
Russian hackers breach top U.S. agencies

WASHINGTON - Russian government hackers breached the Treasury and Commerce departments, along with other U.S. government agencies, as part of a global espionage campaign that stretches back months, according to people familiar with the matter.

Officials were scrambling over the weekend to assess the extent of the intrusions and implement countermeasures, but initial signs suggested that the breach was long-running and significant, the people familiar with the matter said.

The Russian hackers, known by the nicknames APT29 or Cozy Bear, are part of that nation's Foreign Intelligence Service (SVR) and breached email systems in some cases, said the people familiar with the intrusions, who spoke on the condition of anonymity because of the sensitivity of the matter. The same Russian group hacked the State Department and the White House email servers during the Obama administration.

The FBI is investigating the campaign and had no comment Sunday.

All of the organizations were breached through the update server for a network management product made by the company SolarWinds, according to four people familiar with the matter.

The company said Sunday in a statement that monitoring products it released in March and June of this year may have been surreptitiously tampered with in a "highly sophisticated, targeted ... attack by a nation state."

The scale of the Russian espionage operation is potentially vast, said several individuals familiar with the matter. "This is looking very, very bad," said one person.

SolarWinds is used by more than 300,000 organizations across the world. They include all five branches of the U.S. military, the Pentagon, State Department, Justice Department, NASA, the Executive Office of the President and the National Security Agency, the world's top electronic spy agency, according to the firm's website.

SolarWinds is also used by the top 10 U.S. telecommunications companies.

"This is a big deal, and given what we now know about where breaches happened, I'm expecting the scope to grow as more logs are reviewed," said John Scott-Railton, a senior researcher at Citizen Lab at the University of Toronto's Munk School of Global Affairs and Public Policy. "When an aggressive group like this gets an open sesame to many desirable systems, they are going to use it widely."

Also compromised was a leading cybersecurity firm, FireEye, which last week reported that it was breached. The Washington Post reported that APT29 was the group behind that hack.

It is not clear what information was accessed from the government agencies, though FireEye disclosed that the intruders took the hacking tools the company uses to test clients' computer defenses.

Reuters first reported the hacks of the Treasury and Commerce agencies Sunday, saying they were carried out by a foreign-government-backed group. The SVR link to the broader campaign was previously unreported.

The matter was so serious that it prompted an emergency National Security Council meeting on Saturday, Reuters reported.

"The United States government is aware of these reports, and we are taking all necessary steps to identify and remedy any possible issues related to this situation," said National Security Council spokesman John Ullyot. He did not comment on the country or group responsible.

At the Commerce Department, the Russians targeted the National Telecommunications and Information Administration, an agency that handles internet and telecommunications policy, Reuters reported.

The campaign is said to be broad, encompassing an array of targets, including government agencies in the United States and other countries. APT29 has also been linked to attempts to steal coronavirus vaccine research.

In 2014 and 2015, the same group carried out a wide-ranging espionage campaign that targeted thousands of organizations, including government agencies, foreign embassies, energy companies, telecommunications firms and universities.

As part of that operation, it hacked the unclassified email systems of the White House, the Pentagon's Joint Chiefs of Staff and the State Department.

"That was the first time we saw the Russians become much more aggressive, and instead of simply fading away like ghosts when they were detected, they actually contested access to the networks," said Michael Daniel, who was White House cybersecurity coordinator at the time.

One of its victims in 2015 was the Democratic National Committee. But unlike a rival Russian spy agency, the GRU, which also hacked the DNC, it did not leak the stolen material. In 2016, the GRU military spy agency leaked hacked emails to the online anti-secrecy organization WikiLeaks in an operation that disrupted the Democrats' national convention in the midst of the presidential campaign.

So far there is no sign that the current campaign is being waged for purposes of leaking information, or for disruption of critical infrastructure, such as electricity grids.

But the scope of the breaches is likely to be significant. The SolarWinds tool monitors a client's network for performance, identifying problems such as failing equipment. To do that it runs with deep administrative access to a network's core systems, so an attacker who controls the tool inherits that access and can move freely through a victim's environment.

APT29 compromised the SolarWinds server that distributes software updates, so each time a customer's installation checked in for an update, the tampered update could carry the attackers' code into the victim's network, according to a person familiar with the matter.
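The passage above describes the core weakness: the customer's only trust anchor is the vendor's update channel, so whoever controls that channel controls what gets installed. The following is an added example, not code from the article or from SolarWinds, showing one design that removes the single point of trust. It assumes a release manifest signed by two independent keys (a hypothetical "build" key held by the vendor's build pipeline and a hypothetical "audit" key held by a separate release-verification party), and it uses Go's standard-library Ed25519. The package contents are constructed sample bytes, not real vendor artifacts.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Signer is one party whose approval a release needs. Keys are generated
// fresh each run; in practice they would be long-lived and stored separately.
type Signer struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewSigner() Signer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Signer{Pub: pub, priv: priv}
}

// Manifest is what the update server hands out next to a package: the
// version, the package digest, and one signature per approving party.
type Manifest struct {
	Version string
	SHA256  string
	Sigs    map[string][]byte // signer name -> signature over signedBytes()
}

func NewManifest(version string, pkg []byte) *Manifest {
	sum := sha256.Sum256(pkg)
	return &Manifest{Version: version, SHA256: hex.EncodeToString(sum[:]), Sigs: map[string][]byte{}}
}

// signedBytes is the exact message every signature covers. Binding the
// version stops an old, legitimately signed digest being replayed under a new name.
func (m *Manifest) signedBytes() []byte {
	return []byte(m.Version + "\n" + m.SHA256)
}

func (s Signer) Sign(name string, m *Manifest) {
	m.Sigs[name] = ed25519.Sign(s.priv, m.signedBytes())
}

// Policy lists the keys that must all have signed the manifest.
type Policy struct {
	Required map[string]ed25519.PublicKey
}

// Accept returns true only if the package matches the manifest digest and
// every required signer produced a valid signature over that digest.
func (p Policy) Accept(pkg []byte, m *Manifest) bool {
	sum := sha256.Sum256(pkg)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return false
	}
	for name, pub := range p.Required {
		sig, ok := m.Sigs[name]
		if !ok || !ed25519.Verify(pub, m.signedBytes(), sig) {
			return false
		}
	}
	return true
}

// Outcome records how a single-key policy and a two-key policy each treat a
// genuine release and a trojanized one produced by a compromised build pipeline.
type Outcome struct {
	GenuineTwoKey bool // genuine package, both signatures: accepted
	TrojanOneKey  bool // trojan signed by the compromised build key, single-key policy
	TrojanTwoKey  bool // same trojan under the two-key policy
	TrojanReplay  bool // trojan shipped with the audit signature copied from the genuine manifest
}

func Scenario() Outcome {
	build := NewSigner() // vendor build pipeline key (assumed compromised)
	audit := NewSigner() // independent release-verification key (assumed intact)

	// Constructed sample payloads, not real vendor artifacts.
	genuine := []byte("monitoring-agent 2020.2: genuine build")
	trojan := []byte("monitoring-agent 2020.2: genuine build + implant")

	good := NewManifest("2020.2", genuine)
	build.Sign("build", good)
	audit.Sign("audit", good)

	// The attacker controls the build key, so the trojan carries a valid build signature.
	bad := NewManifest("2020.2", trojan)
	build.Sign("build", bad)

	// The attacker also tries reusing the audit signature from the genuine manifest.
	replay := NewManifest("2020.2", trojan)
	build.Sign("build", replay)
	replay.Sigs["audit"] = good.Sigs["audit"]

	oneKey := Policy{Required: map[string]ed25519.PublicKey{"build": build.Pub}}
	twoKey := Policy{Required: map[string]ed25519.PublicKey{"build": build.Pub, "audit": audit.Pub}}

	return Outcome{
		GenuineTwoKey: twoKey.Accept(genuine, good),
		TrojanOneKey:  oneKey.Accept(trojan, bad),
		TrojanTwoKey:  twoKey.Accept(trojan, bad),
		TrojanReplay:  twoKey.Accept(trojan, replay),
	}
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

The single-key policy accepts the trojan because the signature is genuine: the attacker did not forge anything, the vendor's own pipeline signed the tampered build. The two-key policy rejects it, and also rejects the copied audit signature because the digest it covers differs. The caveat is that the second key only helps if its holder verifies independently (for example by rebuilding from source and comparing digests) rather than signing whatever the build pipeline emits.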

"Monday may be a bad day for lots of security teams," tweeted Dmitri Alperovitch, a cybersecurity expert and founder of the Silverado Policy Accelerator think tank.
