The United States Treasury Department building viewed from the Washington Monument. Photo / AP file
Hackers broke into the networks of United States federal agencies including the Treasury and Commerce departments.
The attacks were revealed just days after officials warned that cyber actors linked to the Russian Government were exploiting vulnerabilities to target sensitive data.
The FBI and the Department of Homeland Security's cybersecurity arm are investigating what experts and former officials said appeared to be a large-scale penetration of US government agencies.
"This can turn into one of the most impactful espionage campaigns on record," said cybersecurity expert Dmitri Alperovitch.
The hacks were revealed just days after a major cybersecurity firm disclosed that foreign government hackers had broken into its network and stolen the company's own hacking tools.
Many experts suspect Russia is responsible for the attack against FireEye, a major cybersecurity player whose customers include federal, state and local governments and top global corporations.
The apparent conduit for the Treasury and Commerce Department hacks — and the FireEye compromise — is a hugely popular piece of server software called SolarWinds.
It is used by hundreds of thousands of organisations globally, including most Fortune 500 companies and multiple US government agencies who will now be scrambling to patch up their networks, said Alperovitch, the former chief technical officer of the cybersecurity firm CrowdStrike.
.@nakashimae is reporting that Russia's foreign intelligence service, the SVR, is behind these federal agency intrusions: https://t.co/xobSD3OkVB
— Eric Geller (@ericgeller) December 13, 2020
The SVR was also reportedly behind the FireEye hack.
The attacks were disclosed less than a week after a National Security Agency advisory warned that Russian government hackers were exploiting vulnerabilities in a system used by the federal government, "allowing the actors access to protected data."
The US Government did not publicly identify Russia as the culprit behind the hacks, first reported by Reuters, and said little about who might be responsible.
National Security Council spokesperson John Ullyot said in a statement that the Government was "taking all necessary steps to identify and remedy any possible issues related to this situation."
The government's Cybersecurity and Infrastructure Security Agency said separately that it has been working with other agencies "regarding recently discovered activity on government networks. CISA is providing technical assistance to affected entities as they work to identify and mitigate any potential compromises."
President Donald Trump last month fired the director of CISA, Chris Krebs, after Krebs vouched for the integrity of the presidential election and disputed Trump's claims of widespread electoral fraud.
"The hack is so serious it led to a National Security Council meeting at the White House on Saturday" https://t.co/I2JEPRgep6
— Shibley Telhami (@ShibleyTelhami) December 13, 2020
In a tweet today, Krebs said "hacks of this type take exceptional tradecraft and time" and raised the possibility that it had been underway for months.
"This thing is still early, I suspect," Krebs wrote.
Federal government agencies have long been attractive targets for foreign hackers.
Hackers linked to Russia were able to break into the State Department's email system in 2014, infecting it so thoroughly that it had to be cut off from the internet while experts worked to eliminate the infestation.
Reuters earlier reported that a group backed by a foreign government stole information from Treasury and a Commerce Department agency responsible for deciding internet and telecommunications policy.
If the companies that are meant to stop Russian and Chinese hackers can be hacked themselves, is anybody really secure? https://t.co/dKstU2Jfyt
— Tim O'Brien (@TimOBrien) December 10, 2020
The Treasury Department deferred comment to the National Security Council. A Commerce Department spokesperson confirmed a "breach in one of our bureaus" and said "we have asked CISA and the FBI to investigate." The FBI had no immediate comment.
The Washington Post reported, citing three unnamed sources, that the two federal agencies and FireEye were all breached through the SolarWinds network management system.
Austin, Texas-based SolarWinds confirmed to AP that it has a "potential vulnerability" related to updates released earlier this year to its Orion products, which help organisations monitor their online networks for problems or outages.
"We believe that this vulnerability is the result of a highly-sophisticated, targeted and manual supply chain attack by a nation state," said SolarWinds CEO Kevin Thompson in a statement.
The comprise is critical because SolarWinds would give a hacker "God-mode" access to the network, making everything visible, said Alperovitch.
- AP