US agencies hacked in a global cyber spying campaign
Hackers broke into the networks of the Treasury and Commerce Departments as part of a months-long global cyber espionage campaign revealed Sunday, just days after the prominent cyber security firm FireEye said it had been breached in an attack that industry experts said bore the hallmarks of Russian tradecraft.
In response to what may be a large-scale penetration of US government agencies, the Department of Homeland Security’s (DHS) cyber security arm issued an emergency directive calling on all federal civilian agencies to scour their networks for compromises.
The threat apparently came from the same cyber espionage campaign that has afflicted FireEye, foreign governments, and major corporations, and the Federal Bureau of Investigation (FBI) was investigating.
“This can turn into one of the most impactful espionage campaigns on record,” said cyber security expert Dmitri Alperovitch.
News of the hacks, first reported by local news channel, came less than a week after FireEye disclosed that foreign government hackers had broken into its network and stolen the company’s own hacking tools. Many experts suspect Russia is responsible. FireEye’s customers include federal, state, and local governments and top global corporations.
The apparent conduit for the Treasury and Commerce Department hacks — and the FireEye compromise — is a hugely popular piece of server software called SolarWinds. It is used by hundreds of thousands of organizations globally, including most Fortune 500 companies and multiple US federal agencies that will now be scrambling to patch up their networks, said Alperovitch, the former chief technical officer of the cyber security firm CrowdStrike.
The DHS directive — only the fifth since they were created in 2015 — said US agencies should immediately disconnect or power down any machines running the impacted SolarWinds software.
Global cyber hack campaign
FireEye, without naming any specific targets, said in a blog post that its investigation into the hack of its own network had identified “a global campaign” targeting governments and the private sector that, beginning in the spring, had slipped malware into a SolarWinds software update. Neither the company nor US government officials would say whether it believed Russian state-backed hackers were responsible.
The malware gave the hackers remote access to victims’ networks; and Alperovitch said SolarWinds grants “God-mode” access to a network, making everything visible.
“We anticipate this will be a very large event when all the information comes to lightL;” said John Hultquist, director of threat analysis at FireEye. “The actor is operating stealthily, but we are certainly still finding targets that they manage to operate in.”
On its website, SolarWinds says its 300,000 customers worldwide include all five branches of the US military, the Pentagon, the State Department, NASA, the National Security Agency (NSA), the Department of Justice, and the White House. It says the 10 leading US telecommunications companies and top five US accounting firms are also among customers.
FireEye said it had confirmed infections in North America, Europe; Asia, and the Middle East, including in the health care and oil and gas industry; and had been informing affected customers around the world in the past few days. It said that malware that rode the SolarWinds update did not seed self-propagating malware; like the 2016 NotPetya malware blamed on Russia that caused more than $10 billion in damage globally; and tHat any actual infiltration of an infected organization required “meticulous planning and manual interaction.”
That means it’s a good bet only a subset of infected organizations were being spied on by the hackers. Nation-states have their cyber espionage priorities, which include Covid-19 vaccine development.
Cyber security experts said last week that they considered Russian state hackers to be the main suspect in the FireEye hack.
On Sunday, Russia’s US embassy described as “unfounded” in a post on its Facebook page the “attempts of the US media to blame Russia for hacker attacks on US governmental bodies.”
President Donald Trump last month fired the director of CISA; Chris Krebs after Krebs vouched for the integrity of the presidential election; and disputed Trump’s claims of widespread electoral fraud.
In a tweet Sunday, Krebs said “hacks of this type take exceptional tradecraft and time,”; adding that he believed that its impact was only beginning to be understood.
Federal government agencies have long been attractive targets for foreign hackers.
Hackers linked to Russia were able to break into the State Department’s email system in 2014; infecting it so thoroughly that it had to be cut off from the internet while experts worked to eliminate the infestation.
The intrusions disclosed Sunday included the Commerce Department’s agency responsible for internet and telecommunications policy.
Treasury deferred comment to the National Security Council. A Commerce spokesperson confirmed a “breach in one of our bureaus” and said; “we have asked CISA and the FBI to investigate.” ; The FBI said it was engaged in a response but declined to comment further.
FireEye announced on Tuesday that it had been hacked, saying foreign state hackers with “world-class capabilities”; broke into its network and stole tools it uses to probe the defenses of its thousands of customers. The hackers “primarily sought information related to certain government customers;” FireEye CEO Kevin Mandia said in a statement, without naming them.
Former NSA hacker Jake Williams, the president of the cyber security firm Rendition Infosec; said FireEye surely told the FBI and other federal partners; how it had been hacked and they determined that Treasury had been similarly compromised.
“I suspect that there’s a number of other (federal) agencies we’re going to hear from this week that has also been hit,” Williams added.
FireEye responded to the Sony and Equifax data breaches and helped Saudi Arabia thwart an oil industry cyber attack; and has played a key role in identifying Russia as the protagonist; in numerous aggressions in the burgeoning netherworld of global digital conflict.
Mandia said there was no indication they got customer information; from the company’s consulting or breach-response businesses or threat-intelligence data it collects.