WASHINGTON (AP) — Hackers broke into the networks of the Treasury and Commerce departments as part of a monthslong global cyberespionage campaign revealed Sunday, just days after the prominent cybersecurity firm FireEye said it had been breached in an attack that industry experts said bore the hallmarks of Russian tradecraft.

In response to what may be a large-scale penetration of U.S. government agencies, the Department of Homeland Security’s cybersecurity arm issued an emergency directive calling on all federal civilian agencies to scour their networks for compromises.

The threat apparently came from the same cyberespionage campaign that has afflicted FireEye, foreign governments and major corporations, and the FBI was investigating.

“This can turn into one of the most impactful espionage campaigns on record,” said cybersecurity expert Dmitri Alperovitch.

News of the hacks, first reported by Reuters, came less than a week after FireEye disclosed that foreign government hackers had broken into its network and stolen the company’s own hacking tools. Many experts suspect Russia is responsible. FireEye’s customers include federal, state and local governments and top global corporations.

The apparent conduit for the Treasury and Commerce Department hacks — and the FireEye compromise — is a hugely popular piece of server software called SolarWinds. It is used by hundreds of thousands of organizations globally, including most Fortune 500 companies and multiple U.S. federal agencies that will now be scrambling to patch up their networks, said Alperovitch, the former chief technical officer of the cybersecurity firm CrowdStrike.

The DHS directive — only the fifth since they were created in 2015 — said U.S. agencies should immediately disconnect or power down any machines running
the impacted SolarWinds software.

FireEye, without naming any specific targets, said in a blog post that its investigation into the hack of its own network had identified “a global campaign” targeting governments and the private sector that, beginning in the spring, had slipped malware into a SolarWinds software update. Neither the company nor U.S. government officials would not say whether it believed Russian state-backed hackers were responsible.

The malware gave the hackers remote access to victims’ networks, and Alperovitch said SolarWinds grants “God-mode” access to a network, making everything visible.

“We anticipate this will be a very large event when all the information comes to light,” said John Hultquist, director of threat analysis at FireEye. “The actor is operating stealthily, but we are certainly still finding targets that they manage to operate in.”

On its website, SolarWinds says its 300,000 customers worldwide including all five branches of the U.S. military, the Pentagon, the State Department, NASA, the National Security Agency, the Department of Justice and the White House. It says the 10 leading U.S. telecommunications companies and top five U.S. accounting firms are also among customers.

FireEye said it had confirmed infections in North America, Europe, Asia and the Middle East, including in the health care and oil and gas industry — and had been informing affected customers around the world in the past few days. It said that malware that rode the SolarWinds update did not seed self-propagating malware — like the 2016 NotPetya malware blamed on Russia that caused more than $10 billion in damage globally — and that any actual infiltration of an infected organization required “meticulous planning and manual interaction.”

That means it’s a good bet only a subset of infected organizations were being spied on by the hackers. Nation-states have their cyberespionage priorities, which include COVID-19 vaccine development.

Cybersecurity experts said last week that they considered Russian state hackers to be the main suspect in the FireEye hack.

On Sunday, Russia’s U.S. embassy described as “unfounded” in a post on its Facebook page the “attempts of the U.S. media to blame Russia for hacker attacks on U.S. governmental bodies.”

Earlier, National Security Council spokesperson John Ullyot said in a statement that the government was “taking all necessary steps to identify and remedy any possible issues related to this situation.” The Cybersecurity and Infrastructure Security Agency at DHS said it was working with other agencies to help “identify and mitigate any potential compromises.”

President Donald Trump last month fired the director of CISA, Chris Krebs, after Krebs vouched for the integrity of the presidential election and disputed Trump’s claims of widespread electoral fraud.

In a tweet Sunday, Krebs said “hacks of this type take exceptional tradecraft and time,” adding that he believed that its impact was only beginning to be understood.

Federal government agencies have long been attractive targets for foreign hackers.

Hackers linked to Russia were able to break into the State Department’s email system in 2014, infecting it so thoroughly that it had to be cut off from the internet while experts worked to eliminate the infestation.

The intrusions disclosed Sunday included the Commerce Department’s agency responsible for internet and telecommunications policy.

Treasury deferred comment to the National Security Council. A Commerce spokesperson confirmed a “breach in one of our bureaus” and said “we have asked CISA and the FBI to investigate.” The FBI said it was engaged in a response but declined to comment further.

Austin, Texas-based SolarWinds confirmed Sunday a “potential vulnerability” related to updates released between March and June for software products called Orion that help monitor networks for problems.

“We believe that this vulnerability is the result of a highly-sophisticated, targeted and manual supply chain attack by a nation state,” said SolarWinds CEO Kevin Thompson said in a statement. He said it was working with the FBI, FireEye and intelligence community.

FireEye announced on Tuesday that it had been hacked, saying foreign state hackers with “world-class capabilities” broke into its network and stole tools it uses to probe the defenses of its thousands of customers. The hackers “primarily sought information related to certain government customers,” FireEye CEO Kevin Mandia said in a statement, without naming them.

Former NSA hacker Jake Williams, the president of the cybersecurity firm Rendition Infosec, said FireEye surely told the FBI and other federal partners how it had been hacked and they determined that Treasury had been similarly compromised.

“I suspect that there’s a number of other (federal) agencies we’re going to hear from this week that have also been hit,” Williams added.

FireEye responded to the Sony and Equifax data breaches and helped Saudi Arabia thwart an oil industry cyberattack — and has played a key role in identifying Russia as the protagonist in numerous aggressions in the burgeoning netherworld of global digital conflict.

Mandia said there was no indication they got customer information from the company’s consulting or breach-response businesses or threat-intelligence data it collects.

___

Bajak reported from Boston and O’Brien from Providence, Rhode Island.

Copyright © 2020 . All rights reserved. This website is not intended for users located within the European Economic Area.

WASHINGTON (Reuters) -Hackers believed to be working for Russia have been monitoring internal email traffic at the U.S. Treasury and Commerce departments, according to people familiar with the matter, adding they feared the hacks uncovered so far may be the tip of the iceberg.

The hack is so serious it led to a National Security Council meeting at the White House on Saturday, said one of the people familiar with the matter.

U.S. officials have not said much publicly beyond the Commerce Department confirming there was a breach at one of its agencies and that they asked the Cybersecurity and Infrastructure Security Agency and the FBI to investigate.

National Security Council spokesman John Ullyot added that they “are taking all necessary steps to identify and remedy any possible issues related to this situation.”

The U.S. government has not publicly identified who might be behind the hacking, but three of the people familiar with the investigation said Russia is currently believed to be responsible for the attack. Two of the people said that the breaches are connected to a broad campaign that also involved the recently disclosed hack on FireEye, a major U.S. cybersecurity company with government and commercial contracts.

In a statement posted here to Facebook, the Russian foreign ministry described the allegations as another unfounded attempt by the U.S. media to blame Russia for cyberattacks against U.S. agencies.

The cyber spies are believed to have gotten in by surreptitiously tampering with updates released by IT company SolarWinds, which serves government customers across the executive branch, the military, and the intelligence services, according to two people familiar with the matter. The trick – often referred to as a “supply chain attack” – works by hiding malicious code in the body of legitimate software updates provided to targets by third parties.

In a statement released late Sunday, the Austin, Texas-based company said that updates to its monitoring software released between March and June of this year may have been subverted by what it described as a “highly-sophisticated, targeted and manual supply chain attack by a nation state.”

The company declined to offer any further detail, but the diversity of SolarWind’s customer base has sparked concern within the U.S. intelligence community that other government agencies may be at risk, according to four people briefed on th
e matter.

SolarWinds says on its website that its customers include most of America’s Fortune 500 companies, the top 10 U.S. telecommunications providers, all five branches of the U.S. military, the State Department, the National Security Agency, and the Office of President of the United States.

‘HUGE CYBER ESPIONAGE CAMPAIGN’

The breach presents a major challenge to the incoming administration of President-elect Joe Biden as officials investigate what information was stolen and try to ascertain what it will be used for. It is not uncommon for large scale cyber investigations to take months or years to complete.

“This is a much bigger story than one single agency,” said one of the people familiar with the matter. “This is a huge cyber espionage campaign targeting the U.S. government and its interests.”

Hackers broke into the NTIA’s office software, Microsoft’s Office 365. Staff emails at the agency were monitored by the hackers for months, sources said.

A Microsoft spokesperson did not respond to a request for comment. Neither did a spokesman for the Treasury Department.

The hackers are “highly sophisticated” and have been able to trick the Microsoft platform’s authentication controls, according to a person familiar with the incident, who spoke on condition of anonymity because they were not allowed to speak to the press.

“This is a nation state,” said a different person briefed on the matter.

The full scope of the breach is unclear. The investigation is still its early stages and involves a range of federal agencies, including the FBI, according to three of the people familiar with the matter.

A spokesperson for the Cybersecurity and Infrastructure Security Agency said they have been “working closely with our agency partners regarding recently discovered activity on government networks. CISA is providing technical assistance to affected entities as they work to identify and mitigate any potential compromises.”

The FBI and U.S. National Security Agency did not respond to a request for comment.

There is some indication that the email compromise at NTIA dates back to this summer, although it was only recently discovered, according to a senior U.S. official.

Updated at 6 a.m. ET

Russian hackers working for the Kremlin are believed to be behind an attack into U.S. government computer systems at the departments of Treasury and Commerce that likely lasted months, according to reports Sunday.

The Kremlin has denied the allegation.

The agencies’ Microsoft Office 365 platform was used to monitor staffers emails, potentially since the spring, Reuters and The New York Times reported
Sunday.

A spokesman for the National Security Council, John Ullyot, appeared to broadly confirm the breach, but offered no specifics about which country may have been involved.

“We have been working closely with our agency partners regarding recently discovered activity on government networks,” Ullyot said in a statement Sunday. “The United States government is aware of these reports, and we are taking all necessary steps to identify and remedy any possible issues related to this situation.”

Microsoft said in a blog post late Sunday, “We believe this is nation-state activity at significant scale, aimed at both the government and private sector.”

Representatives from the two departments that were targeted did not immediately respond to NPR’s request for comment.

Speaking in Moscow on Friday, Kremlin spokesman Dmitry Peskov dismissed the allegations.

“Once again, I can reject these accusations and once again I want to remind you that it was President (Vladimir) Putin who proposed that the American side agree and conclude agreements (with Russia) on cyber security,” Peskov said, adding that Washington had ignored the offer.

“As for the rest, if there have been attacks for many months, and the Americans could not do anything about it, it is probably not worth immediately groundlessly blaming the Russians. We didn’t have anything to do with it,” he said.

The hackers are believed to have gotten into the government systems by tampering with software updates from the IT company SolarWinds. The company has government contracts, including with the military and intelligence services, according to Reuters. The attackers are believed to have used a “supply chain attack” method that embeds malicious code into legitimate software updates. The attack focused on the SolarWinds Orion products.

SolarWinds said in a statement that it was aware of its systems experiencing a “highly sophisticated, manual supply chain attack” on specific versions of its Orion platform software released between March and June of this year.

“We have been advised this attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack,” the company said.

SolarWinds advised users to update to a newer version as soon as possible.

Members of the National Security Council, the Department of Homeland Security, and the FBI are investigating the breach and whether other government systems could have been hacked as well.

Overnight, the Cybersecurity and Infrastructure Security Agency (CISA), which is overseen by the Department of Homeland Security, issued an emergency directive calling on all federal civilian agencies to review their networks for signs of the compromise and to disconnect from SolarWinds Orion products immediately.

“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” said CISA Acting Director Brandon Wales in a statement. “Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners—in the public and private sectors—to assess their exposure to this compromise and to secure their networks against any exploitation.”

The agency said in its directive that, “Affected entities should expect further communications from CISA and await guidance before rebuilding from trusted sources utilizing the latest version of the product available.”

News of the breach comes less than a week after an attack into FireEye, a major U.S. cybersecurity company, was made public. The hackers in that attack, also believed to be Russians, stole the company’s key tools used to test vulnerabilities in the computer networks of its customers, which include government agencies.

If government officials are able to confirm the Russian government as the source of the attack, it would be considered the biggest theft of U.S. government data since a breach in 2014 and 2015, the Times reports.

During those earlier breaches, Russian intelligence has been blamed for accessing unclassified email systems at the White House, State Department and the Joint Chiefs of Staff. Russian actors are also responsible for the 2016 hacking of emails from the Democratic National Committee and Hillary Clinton’s presidential campaign. Moscow also denied these earlier allegations.

NPR’s National Security Correspondent Greg Myre contributed to this report.