How Hackers, Probably Russian, Infiltrated the Federal Government

By Sara Morrison, Vox

16 December 20

ackers reportedly linked to the Russian government managed to hack into multiple US government agencies in what could be the largest hack of government systems since the Obama administration — or perhaps ever.

Malware inserted into third-party software may have given hackers access to various government systems for months. It went undetected until last week, when a cybersecurity company that makes hacking tools discovered that its own systems were breached. Security agencies are currently assessing exactly which departments were breached and what information was accessed. So far, the Commerce Department has confirmed it was hacked, and the Treasury and State Departments, Department of Homeland Security, parts of the Pentagon, and the National Institutes of Health are reported to have been affected. There will likely be more.

We don’t have a lot of other details yet, but here’s what we do know.

According to anonymous officials, the hackers are a Russian group called Cozy Bear, also known as APT29. It was also behind the hack of the Democratic National Committee and Hillary Clinton campaign staffers during her 2016 campaign, as well as the 2014 hack of the White House and State Department’s unclassified networks. Cozy Bear is also believed to be behind recent attacks on various organizations developing Covid-19 vaccines. The group is linked to Russian intelligence, although Russia has denied any involvement — a position it maintains now.

“Malicious activities in the information space contradicts the principles of the Russian foreign policy, national interests and our understanding of interstate relations,” the Russian Embassy said in a statement. “Russia does not conduct offensive operations in the cyber domain.”

The US government has not officially stated which group or country it believes is behind the hack. Consistent with the Trump administration’s downplaying of Russian cybersecurity threats, Secretary of State Mike Pompeo told Breitbart Radio News on Monday: “It’s been a consistent effort of the Russians to try and get into American servers, not only those of government agencies but of businesses,” then adding “we see this even more strongly from the Chinese Communist Party, from the North Koreans as well.”

The hacks are believed to have begun last March through a network monitoring software called Orion Platform, which is made by a Texas company called SolarWinds. SolarWinds says it has more than 300,000 customers around the world, including the American military, the Pentagon, the Department of Justice, the State Department, the Commerce and Treasury Departments, and more than 400 Fortune 500 companies (the webpage with this listing was showing an error message by Monday afternoon).

But not all of those clients used the Orion Platform. SolarWinds believes fewer than 18,000 customers were potentially affected, according to the Washington Post. The hackers were somehow able to insert malware into software updates which, once installed, gave hackers access to those systems. FireEye, a cybersecurity company that was also a victim of the SolarWinds hack, has named this malware “SUNBURST”. (Microsoft has named it “Solorigate.”) FireEye revealed last week that it was attacked “by a nation with top-tier offensive capabilities,” and was reportedly the first to discover the hack — not, apparently, the government agencies charged with protecting the nation’s cybersecurity infrastructure.

SolarWinds has now released software updates that fix the vulnerability and apologized “for any inconvenience caused.”

The Commerce Department has confirmed a breach of one of its agencies but has not specified which one was hit. Citing anonymous sources, Reuters reported on Sunday that the National Telecommunications and Information Administration was the affected agency, and that hackers have had access to staff emails for months. The Treasury Department, State Department, Department of Homeland Security, and National Institutes of Health are also believed to have been affected, but have yet to publicly acknowledge the breaches. How extensive the hacks were or which systems were affected in those departments has also not been made public.

The government has been sparing with its statements so far, only saying that its security agencies are investigating. The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive on Sunday to federal civilian agencies to disconnect affected products from their networks immediately.

“The NSC is working closely with CISA, FBI, the intelligence community, and affected departments and agencies to coordinate a swift and effective whole-of-government recovery and response to the recent compromise,” National Security Council spokesperson John Ullyot said in a statement.