A Russian hacking campaign has struck several federal agencies, according to security companies and news reports.
A Russian intelligence agency is carrying out a sophisticated malware campaign, impacting US local, state and federal agencies as well as private companies including Microsoft, according to the State Department and the Cybersecurity and Infrastructure Security Agency (CISA), news reports and analysis from security firms. The massive breach, which reportedly included an email system used by senior leadership at the Treasury Department, started earlier this year, when hackers compromised software made by IT software firm SolarWinds.
The hacked company sells software that lets an organization see what’s happening on its computer networks. Hackers inserted malicious code into an updated version of the software, called Orion. Around 18,000 SolarWinds customers installed the tainted updates onto their systems, the company said. The compromised update process has had a sweeping effect, the scale of which keeps growing as new information emerges.
Editors’ top picks
Subscribe to CNET Now for the day’s most interesting reviews, news stories and videos.
Over the weekend, President Donald Trump floated on Twitter the idea that China might be behind the attack. Trump, who didn’t provide evidence to support the suggestion of Chinese involvement, tagged Secretary of State Mike Pompeo, who had earlier said in a radio interview that “we can say pretty clearly that it was the Russians that engaged in this activity.”
In a joint statement, US national security agencies have called the breach “significant and ongoing.” It’s still unclear how many agencies are affected or what information hackers might have stolen so far, but by all accounts the malware is extremely powerful. According to an analysis by Microsoft and security firm FireEye, both of which were infected, the malware gives hackers broad reach into impacted systems.
Microsoft said it had identified more than 40 customers that were targeted in the hack. More information is likely to emerge about the hack and its aftermath. Here’s what you need to know about the SolarWinds hack:
How did hackers sneak malware into a software update?
Hackers managed to access a system that SolarWinds uses to put together updates to its Orion product, the company explained in a filing with the SEC. From there, they inserted malicious code into otherwise legitimate software updates. This is known as a supply-chain attack, because it infects software while it’s being assembled.
It’s a big coup for hackers to pull off a supply-chain attack, because it packages their malware inside a trusted piece of software. Instead of having to trick individual targets into downloading malicious software with a phishing campaign, the hackers could rely on several government agencies and companies to install the Orion update at SolarWinds’ prompting.
The approach is especially powerful in this case because thousands of companies and government agencies around the world reportedly use the Orion software. With the release of the tainted software update, SolarWinds’ vast customer list became potential hacking targets.
Which government agencies were infected with the malware?
According to reports from Reuters, The Washington Post and The Wall Street Journal, the malware affected the US Homeland Security, State, Commerce and Treasury Departments, as well as the National Institutes of Health. Politico reported on Dec. 17 that nuclear programs run by the US Department of Energy and the National Nuclear Security Administration were also targeted.
As spotted by Reuters, on Dec. 23 the federal Cybersecurity and Infrastructure Security Agency (CISA) posted on its website that it is “tracking a significant cyber incident impacting enterprise networks across federal, state, and local governments, as well as critical infrastructure entities and other private sector organizations.”
It’s still unclear what information, if any, was stolen from the federal agencies, but the amount of access appears to be broad.
Though the Department of Energy and the Commerce Department have acknowledged the hacks to news sources, there’s no official confirmation that other specific federal agencies have been hacked. However, the US Cybersecurity and Infrastructure Security Agency put out an advisory urging federal agencies to mitigate the malware, noting that it’s “currently being exploited by malicious actors.”
In a statement on Dec. 17, President-elect Joe Biden said his administration will “make dealing with this breach a top priority from the moment we take office.”
Why is the hack a big deal?
In addition to gaining access to several government systems, the hackers turned a run-of-the-mill software update into a weapon. That weapon was pointed at thousands of groups, not just the agencies and companies that the hackers focused on after they installed the tainted Orion update.
Microsoft president Brad Smith called this “an act of recklessness” in a wide-ranging blog post that explored the ramifications of the hack. He didn’t directly attribute the hack to Russia, but described its previous alleged hacking campaigns as proof of an increasingly fraught cyber conflict.
“This is not just an attack on specific targets,” Smith said, “but on the trust and reliability of the world’s critical infrastructure in order to advance one nation’s intelligence agency.” He went on to call for international agreements to limit the creation of hacking tools that undermine global cybersecurity.
Former Facebook cybersecurity chief Alex Stamos said on Twitter that the hack could lead to supply-chain attacks becoming more common. However, he questioned whether the hack was anything out of the ordinary for a well-resourced intelligence agency.
“So far, all of the activity that has been publicly discussed has fallen into the boundaries of what the US does regularly,” Stamos said.
Were private companies or other governments hit with the malware?
Yes. Microsoft confirmed on Dec. 17 that it found indicators of the malware in its systems, after confirming several days earlier that the breach was affecting its customers. A Reuters report also said that Microsoft’s own systems were used to further the hacking campaign, but Microsoft denied this claim to news agencies. On Dec. 16, the company began quarantining the versions of Orion known to contain the malware, in order to cut hackers off from its customers’ systems.
FireEye also confirmed that it was infected with the malware and was seeing the infection in customer systems as well.
On Dec. 21, The Wall Street Journal said it had uncovered at least 24 companies that had installed the malicious software. These include tech companies Cisco, Intel, Nvidia, VMware and Belkin, according to the Journal. The hackers also reportedly had access to the California Department of State Hospitals and Kent State University.
It’s unclear which of SolarWinds’ other private sector customers saw malware infections. The company’s customer list includes large corporations, such as AT&T, Procter & Gamble and McDonald’s. The company also counts governments and private companies around the world as customers. FireEye says many of those customers were infected.
What do we know about Russian involvement in the hack?
On Dec. 18 Pompeo attributed the hack to Russia. That came after news outlets reported throughout the week that government officials said a hacking group believed to be a Russian intelligence agency is responsible for the malware campaign. SolarWinds and cybersecurity firms have attributed the hack to “nation-state actors” but haven’t named a country directly.
In a statement on Facebook, the Russian embassy in the US denied responsibility for the SolarWinds hacking campaign. “Malicious activities in the information space contradict the principles of the Russian foreign policy, national interests and our understanding of interstate relations,” the embassy said, adding, “Russia does not conduct offensive operations in the cyber domain.”
Nicknamed APT29 or CozyBear, the hacking group pointed to by news reports has previously been blamed for targeting email systems at the State Department and White House during the administration of President Barack Obama. It was also named by US intelligence agencies as one of the groups that infiltrated email systems at the Democratic National Committee in 2015, but the leaking of those emails isn’t attributed to CozyBear. (Another Russian agency was blamed for that.)
More recently, the US, UK and Canada have identified the group as responsible for hacking efforts that tried to access information about COVID-19 vaccine research.
Correction, Dec. 23: This story has been updated to clarify that SolarWinds makes IT management software. An earlier version of the story misstated the purpose of its products.