LONDON / WASHINGTON – The US Department of Homeland Security and thousands of companies on Monday attempted to investigate and respond to a sweeping hacking campaign that officials suspect was led by the Russian government.
Emails sent by officials at the DHS, which oversees border security and defenses against hacking, were monitored by the hackers as part of the sophisticated series of breaches, three people familiar with the case told Reuters on Monday.
The attacks, first revealed by Reuters on Sunday, also hit the US Treasury and Commerce Departments. Parts of the Department of Defense were breached, the New York Times reported late Monday evening, while the Washington Post reported that the State Department and National Institutes of Health had been hacked. Neither commented to Reuters.
“For operational security reasons, the DoD will not comment on any specific mitigation measures or specify systems that may have been in place,” a Pentagon spokesman said.
Technology company SolarWinds, the main springboard used by the hackers, said that up to 18,000 of its customers had downloaded a compromised software update that allowed the hackers to spy undetected on companies and agencies for nearly nine months.
The United States issued an emergency warning on Sunday, ordering government users to unplug the SolarWinds software that was said to have been compromised by “malicious actors.”
That warning came after Reuters reported that suspected Russian hackers had used hijacked SolarWinds software updates to break into multiple US government agencies. Moscow denied any connection to the attacks.
One of those familiar with the hacking campaign said that the critical network that DHS’s cybersecurity division uses to protect infrastructure, including the recent election, had not been breached.
DHS said it was aware of the reports, without directly confirming them or saying how badly it had been affected.
DHS is a huge bureaucracy responsible, among other things, for securing the distribution of the COVID-19 vaccine.
The cybersecurity unit there, known as CISA, was thrown into turmoil by President Donald Trump’s firing of Chris Krebs after Krebs called the presidential election the most secure in US history. His deputy and the head of election security have also left.
SolarWinds said in a regulatory filing that it believed the attack was the work of an “outside nation-state” that inserted malicious code into updates to its Orion network management software released between March and June this year.
“SolarWinds currently believes that the actual number of customers who may have had an installation of the Orion products containing this vulnerability is less than 18,000,” it said.
The company did not respond to requests for comment about the exact number of customers compromised or the extent of any breaches at those organizations.
It said it was unaware of vulnerabilities in any of its other products and was now investigating with the help of US law enforcement and third-party cybersecurity experts.
SolarWinds has 300,000 customers worldwide, including the majority of Fortune 500 companies in the United States and some of the most sensitive parts of the US and UK governments, such as the White House, defense and intelligence agencies of both countries.
Because the attackers could use SolarWinds to get inside a network and then create a new back door, simply disconnecting the network management program isn’t enough to get the hackers out, experts said.
For that reason, thousands of customers are looking for signs of the hackers’ presence and trying to track down and disable those additional tools.
Researchers around the world are now trying to find out who got hit.
A UK government spokesperson said the UK was currently unaware of the hack’s impact, but is still investigating.
Three people familiar with the investigation into the hack told Reuters that any organization running a compromised version of the Orion software would have had a “back door” installed in its computer systems by the attackers.
After that, it was up to the attackers to decide whether to exploit that access further, said one of the sources.
Initial clues suggest the hackers were selective about whom they chose to break into, according to two people familiar with the wave of cybersecurity investigations that began Monday morning.
“What we see is far less than all the possibilities,” said one person. “They use this like a scalpel.”
FireEye, a leading cybersecurity company that was itself breached in connection with the incident, said in a blog post that other targets included “government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East.”
“If it is cyber espionage, then it is one of the most effective cyber espionage campaigns we’ve seen in a long time,” said John Hultquist, FireEye’s director of intelligence analysis.