US government confirms cyber attack on Treasury and Commerce departments by state-backed hackers
By compromising SolarWinds monitoring software, attackers gained unrestricted access to the internal email systems of federal agencies
The US government on Sunday confirmed reports that hackers backed by a foreign government were able to breach the computer networks of the US Treasury Department and an agency within the Commerce Department.
"The United States government is aware of these reports, and we are taking all necessary steps to identify and remedy any possible issues related to this situation," National Security Council (NSC) spokesman John Ullyot told the New York Times in a statement.
The Commerce Department also acknowledged that one of its agencies had been targeted, without disclosing the name. Media reports said that the National Telecommunications and Information Administration (NTIA), which helps in crafting internet and telecommunications policy, was targeted in these attacks.
The breach is so serious that it led to an NSC meeting at the White House on Saturday.
According to the New York Times, the group behind these attacks had unrestricted access to the internal email systems of federal agencies. It involved Microsoft's Office 365 and the NTIA's office software, enabling the hackers to monitor staff emails for many months.
The FBI is currently investigating the possible role in the attack of the advanced persistent threat group Cozy Bear, also known as APT29, which is said to work for the Russian Foreign Intelligence Service (SVR).
Federal officials are also trying to determine whether other parts of the government have been targeted in these attacks, in what appears to be one of the most sophisticated cyber attacks against US federal agencies in the past five years.
According to The Washington Post, the group responsible for the breach appears to be the same one that recently targeted FireEye, a major US cyber security firm with a large number of government contracts.
The company's CEO Kevin Mandia disclosed last week that the firm had been hit by a cyber attack, possibly from a state-sponsored threat group, which led to the theft of some of the company's internal hacking tools. Mandia did not say when the incident occurred, or which nation or group could be behind the attack, but noted that the attack was conducted by a "highly sophisticated threat actor" whose discipline, techniques and offensive capabilities suggest that it was most likely a nation-state operation.
In a blog post yesterday, FireEye said that the attackers had compromised SolarWinds' network monitoring software Orion by "inserting malicious code into legitimate software updates for the Orion software that allow an attacker remote access into the victim's environment". The company says it has found evidence of similar attacks on multiple organisations dating back to Spring 2020.
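The technique FireEye describes, malicious code inserted into an otherwise legitimate update, is the reason defenders verify update packages against integrity data obtained out of band before installing them. The following is an added example, not code from the article, FireEye or SolarWinds: it hashes every file in an unpacked update, compares the digests with a vendor-published manifest, and flags modified, extra and missing files. The directory layout, file contents and manifest values are all constructed for the demonstration.

```python
"""Verify an unpacked software update against a hash manifest.

Added example (not from the article or from FireEye/SolarWinds). The
'update' files and manifest values below are constructed for the demo;
a real manifest would come from the vendor over an authenticated channel.
"""
from __future__ import annotations

import hashlib
import os
import tempfile


def sha256_of_file(path: str, chunk_size: int = 65536) -> str:
    """Stream a file through SHA-256 and return its hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_update(update_dir: str, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare every file under update_dir with the manifest.

    Returns four sorted lists: files whose digest matches ('ok'), files whose
    digest differs ('mismatch', i.e. modified or corrupted), files on disk that
    the manifest never listed ('unlisted'), and manifest entries that are absent
    from the package ('missing'). Any deviation from what the vendor published
    is a reason not to install.
    """
    result: dict[str, list[str]] = {"ok": [], "mismatch": [], "unlisted": [], "missing": []}
    on_disk: set[str] = set()
    for root, _dirs, files in os.walk(update_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, update_dir).replace(os.sep, "/")
            on_disk.add(rel)
            expected = manifest.get(rel)
            if expected is None:
                result["unlisted"].append(rel)
            elif sha256_of_file(path) == expected.lower():
                result["ok"].append(rel)
            else:
                result["mismatch"].append(rel)
    result["missing"] = sorted(set(manifest) - on_disk)
    for key in ("ok", "mismatch", "unlisted"):
        result[key].sort()
    return result


def is_safe_to_install(report: dict[str, list[str]]) -> bool:
    """Allow installation only when every listed file matches and nothing is extra or missing."""
    return not (report["mismatch"] or report["unlisted"] or report["missing"])


def build_demo_package() -> tuple[str, dict[str, str]]:
    """Construct a two-file 'update' plus a manifest that matched it when published,
    then modify one file and add an unlisted one, mimicking a tampered package."""
    d = tempfile.mkdtemp(prefix="update_demo_")
    component = b"legitimate component v1\n"   # constructed content
    helper = b"legitimate helper v1\n"         # constructed content
    manifest = {
        "bin/component.dll": hashlib.sha256(component).hexdigest(),
        "bin/helper.dll": hashlib.sha256(helper).hexdigest(),
    }
    os.makedirs(os.path.join(d, "bin"))
    with open(os.path.join(d, "bin", "component.dll"), "wb") as f:
        f.write(component + b"# bytes appended after the manifest was published\n")
    with open(os.path.join(d, "bin", "helper.dll"), "wb") as f:
        f.write(helper)
    with open(os.path.join(d, "bin", "extra.dll"), "wb") as f:
        f.write(b"file the manifest never listed\n")
    return d, manifest


if __name__ == "__main__":
    pkg_dir, pkg_manifest = build_demo_package()
    report = verify_update(pkg_dir, pkg_manifest)
    for category, names in report.items():
        print(f"{category:9s} {names}")
    print("install allowed:", is_safe_to_install(report))
```

Two caveats follow directly from the technique in the quote. The manifest must reach the verifier over a channel the attacker cannot also alter (a signed manifest or a separate trusted source), otherwise whoever can modify the update can rewrite the hashes to match. And if the malicious code is inserted before the vendor computes and publishes its own hashes, every digest will match and this check cannot catch it; it detects modification after publication, not a compromised build.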
The attack against the US federal departments comes less than a month after President Donald Trump fired Christopher Krebs, the director of the Cybersecurity and Infrastructure Security Agency (CISA), who had publicly contradicted the outgoing President's claims of widespread voter fraud during the presidential election.
Krebs had won bipartisan praise during his tenure at CISA, as the Agency coordinated efforts from various government departments to protect electoral systems from domestic or foreign interference.
"By firing Mr Krebs for simply doing his job, President Trump is inflicting severe damage on all Americans — who rely on CISA's defences, even if they don't know it," said Senator Angus King, an independent senator from Maine. Representative Adam Schiff called Trump's decision "pathetic" and criticised him for retaliating against officials who were doing their duty.