The United States Department of the Treasury building seen from the Washington Monument. File photo / AP
Hackers broke into the networks of federal agencies in the United States, including departments of the Treasury and Commerce.
The attacks were revealed just days after officials warned that cyber actors linked to the Russian government were exploiting vulnerabilities to attack sensitive data.
The FBI and the cybersecurity arm of the Department of Homeland Security are investigating what experts and former officials said appeared to be a large-scale penetration of US government agencies.
“This may turn out to be one of the most shocking espionage campaigns on record,” said cybersecurity expert Dmitri Alperovitch.
The hacks were revealed just days after a major cybersecurity firm revealed that foreign government hackers had broken into its network and stolen the company’s own hacking tools.
Many experts suspect that Russia is responsible for the attack on FireEye, a major cybersecurity player whose clients include federal, state and local governments and major global corporations.
The apparent conduit for the Treasury and Commerce attacks, and the FireEye compromise, is a very popular piece of server software called SolarWinds.
It’s used by hundreds of thousands of organizations around the world, including most Fortune 500 companies and several U.S. government agencies that will now struggle to repair their networks, said Alperovitch, a former technical director at the cybersecurity firm CrowdStrike.
The attacks were revealed less than a week after an advisory from the National Security Agency warned that Russian government hackers were exploiting vulnerabilities in a system used by the federal government, “allowing actors to access protected data.”
The United States government did not publicly identify Russia as the culprit in the attacks, first reported by Reuters, and said little about who might be responsible.
National Security Council spokesman John Ullyot said in a statement that the government was “taking all necessary steps to identify and remedy any possible problems related to this situation.”
The government’s Cybersecurity and Infrastructure Security Agency said separately that it has been working with other agencies “regarding recently discovered activity on government networks. CISA is providing technical assistance to affected entities as they work to identify and mitigate any potential compromises.”
Last month, President Donald Trump fired CISA director Chris Krebs after Krebs endorsed the integrity of the presidential election and questioned Trump’s allegations of widespread voter fraud.
In a tweet today, Krebs said that “hacks of this type require exceptional work and time” and raised the possibility that it had been going on for months.
“This is still early, I suspect,” Krebs wrote.
Federal government agencies have long been attractive targets for foreign hackers.
Hackers linked to Russia were able to break into the State Department’s email system in 2014, infecting it so thoroughly that it had to be disconnected from the Internet while experts worked to eliminate the infestation.
Reuters previously reported that a group backed by a foreign government stole information from the Treasury and a Department of Commerce agency responsible for deciding Internet and telecommunications policy.
The Treasury Department deferred comment to the National Security Council. A spokesperson for the Commerce Department confirmed a “breach in one of our offices” and said that “we have asked CISA and the FBI to investigate.” The FBI did not immediately comment.
The Washington Post reported, citing three unidentified sources, that the two federal agencies and FireEye were breached through the SolarWinds network management system.
SolarWinds, based in Austin, Texas, confirmed to the AP that it has a “potential vulnerability” related to updates released earlier this year for its Orion products, which help organizations monitor their networks for problems or outages.
“We believe this vulnerability is the result of a highly sophisticated, targeted and manual supply chain attack by a nation state,” SolarWinds CEO Kevin Thompson said in a statement.
The compromise is critical because SolarWinds would give a hacker “God mode” access to the network, making everything visible, Alperovitch said.
– AP