Russia suspected in major cyber attack on U.S. Treasury, Commerce departments

By Jaclyn Diaz/NPR

(Washington) — Russian hackers working for the Kremlin are believed to be behind an attack on U.S. government computer systems at the departments of Treasury and Commerce that may have lasted months before it was detected, according to U.S. officials and media reports.

The hackers reportedly broke into the email systems at those two government departments. But the full extent of the breach was not immediately clear as U.S. officials scrambled to make an assessment. There are concerns that hackers may have penetrated other government departments and perhaps private companies as well.

The National Security Council and the Department of Homeland Security both acknowledged the intrusion in brief statements Sunday that provided few details.

“We have been working closely with our agency partners regarding recently discovered activity on government networks,” said NSC spokesman John Ullyot. “The United States government is aware of these reports, and we are taking all necessary steps to identify and remedy any possible issues related to this situation.”

The U.S. government did not name Russia or any other actor as being responsible.

Reuters first reported the story on Sunday, and subsequent reports identified Russia’s foreign intelligence service, the SVR, as the most likely culprit.

Russia’s SVR, the rough equivalent to the CIA in the U.S., was blamed for major hacks in 2014-15 that involved unclassified email systems at the White House, State Department and the Joint Chiefs of Staff.

Russia on Monday denied any involvement in the latest reported breach.

Emergency directive

Meanwhile, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which is part of Homeland Security, issued an emergency directive overnight calling on all federal civilian agencies to review their computer networks for signs of the compromise and to disconnect from SolarWinds Orion products immediately.

SolarWinds has government contracts, including with the military and intelligence services, according to Reuters. The attackers are believed to have used a “supply chain attack” method that embeds malicious code into legitimate software updates.

“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” CISA’s Acting Director Brandon Wales said in a statement. “Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners — in the public and private sectors — to assess their exposure to this compromise and to secure their networks against any exploitation.”

SolarWinds, based in Austin, Texas, put out its own statement saying it was aware that its systems were experiencing a “highly sophisticated, manual supply chain attack” on specific versions of its Orion platform software released between March and June of this year.

“We have been advised this attack was likely conducted by an outside nation-state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack,” the company said.

Kevin Thompson, SolarWinds president and CEO, said in a statement shared with NPR that the company is “acting in close coordination with FireEye, the Federal Bureau of Investigation, the intelligence community, and other law enforcement to investigate these matters. As such, we are limited as to what we can share at this time.”

Tech companies respond

Two other tech companies, Microsoft and FireEye, also weighed in.

Microsoft said in a blog post late Sunday, “We believe this is nation-state activity at significant scale, aimed at both the government and private sector.”

The Commerce Department and the Treasury Department use the Microsoft Office 365 platform, Reuters and The New York Times reported Sunday.

The Commerce and Treasury departments did not immediately respond to NPR’s request for comment.

FireEye reported last week that hackers, also believed to be Russians, stole the company’s key tools used to test vulnerabilities in the computer networks of its customers, which include government agencies.

FireEye said in a blog post late Sunday night that it had identified “a global campaign that introduces a compromise into the networks of public and private organizations through the software supply chain. The compromise is delivered through updates to a widely used IT infrastructure management software – the Orion network monitoring product from SolarWinds.”

Speaking in Moscow last Friday, Kremlin spokesman Dmitry Peskov dismissed the allegations that Russia was involved in the FireEye hack.

“Once again, I can reject these accusations and once again I want to remind you that it was President (Vladimir) Putin who proposed that the American side agree and conclude agreements (with Russia) on cyber security,” Peskov said, adding that Washington had ignored the offer.

“As for the rest, if there have been attacks for many months, and the Americans could not do anything about it, it is probably not worth immediately groundlessly blaming the Russians. We didn’t have anything to do with it,” he said.
