Suspected Russian hackers have carried out the biggest cyber-raid against the US for more than five years, US officials have said, targeting key government networks including the Treasury and commerce departments.
The hackers were able to monitor internal email traffic and may have compromised other government bodies, in what is being described as a highly sophisticated state-level attack. The situation is so grave it led on Saturday to a national security council meeting at the White House.
The Trump administration has given few details beyond confirming one of its agencies was breached. It has asked the FBI and the Cybersecurity and Infrastructure Security Agency to investigate, and a hunt is now on to determine the scale of the damage. National Security Council spokesman John Ullyot said officials were taking “all necessary steps”.
The US has not named the country responsible but three people familiar with the investigation blamed Moscow. In 2015 and 2016 two groups of Russian hackers – one working for the GRU military intelligence agency – stole thousands of Democratic party emails, in an operation designed to damage Hillary Clinton.
A separate Russian hacking group – known as Cozy Bear or APT 29 – carried out similar raids. This was initially believed to be the work of the FSB, the domestic spy agency which Vladimir Putin headed before he became president. It is now thought to be linked to the SVR, Russia’s foreign intelligence outfit.
In a statement posted on Facebook, the Russian foreign ministry described the allegations as another unfounded attempt by the US media to blame Russia for cyber-attacks against US agencies.
According to the New York Times, the hackers broke into the servers of the National Telecommunications and Information Administration. The commerce department body determines policy for internet-related issues. This includes blocking technology seen as a national security risk.
The attack appears to have begun in spring. It continued undetected throughout the US presidential election campaign. Officials suggest it is linked to a recently revealed raid against FireEye, a US cybersecurity company with government and commercial contracts.
The Russian hackers made off with sensitive FireEye tools used for detecting vulnerabilities in computer systems. They also targeted an IT company, SolarWinds, which serves US government customers, including the military, intelligence services, and the executive, officials said.
The cyber-spies appear to have inserted their own code into SolarWinds software, used to carry out updates. This “supply chain attack” is extraordinarily difficult to detect, officials added, and allowed the operatives to gain access to sensitive systems without being detected.
On Sunday SolarWinds admitted updates to its monitoring software may have been subverted between March and June. The breach was “highly sophisticated” and the work of a “nation state”, it said.
The company, based in Austin, Texas, declined to offer details. But the diversity of SolarWinds’ customer base has sparked concern within the US intelligence community that other government agencies may be at risk, according to four people briefed on the matter.
SolarWinds says on its website that its customers include most of America’s Fortune 500 companies, the top 10 US telecommunications providers, all five branches of the US military, the state department, the National Security Agency, and the Office of President of the United States.
Organisations outside the US are likely to have been affected as well. FireEye said the SolarWinds attack was “widespread, affecting public and private organisations around the world” and said it was working with the FBI as it scrambled to work out the impact of the attack.
The head of the spy agency GCHQ said that the UK was “working at pace” to understand what the implications of the SolarWinds and FireEye hacks were for British government and private sector companies.
Jeremy Fleming told a Chatham House event at lunchtime that “I haven’t seen any news as yet” on the potential impact on UK systems. GCHQ and other British agencies would “continue to work very closely” with their US counterparts as they scrambled to find out more, he added.
The spy chief advised companies and individuals to follow the advice released on Monday morning by the UK’s National Cyber Security Centre, an arm of GCHQ, and to patch the SolarWinds software urgently.
Putin has repeatedly denied Russia is guilty of subverting American democracy and infrastructure. In their infamous 2018 summit in Helsinki Donald Trump said he “didn’t see any reason” why Moscow would have interfered in 2016 to help him win. Last year’s report by special counsel Robert Mueller laid out the GRU’s hacking and dumping operation in lurid detail.
This latest breach presents a major challenge to the incoming administration of Joe Biden as officials investigate what information was stolen and try to ascertain what it will be used for. It is not uncommon for large scale cyber-investigations to take months or years to complete.
“This is a much bigger story than one single agency,” said one of the people familiar with the matter. “This is a huge cyber-espionage campaign targeting the US government and its interests.”
Hackers broke into the commerce department via Microsoft’s Office 365. Staff emails at the National Telecommunications and Information Administration agency were monitored by the hackers for months, sources said.
The hackers are “highly sophisticated” and have been able to trick the Microsoft platform’s authentication controls, according to a person familiar with the incident. “This is a nation state,” said a different person briefed on the matter.
A Microsoft spokesperson did not respond to a request for comment. Neither did a spokesman for the treasury department.
A spokesperson for the Cybersecurity and Infrastructure Security Agency said they had been “working closely with our agency partners regarding recently discovered activity on government networks. CISA is providing technical assistance to affected entities as they work to identify and mitigate any potential compromises.”
The FBI and National Security Agency did not respond to a request for comment.
Reuters contributed to this report