Russian hackers are being accused of carrying out the biggest cyber-raid against the US for more than five years, targeting federal government networks in a sophisticated attack, according to American officials and sources.
The hackers, linked to Russian spy agencies, were able to monitor internal emails at the US Treasury and Department of Commerce and may have compromised other bodies, in what is being described as a highly sophisticated state-level attack.
Security agencies in the UK and elsewhere were also scrambling to assess the impact on their systems – while the revelation was deemed so grave it led to a national security council meeting at the White House over the weekend.
On Monday, the US national security council said it was working closely with the FBI and the Cybersecurity and Infrastructure Security Agency (Cisa) “to coordinate a swift and effective whole-of-government recovery and response to the recent compromise.”
The US has not formally named the country it believes is responsible, but multiple sources blamed Moscow. The Washington Post specifically cited a well-known Russian hacking group – known as Cozy Bear or APT 29 – linked to the country’s FSB and SVR spy agencies.
Earlier this year Cozy Bear was accused by the UK, US and Canada of trying to steal coronavirus vaccine secrets from western researchers; the group has been previously accused of trying to hack into White House and Democratic party systems in 2014 and 2015.
The Russian foreign ministry described the allegations as “another unfounded attempt” by the US media to blame Russia for cyber-attacks against US agencies, in a statement posted on Facebook.
They compromised a little-known but strategically important corporate software management tool called SolarWinds, widely used by government agencies and businesses to copy and steal data, in attacks that began as long ago as March.
Cybersecurity experts said the hackers inserted their own code into SolarWinds software, used to carry out updates, from March without the company knowing. This “supply chain attack” is extraordinarily difficult to detect, officials added, and allowed the operatives to gain access to sensitive systems without being detected.
SolarWinds software is used by 300,000 companies and agencies, but on Monday it said only 18,000 of those customers were using the compromised version of its system, in a filing to the US Securities and Exchange Commission.
Its customers include most of America’s Fortune 500 companies, the top 10 US telecommunications providers, all five branches of the US military, the state department, the National Security Agency, and the Office of President of the United States.
Organisations outside the US are likely to have been affected as well. SolarWinds lists “UK central government” and the NHS among its UK clients as well as the European parliament and Nato’s Support Agency.
Jeremy Fleming, the head of the UK spy agency GCHQ, said the organisation was “working at pace” to understand what the implications of the SolarWinds and related attacks were on British government and private sector companies.
Fleming told a Chatham House event at lunchtime that “I haven’t seen any news as yet” on the potential impact on UK systems. GCHQ and other British agencies would “continue to work very closely” with their US counterparts as they scrambled to find out more, he added.
The spy chief advised companies and individuals to ensure to follow the advice released on Monday morning from the UK’s National Cyber Security Centre, an arm of GCHQ, and patch the SolarWinds software urgently.
This latest breach presents a major challenge to the incoming administration of Joe Biden as officials investigate what information was stolen and try to ascertain what it will be used for. Western officials repeatedly argue it demonstrates Russia’s willingness to engage in conflict with the west at below the threshold of war.
Another group of Russian hackers – Fancy Bear – working for the country’s GRU military intelligence agency – stole thousands of Democratic party emails, in an operation designed to damage Hillary Clinton in the run-up to the 2016 presidential election won by Donald Trump.
However, Putin has repeatedly denied Russia is guilty of subverting US democracy and infrastructure. In their infamous 2018 summit in Helsinki, the current US president Donald Trump said he “didn’t see any reason” why Moscow would have interfered in 2016 to help him win.
SolarWinds admitted updates to its monitoring software may have been subverted between March and June. The breach was “highly sophisticated” and the work of a “nation state”, the US company said.
A specialist cybersecurity firm FireEye said the attack was linked to a hacking attack it had discovered a week before on its own organisation. The latest attack, FireEye added, was “widespread, affecting public and private organisations around the world”.
Hackers broke into the commerce department via Microsoft’s Office 365. Staff emails at the National Telecommunications and Information Administration agency were monitored by the hackers for months, sources said.
The hackers are “highly sophisticated” and have been able to trick the Microsoft platform’s authentication controls, according to a person familiar with the incident. “This is a nation state,” said a different person briefed on the matter.
A spokesperson for Cisa said they had been “working closely with our agency partners regarding recently discovered activity on government networks. Cisa is providing technical assistance to affected entities as they work to identify and mitigate any potential compromises.”