US investigates suspected cyber-espionage campaign against government agencies dating back months

Hackers breached the Commerce Department, and reportedly have infiltrated the Treasury Department and other U.S. agencies, in incidents that government security officials said on Sunday that they were fighting to contain.

There were signs that the impact could stretch far and wide in not only the government, but also the private sector. SolarWinds, an IT provider to many government agencies and Fortune 500 companies that boasts more than 300,000 customers, said it was working with law enforcement, the intelligence community and others to investigate a vulnerability apparently implanted into its supply chain by a nation state.

Cybersecurity firm FireEye said it had seen signs of compromise, delivered via SolarWinds software updates, in government and industry dating back to the spring in what the company called “a global intrusion campaign.”

“We’ve so far been able to identify affected organizations in North America, Europe, Asia and the Middle East,” according to FireEye. “They’ve been in government, consulting, technology, telecommunications, health care and the oil and gas industry. We anticipate that the list of affected targets is much larger.”

U.S. agencies were among those struggling with breaches, although those agencies did not specify that they were SolarWinds-related.

“We can confirm there has been a breach in one of our bureaus,” a Commerce Department spokesperson said. The spokesperson added that Commerce has asked the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency “and the FBI to investigate, and we cannot comment further at this time.”

Reuters first reported that foreign nation-backed hackers have been monitoring email traffic at the Treasury Department and Commerce Department’s National Telecommunications and Information Administration, and the attackers apparently used similar tools to breach other agencies.

“The United States government is aware of these reports and we are taking all necessary steps to identify and remedy any possible issues related to this situation,” said John Ullyot, a spokesman for the White House’s National Security Council.

NTIA has been breached and U.S. investigators suspected that other agencies have been, too, said a U.S. official familiar with the investigation. The FBI is on site responding to the NTIA breach, and U.S. Cyber Command is also assisting with the investigation, the official added.

“We have been working closely with our agency partners regarding recently discovered activity on government networks. CISA is providing technical assistance to affected entities as they work to identify and mitigate any potential compromises,” a CISA spokesperson said.

The Treasury Department, asked for comment, referred CyberScoop to the NSC statement.

The Washington Post first reported that the Russian hacking group known as APT29, or Cozy Bear, was behind the campaign. The breaches were reportedly carried out on behalf of the Russian intelligence agency SVR. The same hacking group is suspected to be behind the breach at FireEye, announced last week.

SolarWinds said it was working with FireEye, too. SolarWinds counts more than 425 companies in the Fortune 500 among its customers, as well as the departments of Defense, Justice, Treasury, Veterans Affairs and more.

“We are aware of a potential vulnerability which if present is currently believed to be related to updates which were released between March and June 2020 to our Orion monitoring products,” Kevin Thompson, SolarWinds president and CEO, said in a statement. “We believe that this vulnerability is the result of a highly-sophisticated, targeted and manual supply chain attack by a nation state. We are acting in close coordination with FireEye, the Federal Bureau of Investigation, the intelligence community, and other law enforcement to investigate these matters. As such, we are limited as to what we can share at this time.”

In a blog post published on Sunday, FireEye updated the status of its breach investigation.

“Based on our analysis, we have now identified multiple organizations where we see indications of compromise dating back to the Spring of 2020, and we are in the process of notifying those organizations,” the post states. “Our analysis indicates that these compromises are not self-propagating; each of the attacks require meticulous planning and manual interaction.”

The campaign involves implanting malicious code into legitimate SolarWinds Orion software to allow remote access, and using very little malware to achieve its aims, FireEye said. The attackers go to “significant lengths” to conduct patient reconnaissance and remain stealthy, using “difficult-to-attribute” tools. FireEye has not yet blamed a specific group, saying only that the company believes the actor is sophisticated and that the activity resembles the work of nation-state hackers.

“If it is cyber espionage, it is one of the most effective cyber espionage operations we’ve seen in quite some time,” said John Hultquist, senior director of threat analysis at FireEye’s Mandiant Threat Intelligence.

Whether the breaches at FireEye and in the U.S. government are related remains unclear.

Sean Lyngaas contributed to this story.

Updated 12/13/20: to include statements from SolarWinds, FireEye and more context.