The networks of the Treasury and Commerce departments were hacked as part of a monthlong global cyberespionage campaign that. This was revealed on Sunday just days after FireEye— a popular cybersecurity firm— reported that it had been breached in an attack which had the signature of Russian tradecraft, according to industry experts.
Responding to what may turn out to be a large-scale breach of the U.S. government agencies, the cybersecurity arm of the Department of Homeland Security sent out an emergency directive which called on all the federal civilian agencies to search their networks for any compromise.
Apparently, the threat emanated from the same cyberespionage campaign that had also affected FireEye, foreign governments and some other major corporations. The FBI is investigating the matter.
‘This can turn into one of the most impactful espionage campaigns on record’, said Dmitri Alperovitch, a cybersecurity expert.
Information of the hacks came less than a week after FireEye reported that foreign government hackers had intruded in its network and stolen their hacking tools. A lot of experts suspect Russia’s involvement in the matter. FireEye’s clients include federal, state and local governments as well as prominent global corporations.
The conduit for the Treasury and Commerce Department hacks is a popular piece of server software called SolarWinds. It is used by thousands of organizations, including a lot of Fortune 500 companies and U.S. government agencies which will now be hustling to repair their networks, Alperovitch said. He was the former chief technical officer of the cybersecurity firm, CrowdStrike.
The DHS directive ordered the U.S. agencies to disconnect or power down any machine or system using the affected SolarWinds software.
FireEye said in a blog post that its own investigation had revealed ‘a global campaign’ with governments and the private sector as targets, had snuck in malware to a SolarWinds software update. The company and U.S. government officials did not confirm or deny if it believed Russia was responsible for the hack.
The malware gave the hackers remote access to the networks of victims and Alperovitch said SolarWinds gives ‘God-mode’ access to a network, which makes everything in it visible.
‘We anticipate this will be a very large event when all the information comes to light. The actor is operating stealthily, but we are certainly still finding targets that they manage to operate in’, said John Hultquist, the Director of Threat Analysis at FireEye.
On the SolarWinds website, it says that its 300,000 clients all over the world include the five branches of the U.S. military, the Pentagon, the State Department, NASA, the National Security Agency, the Department of Justice and the White House. It also says 10 prominent U.S. telecommunication companies and 5 U.S. accounting firms are its customers.
FireEye disclosed that there were confirmed infections in North America, Europe, Asia and the Middle East, in the healthcare and oil and gas industry— they had been informing the customers for the past few days and noticed that the malware did not seed self-propagating software— much like the 2016 NotPetya malware that caused over $10 billion in damages and was blamed on Russia— and that any breach of an affected organization required ‘meticulous planning and manual interaction’.
This means that it’s likely the hackers were spying on some of the affected organizations. Each country has their cyberespionage priorities, which includes the development of a COVID-19 vaccine.
Last week, cybersecurity experts disclosed Russian state hackers were the main suspects in the FireEye hack.
On Sunday, the Russian U.S. embassy responded to them, describing as ‘unfounded’ the ‘attempts of the U.S. media to blame Russia for hacker attacks on U.S. governmental bodies’ in a post on Facebook.
Prior to this, National Security Council spokesperson John Ullyot reported in a statement that the government was ‘taking all necessary steps to identify and remedy any possible issues related to this situation’. The Cybersecurity and Infrastructure Security Agency at DHS said it was collaborating with other agencies to ‘identify and mitigate any potential compromises’.
Last month, President Donald Trump fired the Director of CISA, Chris Krebs after Krebs negated Trump’s claim of widespread electoral fraud.
In a tweet on Sunday, Krebs said ‘hacks of this type take exceptional tradecraft and time’. He also added that its impact was only beginning to be comprehended.
For a long time, federal government agencies have been attractive targets for foreign hackers.
In 2014, Russia-linked hackers broke into the State Department’s email system and infected it so badly that it had to be caught off from the internet while it was repaired.
One of the intrusions disclosed on Sunday was the Commerce Department’s agency for internet and telecommunications policy.
A Commerce spokesperson confirmed a ‘breach in one of our bureaus’ and said ‘we have asked CISA and the FBI to investigate’. The FBI said it was occupied in a response but did not comment any further.
Austin, Texas-based SolarWinds confirmed on Sunday a ‘potential vulnerability’ linked to the updates that was released between March and June for some software products called Orion that monitors networks for problems.
‘We believe that this vulnerability is the result of a highly sophisticated, targeted and manual supply chain attack by a nation state’, Kevin Thompson, CEO of SolarWinds said in a statement. According to him, they are working with the FBI, FireEye and the Intelligence community.
On Tuesday, FireEye announced that it had been hacked, saying that foreign state hackers with ‘world-class capabilities’ had breached the network and stolen tools used to probe the defences of its customers. The hackers ‘primarily sought information related to certain government customers’, said Kevin Mandia, CEO of FireEye, without naming the customers.
Ex-NSA hacker and current President of the cybersecurity firm Rendition Infosec, Jake Williams said FireEye definitely told the FBI and other federal partners how it was hacked and it was determined that Treasury had a similar compromise.
‘I suspect that there’s a number of other (federal) agencies we’re going to hear from this week that have also been hit’, Williams added.
FireEye gave a response to the Sony and Equifax data breaches and assisted Saudi Arabia to foil an oil industry cyberattack. They have played a primary role in the identification of Russia as the protagonist in various aggressions in the world of digital conflict.
Mandia said there existed no indication that they collected customer information from the intelligence that company collects.
By Marvellous Iwendi.
Source: AP News