U.S. officials worked over the weekend to determine the damage done by Russian government hackers who breached U.S. government agencies, including the Treasury and Commerce departments.
According to the Washington Post, the hackers were part of a global espionage campaign believed to have begun months earlier. Sources close to the incident said that, after discovering the campaign was long-running and significant, officials worked to assess the extent of the intrusion and to identify ways to prevent it from happening again.
The hackers have been identified as APT29, also known as Cozy Bear. Officials say the group is part of Russia's foreign intelligence service, the SVR, and is known for breaking into email systems, sources said. This isn't the group's first intrusion into U.S. government networks: the same hackers broke into State Department and White House email servers when President Obama was in office, the Post reported.
The FBI has launched an investigation into the intrusion, which is believed to have started this past spring. Since then, several victims have been identified, including government agencies, consulting firms, technology companies, telecommunications providers, and oil and gas companies worldwide.
The Russian Embassy released a Facebook statement on the incident, calling it “baseless.”
The hackers got into the affected organizations and agencies through a compromised software update to Orion, a network management platform made by the firm SolarWinds.
According to NPR, the hackers worked for the Kremlin. Officials are still trying to determine all of the government departments and private companies affected. So far, the Commerce Department, the National Security Council, and the Department of Homeland Security have confirmed they were hit by the intrusion.
Russia has denied any involvement.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), a branch of Homeland Security, has directed federal civilian agencies on what to do, including reviewing their networks for signs of compromise and disconnecting SolarWinds Orion systems immediately.
“This is a big deal, and given what we now know about where breaches happened, I’m expecting the scope to grow as more logs are reviewed,” said John Scott-Railton, a senior researcher at Citizen Lab at the University of Toronto’s Munk School of Global Affairs and Public Policy. “When an aggressive group like this gets an open sesame to many desirable systems, they are going to use it widely.”
SolarWinds holds government contracts, including contracts with the U.S. military and intelligence services, NPR reported.
“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” CISA’s acting Director Brandon Wales said in a statement. “Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners — in the public and private sectors — to assess their exposure to this compromise.”
“We have been advised this attack was likely conducted by an outside nation-state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack,” SolarWinds said, adding that the company is cooperating with the FBI and other agencies.