Commerce Department breached as Treasury, others reportedly victimized by suspected Russian hackers

Hackers breached the Commerce Department, and reportedly have infiltrated the Treasury Department and other U.S. agencies, in incidents that government security officials said on Sunday they were fighting to contain.

“We can confirm there has been a breach in one of our bureaus,” a Commerce Department spokesperson said. The spokesperson added that Commerce has asked the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency “and the FBI to investigate, and we cannot comment further at this time.”

Reuters reported that foreign nation-backed hackers have been monitoring email traffic at the Treasury Department and Commerce Department’s National Telecommunications and Information Administration, and the attackers apparently used similar tools to breach other agencies.

“The United States government is aware of these reports and we are taking all necessary steps to identify and remedy any possible issues related to this situation,” said John Ullyot, a spokesman for the White House’s National Security Council.

NTIA has been breached and U.S. investigators suspected that other agencies have been, too, said a U.S. official familiar with the investigation. A common denominator in the malicious activity appears to be an interest in leveraging Microsoft 365, the person said. The FBI is on site responding to the NTIA breach, and U.S. Cyber Command is also assisting with the investigation, the official added.

“We have been working closely with our agency partners regarding recently discovered activity on government networks. CISA is providing technical assistance to affected entities as they work to identify and mitigate any potential compromises,” a CISA spokesperson said.

The Washington Post first reported that the Russian hacking group known as APT29, or Cozy Bear, was behind the campaign. The breaches were reportedly carried out on behalf of the Russian intelligence agency SVR. The same hacking group is suspected to be behind the breach at FireEye, announced last week.

Sean Lyngaas contributed to this story.