State-sponsored hackers have reportedly tapped into internal email systems at several U.S. federal agencies, including the Treasury Department and the Commerce Department’s internet and telecom branch, the National Telecommunications and Information Administration.
Three people briefed on the matter told Reuters under the condition of anonymity that the attackers are believed to have used a similar tool to hack into multiple agencies, though authorities are still determining the extent of the breach. The sources confirmed that the Treasury and NTIA were hit, but didn’t name other agencies that may have been affected. The Trump administration acknowledged the attack on Sunday and said that hackers working with a foreign government, most likely a Russian intelligence agency, were behind it, the New York Times reports.
The National Security Council reportedly held a meeting at the White House on Saturday to discuss the alarming implications of this widespread breach, which is already looking to be one of the most sophisticated and largest attacks on federal systems in the past five years.
“This is a much bigger story than one single agency,” one source said in an interview with Reuters. “This is a huge cyber espionage campaign targeting the U.S. government and its interests.”
A team of “highly sophisticated” hackers purportedly broke into the NTIA’s Microsoft Office 365 software by tricking its authentication controls and spied on the agency’s internal correspondence for months. One person briefed on the matter told Reuters it was the work of a foreign government, “we just don’t know which one yet.”
The full scope of what intelligence was compromised remains unclear, but several federal agencies including the Federal Bureau of Investigation are in the “early stages” of an investigation. A senior U.S. official told Reuters that while the breach was only recently discovered, there’s evidence that NTIA’s emails may have been compromised since this summer.
SolarWinds, a Texas-based IT provider whose website claims it has contracts with five branches of the U.S. military, the State Department, the National Security Agency, and the White House, said on Sunday that it discovered its past software updates had been tampered with, per Reuters. Updates it released in March and June had been compromised by a “highly-sophisticated, targeted and manual supply chain attack by a nation state,” the company said. Two people familiar with the investigation told Reuters that the hackers likely exploited this vulnerability in their attack.
While details about the attack may still be under wraps, several federal agencies confirmed its existence on Sunday.
“The United States government is aware of these reports and we are taking all necessary steps to identify and remedy any possible issues related to this situation,” said National Security Council spokesman John Ullyot in a press statement.
A spokesperson for the Department of Homeland Security’s cybersecurity branch, the Cybersecurity and Infrastructure Security Agency, also confirmed that they had been “working closely with our agency partners regarding recently discovered activity on government networks.”
“CISA is providing technical assistance to affected entities as they work to identify and mitigate any potential compromises,” an agency spokesperson told Reuters.
The motive for the attack remains unclear, but the timing implicates Russia as a likely suspect. As the Times notes, the National Security Agency put out a warning last week that “Russian state-sponsored actors” were exploiting an authentication bug in a product widely used by federal agencies, but didn’t go into detail about what prompted the notice.
The breach comes at a particularly vulnerable period as federal officials try to coordinate the incoming administration of President-elect Joe Biden while the current president refuses to admit defeat. At the end of November, the Trump administration was reportedly withholding full cybersecurity support for Biden’s transition team, forcing them to rely on a fraction of the cybersecurity services allotted by the General Services Administration, which manages “ptt.gov” email accounts, and possibly miss out on classified briefings about potential cybersecurity threats.