sophisticated, targeted and manual supply chain attack by a nation state,” SolarWinds president and CEO Kevin Thompson said in a statement on Sunday evening.Thompson said his company was working with the FBI as well as others on the investigation.
Two people briefed on the probe said that because just about any SolarWinds customer which used the product got the manipulated software, the number of victims could eventually reach into the thousands. The hackers appear to have concentrated on the most attractive and sensitive targets first, so that the harm suffered by various victims may vary widely, those people said.
FireEye told clients on Sunday that it was aware of at least 25 entities hit by the attack, according to people briefed by the company.The quickly broadening investigation broke into public view on 8 December when FireEye announced that it had been breached in a highly sophisticated attack that it attributed to hackers backed by US adversaries.
As investigators followed the attackers’ digital tracks, it now appears that FireEye may have simply been the first victim to detect the attack. US government investigators are now racing to determine which agencies may have also been breached and to what extent the hackers accessed sensitive information – a process that could take days or weeks.
FireEye said last week the attackers took extreme care not to be detected, and in its case had managed to steal tools the security firm uses to test the security of its clients networks. FireEye also said the hackers sought information related to government customers but didn’t appear to steal customer data.
A commerce department spokesman confirmed there was a breach “in one of our bureaus”, which Reuters identified as the National Telecommunications and Information Administration. The attacks were so concerning that the National Security Council met at the White House on Saturday. The treasury department didn’t respond to requests for comment.
The Washington Post reported that the Russian hacking group known as Cozy Bear, or APT 29, was behind the campaign. That is the same hacking group that was behind the cyberattacks on the Democratic National Committee going back to 2015. It was also accused by US and UK authorities in July of infiltrating organisations involved in developing a Covid-19 vaccine.
The last time the US government was caught so thoroughly by surprise may have been five years ago, when Chinese hackers stole information related to anyone who had applied for or received a national security clearance from the computers of the Office of Personnel Management.
That investigation lasted for months, cost some US officials their jobs, and resulted in a massive and expensive push to increase the security of unclassified US government computer networks.This attack – and the next several weeks – will tell to what extent those measures were successful. — Reported by Alyza Sebenius, Kartikay Mehrotra and Michael Riley, (c) 2020 Bloomberg LP