Suspected Russian hackers spied on US federal agencies

Technology 03:09 PM - 2020-12-14

FBI to investigate after treasury and commerce departments believed to have been targeted

Suspected Russian hackers have carried out the biggest cyber-raid against the US for more than five years, US officials have said, targeting key government networks including the treasury and commerce departments.

The hackers were able to monitor internal email traffic and may have compromised other government bodies, in what is being described as a highly sophisticated state-level attack. The situation is so grave it led on Saturday to a national security council meeting at the White House.

The Trump administration has given few details beyond confirming one of its agencies was breached. It has asked the FBI and the Cybersecurity and Infrastructure Security Agency to investigate, and a hunt is now on to determine the scale of the damage. National Security Council spokesman John Ullyot said officials were taking “all necessary steps”.

The US has not named the country responsible but three people familiar with the investigation blamed Moscow. In 2015 and 2016 two groups of Russian hackers – one working for the GRU military intelligence agency – stole thousands of Democratic party emails, in an operation designed to damage Hillary Clinton.

A separate Russian hacking group – known as Cozy Bear or APT29 – carried out similar raids. This was initially believed to be the work of the FSB, the domestic spy agency which Vladimir Putin headed before he became president. It is now thought to be linked to the SVR, Russia’s foreign intelligence outfit.

In a statement posted on Facebook, the Russian foreign ministry described the allegations as another unfounded attempt by the US media to blame Russia for cyber-attacks against US agencies.

According to the New York Times, the hackers broke into the servers of the National Telecommunications and Information Administration. The commerce department body determines policy for internet-related issues. This includes blocking technology seen as a national security risk.

The attack appears to have begun in spring. It continued undetected throughout the US presidential election campaign. Officials suggest it is linked to a recently revealed raid against FireEye, a US cybersecurity company with government and commercial contracts.

The Russian hackers made off with sensitive FireEye tools used for detecting vulnerabilities in computer systems. They also targeted an IT company, SolarWinds, which serves US government customers, including the military, intelligence services and the executive branch, officials said.

The cyber-spies appear to have inserted their own code into the SolarWinds software used to carry out updates. This “supply chain attack” is extraordinarily difficult to detect, officials added, because the malicious code arrived as part of a trusted vendor update, and it gave the operatives access to sensitive systems without being detected.
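The check a practitioner would want against the update-channel compromise described above, as an added example that is not code from the article, from SolarWinds or from FireEye: a verifier that accepts an update only when both the vendor's signature and a hash pinned through an independent channel agree. When the attacker's code is inserted before the vendor's own build server signs the release, the signature check passes and only the out-of-band pin catches the tampering. The product name, version, signing key, artifact bytes and the HMAC stand-in for real code signing are all constructed for this example.

```python
"""Added example: a vendor-signed update is not enough to catch a build-pipeline compromise."""
import hashlib
import hmac

# Constructed inputs. Names, keys and bytes are invented for the example;
# they are not SolarWinds artifacts, versions or keys.
VENDOR_SIGNING_KEY = b"vendor-build-server-key"   # assumed to live on the vendor's build server
CLEAN_BUILD = b"ExampleMonitor 2020.2.1 (clean build)"
TROJANIZED_BUILD = CLEAN_BUILD + b"\n# implant inserted before the build was signed"


def vendor_sign(artifact: bytes, key: bytes = VENDOR_SIGNING_KEY) -> str:
    """Stand-in for the vendor's code-signing step (HMAC instead of a PKI signature)."""
    return hmac.new(key, artifact, hashlib.sha256).hexdigest()


def signature_valid(artifact: bytes, signature: str, key: bytes = VENDOR_SIGNING_KEY) -> bool:
    """What a customer's update client normally checks: did the vendor sign this artifact?"""
    return hmac.compare_digest(vendor_sign(artifact, key), signature)


# Out-of-band pin: the hash of the release recorded through a channel the update
# server does not control (for example a reproducible build done by the customer,
# or a hash published separately by the vendor and transcribed by hand).
PINNED_HASHES = {
    ("ExampleMonitor", "2020.2.1"): hashlib.sha256(CLEAN_BUILD).hexdigest(),
}


def verify_update(product: str, version: str, artifact: bytes, signature: str) -> dict:
    """Run both checks and report them separately so it is visible which one caught what."""
    sig_ok = signature_valid(artifact, signature)
    pinned = PINNED_HASHES.get((product, version))
    actual = hashlib.sha256(artifact).hexdigest()
    if pinned is None:
        pin_ok, reason = False, "no out-of-band hash pinned for this release; refuse to install"
    elif actual != pinned:
        pin_ok, reason = False, "artifact hash does not match the out-of-band pin"
    else:
        pin_ok, reason = True, "artifact matches the out-of-band pin"
    return {"signature_ok": sig_ok, "pin_ok": pin_ok, "install": sig_ok and pin_ok, "reason": reason}


if __name__ == "__main__":
    # A compromised pipeline signs whatever it built, so the trojanized update carries
    # a valid vendor signature; only the independent pin rejects it.
    for label, build in (("clean", CLEAN_BUILD), ("trojanized", TROJANIZED_BUILD)):
        print(label, verify_update("ExampleMonitor", "2020.2.1", build, vendor_sign(build)))
```

The design point is that the pin must come from somewhere the attacker who controls the build or update server cannot also write to; a hash downloaded from the same update server as the artifact adds nothing.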

On Sunday SolarWinds admitted updates to its monitoring software may have been subverted between March and June. The breach was “highly sophisticated” and the work of a “nation state”, it said.

The company, based in Austin, Texas, declined to offer details. But the breadth of SolarWinds’ customer base has sparked concern within the US intelligence community that other government agencies may be at risk, according to four people briefed on the matter.

SolarWinds says on its website that its customers include most of America’s Fortune 500 companies, the top 10 US telecommunications providers, all five branches of the US military, the state department, the National Security Agency, and the Office of President of the United States.

Organisations outside the US are likely to have been affected as well. FireEye said the SolarWinds attack was “widespread, affecting public and private organisations around the world” and said it was working with the FBI as it scrambled to work out the impact of the attack.

Britain’s National Cyber Security Centre – which this summer accused Cozy Bear of targeting coronavirus vaccine secrets – said it was urgently investigating in conjunction with international partners, partly to determine if British government and companies were affected.

“Investigations are ongoing, and we are working extensively with partners and stakeholders to assess any UK impact,” said the British agency, which is an offshoot of GCHQ. Companies needed to follow security mitigations promptly, it added.

Putin has repeatedly denied Russia is guilty of subverting American democracy and infrastructure. At their infamous 2018 summit in Helsinki, Donald Trump said he “didn’t see any reason” why Moscow would have interfered in 2016 to help him win. Last year’s report by special counsel Robert Mueller laid out the GRU’s hacking and dumping operation in lurid detail.

This latest breach presents a major challenge to the incoming administration of Joe Biden as officials investigate what information was stolen and try to ascertain what it will be used for. It is not uncommon for large scale cyber-investigations to take months or years to complete.

“This is a much bigger story than one single agency,” said one of the people familiar with the matter. “This is a huge cyber-espionage campaign targeting the US government and its interests.”

Hackers broke into the commerce department via Microsoft’s Office 365. Staff emails at the National Telecommunications and Information Administration agency were monitored by the hackers for months, sources said.

The hackers are “highly sophisticated” and have been able to trick the Microsoft platform’s authentication controls, according to a person familiar with the incident. “This is a nation state,” said a different person briefed on the matter.

A Microsoft spokesperson did not respond to a request for comment. Neither did a spokesman for the treasury department.

A spokesperson for the Cybersecurity and Infrastructure Security Agency said they had been “working closely with our agency partners regarding recently discovered activity on government networks. CISA is providing technical assistance to affected entities as they work to identify and mitigate any potential compromises.”

The FBI and National Security Agency did not respond to a request for comment.

PUKmedia / The Guardian 
