Hackers connected to the Russian government gained access to some of the most sensitive parts of the U.S. government and the list is growing. The hacking was first reported on December 13, with the Treasury and Commerce departments said to be compromised. On December 14, it turned out the Department of Homeland Security had also been hacked into. On December 15, the list scope grew to include parts of the Pentagon and State Department, according to the New York Times’ Nicole Perlroth. And on December 17, Politico reported that the National Nuclear Security Administration — the agency within the Department of Energy that oversees the nuclear stockpile — had also been hacked.
The list is likely to grow, because according to the Times, around 18,000 government servers and private users downloaded a software update that allowed hackers to access their information on a compromised network management system called SolarWinds. Because the SolarWinds system provides significant access to the workings of a given network, those who hacked in would have wide access once inside a system. At the moment, the motive for the attack is not known, though the hackers may have been in federal government systems as early as March. “This is a big deal,” according to cybersecurity expert John-Scott Railton, who spoke with the Washington Post. “Given what we now know about where breaches happened, I’m expecting the scope to grow as more logs are reviewed. When an aggressive group like this gets an open sesame to many desirable systems, they are going to use it widely.” On December 17, Reuters reported the largest private firm breached in the scheme to-date: Microsoft, one of the largest companies in the world by market capitalization.
Though the National Security Agency is responsible for securing government agencies against this style of attack (and to hack into foreign networks on their own volition) the intelligence agency reportedly was not aware of the concern until last week when it was informed by a private cybersecurity firm called FireEye. The firm, based out of the Bay Area, found out about the breach when they were targeted in the scheme.
Known by the monikers APT29 or Cozy Bear, the infiltrators are connected to Russian foreign intelligence, and broke into unclassified email servers at the State Department and the White House during the Obama administration. Earlier this summer, national security officials in the United Kingdom also warned that the group “has targeted various organisations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines.”
Because SolarWinds is used widely in the government and private sectors, there’s great urgency in the search to determine which parties using the software may have been hacked: Its clients include the Centers for Disease Control and Prevention, the State Department, the Justice Department, Los Alamos National Laboratory, and most Fortune 500 companies. However, just because these departments and companies use the software that is corrupted does not automatically mean they were exposed to the attack. “We think the number who were actually compromised were in the dozens,” Charles Carmakal, a senior vice president at FireEye, told the Times. “But they were all the highest-value targets.”
It’s still unclear exactly when the intrusions began. However, Reuters reports that the breach was serious enough to warrant a National Security Council meeting on December 12. And on December 17, the Times reported that officials at the Department of Homeland Security’s cybersecurity arm have described the attacks as ““a grave risk to the federal government.” The Cybersecurity and Infrastructure Security Agency also added that they anticipate the scale of the hack to grow: “It is likely that the adversary has additional initial access vectors and tactics, techniques and procedures [which] have not yet been discovered.”
This post has been updated.