In one of the most sophisticated and perhaps largest hacks in more than five years, email systems were breached at the Treasury and Commerce Departments. Other breaches are under investigation.
Dec. 13, 2020
The New York Times
The Trump administration acknowledged on Sunday that hackers acting on behalf of a foreign government — almost certainly a Russian intelligence agency, according to federal and private experts — broke into a range of key government networks, including in the Treasury and Commerce Departments, and had free access to their email systems.
Officials said a hunt was on to determine if other parts of the government had been affected by what looked to be one of the most sophisticated, and perhaps among the largest, attacks on federal systems in the past five years. Several said national security-related agencies were also targeted, though it was not clear whether the systems contained highly classified material.
The Trump administration said little in public about the hack, which suggested that while the government was worried about Russian intervention in the 2020 election, key agencies working for the administration — and unrelated to the election — were actually the subject of a sophisticated attack that they were unaware of until recent weeks.
“The United States government is aware of these reports, and we are taking all necessary steps to identify and remedy any possible issues related to this situation,” John Ullyot, a spokesman for the National Security Council, said in a statement. The Department of Homeland Security’s cybersecurity agency, whose leader was fired by President Trump last month for declaring that there had been no widespread election fraud, said in a statement that it had been called in as well.
The Commerce Department acknowledged that one of its agencies had been affected, without naming it. But it appeared to be the National Telecommunications and Information Administration, which helps determine policy for internet-related issues, including setting standards and blocking imports and exports of technology that is considered a national security risk.
The motive for the attack on the agency and the Treasury Department remains elusive, two people familiar with the matter said. One government official said it was too soon to tell how damaging the attacks were and how much material was lost, but according to several corporate officials, the attacks had been underway as early as this spring, meaning they continued undetected through months of the pandemic and the election season.
News of the breach, reported earlier by Reuters, came less than a week after the National Security Agency, which is responsible for breaking into foreign computer networks and defending the most sensitive U.S. national security systems, issued a warning that “Russian state-sponsored actors” were exploiting flaws in a system broadly used in the federal government.
At the time, the N.S.A. refused to give further details of what had prompted the urgent warning. Shortly afterward, FireEye, a leading cybersecurity firm, announced that hackers working for a state had stolen some of its prized tools for finding vulnerabilities in its clients’ systems — including the federal government’s. That investigation also pointed toward the S.V.R., one of Russia’s leading intelligence agencies. It is often called Cozy Bear or A.P.T. 29, and it is known as a traditional collector of intelligence.
FireEye’s clients, including the Department of Homeland Security and intelligence agencies, hire the firm to conduct ingenious but benign hacks of their systems using the company’s large database of techniques it has seen around the world. Its “red team” tools — essentially imitating a real hacker — are used to plug security holes in networks. So the hackers who stole FireEye’s tools have added to their arsenal. But it appears that FireEye was hardly their only victim.
The global campaign, investigators now believe, involved the hackers inserting their code into periodic updates of software used to manage networks by a company called SolarWinds. Its products are widely used in corporate and federal networks, and the malware was carefully minimized to avoid detection.
The company, based in Austin, Texas, says it has more than 300,000 customers, including most of the nation’s Fortune 500 firms. But it is unclear how many of those use the Orion platform that the Russian hackers invaded, or whether they were all targets.
If the Russia connection is confirmed, it will be the most sophisticated known theft of American government data by Moscow since a two-year spree in 2014 and 2015, in which Russian intelligence agencies gained access to the unclassified email systems at the White House, the State Department and the Joint Chiefs of Staff. It took years to undo the damage, but President Barack Obama decided at the time not to name the Russians as the perpetrators — a move that many in his administration now regard as a mistake.
Emboldened, the same group of hackers went on to invade the systems of the Democratic National Committee and top officials in Hillary Clinton’s campaign, touching off investigations and fears that permeated both the 2016 and 2020 contests. Another, more disruptive Russian intelligence agency, the G.R.U., is believed to be responsible for then making public the hacked emails at the D.N.C.
“There appear to be many victims of this campaign, in government as well as the private sector,” said Dmitri Alperovitch, the chairman of Silverado Policy Accelerator, a geopolitical think tank, who was the co-founder of CrowdStrike, a cybersecurity firm that helped find the Russians in the Democratic National Committee systems four years ago.
“Not unlike what we had seen in 2014-2015 from this actor, when they ran a massive campaign and successfully compromised numerous victims.”
Russia has been one of several countries that have also been hacking American research institutions and pharmaceutical companies. This summer, Symantec Corporation warned that a Russian ransomware group was exploiting the sudden change in American work habits because of the pandemic and were injecting code into corporate networks with a speed and breadth not previously seen.
According to private-sector investigators, the attacks on FireEye led to a broader hunt to discover where else the Russian hackers might have been able to infiltrate both federal and private networks. FireEye provided some key pieces of computer code to the N.S.A. and to Microsoft, officials said, which went hunting for similar attacks on federal systems. That led to the emergency warning last week.
Most hacks involve stealing user names and passwords, but this was far more sophisticated. Once they were in the SolarWinds network management software, the Russians, investigators said, were able to insert counterfeit “tokens,” essentially electronic indicators that provide an assurance to Microsoft, Google or other providers about the identity of the computer system its email systems are talking to. By using a flaw that is extraordinarily difficult to detect, the hackers were able to trick the system and gain access, undetected.
It is unclear exactly what they extracted; the situation is reminiscent of the Chinese hack of the Office of Personnel Management, which went on for a year in 2014 and 2015, with the loss eventually tallied at more than 22 million security-clearance files and more than five million fingerprints.
That turned out to be part of a much broader data-gathering effort by Beijing, which involved theft from the Starwood Hotels division of Marriott, the Anthem insurance database and Equifax, the credit reporting agency.
The history of Russian theft of critical data from the United States government stretches more than two decades and resulted in the creation of United States Cyber Command, the Pentagon’s quickly expanding cyberwarfare force. As early as the mid-1990s, the F.B.I. was called in for an investigation into networks that included Los Alamos and Sandia National Laboratories, which work on nuclear weapons design, among other issues.
In the minds of some experts, that Russian operation, soon called Moonlight Maze, never really ended.
“The activity described by the name — Russian cyberoperations against a wide variety of American targets — continues to this day,” Ben Buchanan, now at Georgetown University, and Michael Sulmeyer, now a senior adviser at Cyber Command, wrote for the Carnegie Endowment for International Peace in 2016.
Reporting was contributed by Alan Rappeport, Maggie Haberman, Julian Barnes and Zolan Kanno-Youngs.