Russian Govt. hackers breached the US Treasury & Commerce Depts., along with other US Govt. agencies, as part of a ‘global espionage campaign’ that stretches back many months, revealed sources.
Officials over the weekend were assessing the nature & extent of the intrusions & implementing countermeasures, but the 1st signs revealed the breach was long-running & ‘significant’, people familiar with the matter observed.
Cozy Bear
These Russian hackers, known by the nicknames ‘APT29’ or ‘Cozy Bear’, are part of that country’s foreign intelligence service, the SVR, & they breached email systems in some cases, stated people familiar with the attacks, who spoke with anonymity because of sensitivity.
This same Russian group hacked the US State Dept. & the White House email servers during the Obama administration!
The FBI is investigating this attack, which could have begun as early as Spring, & had ‘no comment’ on Sun. Victims included govt., consulting, technology, telecom, & oil & gas companies in N. America, Europe, Asia & the ME, commented FireEye, a cyber-security company that was itself breached.
Update Server
All organisations were penetrated through the update server of a network management system produced by the firm SolarWinds, FireEye stated in a blog post on Sun.
SolarWinds also commented in a statement on Sun. that monitoring products it released in March & June of 2020 may have been ‘surreptitiously weaponised’ in a “highly-sophisticated, targeted . . . attack by a nation state.”
The extent of the Russian espionage operation appears to be huge, explained several individuals familiar with the matter. “This is looking very, very bad,” observed 1 unnamed person. SolarWinds products are used by more than 300,000 organisations across the world.
‘Big-Deal’
They include all 5 branches of the US military, the Pentagon, the US State Department, the Justice Department, NASA, the Executive Office of the President & the National Security Agency (NSA), the world’s number 1 electronic spy agency, according to the firm’s website.
Clients also include the top 10 US telecommunications companies.
“This is a ‘big deal’ & given what we now know about where breaches happened, I’m expecting the scope to grow as more logs are reviewed,” suggested John Scott-Railton, a Senior Researcher at Citizen Lab at the University of Toronto’s Munk School of Global Affairs & Public Policy.
‘Open Sesame’
“When an aggressive group like this gets an open sesame to many desirable systems, they are going to use it widely.”
FireEye had reported last week that it was breached, & that hacking tools it uses to test clients’ computer defences were stolen. The Washington Post reported that APT29 was the group behind that hack.
FireEye & Microsoft, which were investigating the breach, discovered the hackers were gaining access to victims through updates to SolarWinds’ Orion network monitoring software, FireEye suggested in its blog post, without publicly saying ‘Russians’.
So Serious
Reuters 1st reported these hacks of the US Treasury & Commerce Depts. on Sun., revealing they were carried out by a foreign govt.-backed group. The SVR link to the bigger campaign was previously unreported.
This was so serious that it caused an emergency National Security Council (NSC) meeting on Sat., as reported by Reuters.
National Security Council (NSC)
“The US Govt. is aware of these reports, & we are taking all necessary steps to identify & remedy any possible issues related to this situation,” explained National Security Council spokesperson John Ullyot. There was no comment on which country or group was responsible.
Within the US Commerce Dept., the Russians targeted the National Telecommunications & Information Administration (NTIA), which handles Internet & telecommunications policy, Reuters reported. They have also been linked to attempts to steal coronavirus vaccine research!
Wide-Ranging Espionage
During 2014 & 2015, the same group carried out a wide-ranging espionage campaign that targeted 1,000s of organisations, including US Govt. agencies, foreign embassies, energy companies, telecommunications firms & universities.
As an aspect of this, it hacked the unclassified email systems of the White House, the Pentagon’s Joint Chiefs of Staff & also the US State Department.
“That was the 1st time we saw the Russians become much more aggressive, & instead of simply fading away like ghosts when they were detected, they actually contested access to the networks,” stated Michael Daniel, who was the White House Cyber-Security Co-Ordinator at the time.
US Democratic National Committee (DNC)
One victim in 2015 was the US Democratic National Committee (DNC). Unlike a rival Russian spy agency, the GRU, which also hacked the DNC, it did not leak the stolen material. In 2016, the GRU military spy agency leaked hacked emails to the online ‘anti-secrecy organisation’ WikiLeaks in an operation that disrupted the Democrats’ National Convention in the middle of the presidential campaign.
The SVR, in contrast, usually steals information for traditional espionage purposes, seeking secrets that might help the Kremlin understand the plans & motives of politicians & policymakers. Its operators have also taken industrial data & hacked foreign ministries.
Punitive Measures
Since the Obama Govt. saw the APT29 operation as traditional espionage, it did not consider taking ‘punitive’ measures, explained Daniel, who is currently President & CEO of the Cyber Threat Alliance, an information-sharing group for cyber-security companies.
“It was information collection, which is what nation states, including the US — do,” he suggested. “From our perspective, it was more important to focus on shoring up defences.”
Cyber Co-ordinator
Chris Painter, US State Department Cyber Co-ordinator in the Obama era, stated that even if the Russian campaign is only about espionage, & there is no norm against spying, there should be consequences if the scope is broad. “We just don’t have to sit still for it & say ‘good job,’ ” he outlined.
Sanctions may be an answer, especially if done with allies who were also affected, he observed. “The problem is there’s not even been condemnation from the top. President Trump hasn’t wanted to say anything bad to Russia, which only encourages them to act irresponsibly across a wide range of activities.”
Vladimir Putin
At the very, very least, he suggested, “you’d want to make clear to Russian President Vladimir Putin that this is unacceptable — the scope is unacceptable.”
As yet there is no evidence that the current campaign is being waged for purposes of leaking information, or for disruption of critical infrastructure, e.g., electric grids.
SolarWinds’ monitoring tool has extremely deep “administrative” access to a network’s core functions, meaning that hacking the tool would let the Russians freely explore victims’ systems.
Weaponised Update
APT29 compromised SolarWinds, so that any time a customer checked in to request an update, the Russians could take a ride on the weaponised update to get into a victim’s system. FireEye called the malware that the hackers used “Sunburst.”
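The passage above describes the defender’s core problem with a compromised update server: the customer fetches an update from the same channel the attacker controls, so the channel cannot vouch for itself. The following is an added illustration, not code from the article, FireEye or SolarWinds, of what an out-of-band integrity check looks like. It assumes a hypothetical build pipeline that publishes a manifest (SHA-256 digest of the update plus an HMAC tag under a key the update server never holds); the update bytes, the “tampered” bytes and the key are constructed samples. A tampered update fails the digest check, and a manifest re-issued by someone without the pipeline key fails the tag check, which is the point: the reference the client compares against must not come from the channel being verified.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed sample: the bytes the vendor's build pipeline actually produced.
KNOWN_GOOD_UPDATE = b"OrionUpdate-v1.0 clean build bytes"
# Constructed sample: the same update after modification at the update server.
TAMPERED_UPDATE = KNOWN_GOOD_UPDATE + b"\x00<injected stub>"
# Constructed sample: manifest-signing key held by the build pipeline only (assumption).
PIPELINE_KEY = b"constructed-pipeline-key-not-on-update-server"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an update package."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(update: bytes, key: bytes) -> Dict[str, str]:
    """Produce the out-of-band manifest: digest of the update plus an HMAC over
    that digest.  Whoever lacks `key` cannot produce a manifest that verifies."""
    digest = sha256_hex(update)
    tag = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    return {"sha256": digest, "tag": tag}


def verify_update(update: bytes, manifest: Dict[str, str], key: bytes) -> Tuple[bool, str]:
    """Client-side check run before an update is installed.
    Step 1: is the manifest really from the pipeline (tag check)?
    Step 2: does the downloaded package match the pinned digest?"""
    expected_tag = hmac.new(key, manifest["sha256"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, manifest["tag"]):
        return False, "manifest tag mismatch: manifest was not produced by the build pipeline"
    actual = sha256_hex(update)
    if not hmac.compare_digest(actual, manifest["sha256"]):
        return False, "digest mismatch: package differs from the build the manifest pins"
    return True, "update matches pinned digest"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Three scenarios: clean update, tampered update, and a tampered update
    shipped with a manifest forged by someone who does not hold the pipeline key."""
    genuine_manifest = build_manifest(KNOWN_GOOD_UPDATE, PIPELINE_KEY)
    forged_manifest = build_manifest(TAMPERED_UPDATE, b"attacker-guessed-key")
    return {
        "clean": verify_update(KNOWN_GOOD_UPDATE, genuine_manifest, PIPELINE_KEY),
        "tampered": verify_update(TAMPERED_UPDATE, genuine_manifest, PIPELINE_KEY),
        "forged_manifest": verify_update(TAMPERED_UPDATE, forged_manifest, PIPELINE_KEY),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:16s} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

The check is only as strong as the independence of the manifest channel: if the same compromised server publishes both the package and its digest, the second scenario never occurs and the tampered package verifies. An HMAC is used here purely to keep the example self-contained; a real pipeline would publish a signed manifest under a key the update-distribution tier cannot reach.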
“Mon. may be a bad day for lots of security teams,” tweeted Dmitri Alperovitch, a cyber-security expert & the founder of the Silverado Policy Accelerator think tank.