How Russian hackers infiltrated the federal government

The Treasury Department is reportedly one of the victims of a potentially massive hack of government systems. | Ting Shen/Xinhua News Agency/Getty Images

Here’s what we know so far.


Hackers reportedly linked to the Russian government managed to hack into multiple US government agencies in what could be the largest hack of government systems since the Obama administration — or perhaps ever.

Malware inserted into third-party software may have given hackers access to various government systems for months. It went undetected until last week, when a cybersecurity company that makes hacking tools discovered that its own systems were breached.

Security agencies are currently assessing exactly which departments were breached and what information was accessed. So far, the Commerce Department has confirmed it was hacked, and the Treasury and State departments, Department of Homeland Security, parts of the Pentagon, and the National Institutes of Health are reported to have been affected. There will likely be more.

According to anonymous officials, the hackers are a Russian group called Cozy Bear, also known as APT29. It was also behind the hack of the Democratic National Committee and Hillary Clinton campaign staffers during her 2016 campaign, as well as the 2014 hack of the White House and State Department’s unclassified networks. Cozy Bear is also believed to be behind recent attacks on various organizations developing Covid-19 vaccines. The group is linked to Russian intelligence, although Russia has denied any involvement — a position it maintains now.

“Malicious activities in the information space contradict the principles of the Russian foreign policy, national interests and our understanding of interstate relations,” the Russian Embassy said in a statement. “Russia does not conduct offensive operations in the cyber domain.”

The Trump administration was initially reluctant to say much about the hack officially, or assign blame to a specific country. Secretary of State Mike Pompeo told Breitbart Radio News on Monday that Russia may have been behind it, but it may also have been China or North Korea.

Democrats had more to say. Illinois Sen. Dick Durbin called it “virtually a declaration of war by Russia on the United States,” while Sen. Richard Blumenthal (D-CT) said the classified information he received about “Russia’s cyberattack” left him feeling “deeply alarmed, in fact downright scared.”

Sen. Mitt Romney (R-UT) came forward on Thursday to compare the attack to “Russian bombers … repeatedly flying undetected over our entire country.” He criticized America’s “glaringly inadequate” cybersecurity defenses, as well as the president’s “inexcusable silence and inaction” in response to it.

Following these accusations by senators, Pompeo had become more definitive by the end of the week.

“We can say pretty clearly that it was the Russians that engaged in this activity,” he said in an interview on Friday.

President Donald Trump, however, seemed to have received different information than everyone else. In his first comments about the hack, nearly a week after it was first reported, Trump tweeted that it had been exaggerated in the press and was “under control,” adding that China “may” be behind it, and that the hack may have affected voting machines in the election, which he still falsely insists that he won.

But Trump’s own former Department of Homeland Security adviser, Thomas Bossert, said in a New York Times op-ed that the “magnitude of this ongoing attack is hard to overstate” and that it would take years to understand how pervasive and damaging it was.

The hacks are believed to have begun last March through network monitoring software called the Orion Platform, which is made by a Texas company called SolarWinds. SolarWinds says it has more than 300,000 customers around the world, including the American military, the Pentagon, the Department of Justice, the State Department, the Commerce and Treasury departments, and more than 400 Fortune 500 companies (the webpage with this listing was showing an error message by Monday afternoon).

But not all of those clients used the Orion Platform. SolarWinds believes fewer than 18,000 customers were potentially affected, according to the Washington Post. The hackers were somehow able to insert malware into the software’s updates which, once installed, gave them access to those systems.

FireEye, a cybersecurity company that was also a victim of the SolarWinds hack, has named this malware “SUNBURST.” (Microsoft has named it “Solorigate.”) FireEye revealed last week that it was attacked “by a nation with top-tier offensive capabilities,” and was reportedly the first to discover the hack — not, apparently, the government agencies charged with protecting the nation’s cybersecurity infrastructure.

SolarWinds has now released software updates that fix the vulnerability and apologized “for any inconvenience caused.”

The Commerce Department was among the first to confirm a breach of one of its agencies but has not specified which one was hit. Citing anonymous sources, Reuters reported that the National Telecommunications and Information Administration was the affected agency, and that hackers have had access to staff emails for months. The Department of Energy has also said it found malware in its business networks, but it had not affected the “mission essential national security functions.”

The departments of Treasury, State, Agriculture, and Homeland Security, as well as the National Institutes of Health, are also believed to have been affected, but they have not officially confirmed whether this is the case. How extensive the hacks were, or which systems were affected in those departments, has also not been made public.

The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive on December 13 to federal civilian agencies to disconnect affected products from their networks immediately.

“The NSC is working closely with CISA, FBI, the intelligence community, and affected departments and agencies to coordinate a swift and effective whole-of-government recovery and response to the recent compromise,” National Security Council spokesperson John Ullyot said in a statement.

In contrast to the current president, President-elect Joe Biden was quick to respond to the news of the hack and forceful in his comments.

“My administration will make cybersecurity a top priority at every level of government — and we will make dealing with this breach a top priority from the moment we take office,” Biden said in a statement on Thursday. “We need to disrupt and deter our adversaries from undertaking significant cyber attacks in the first place. We will do that by, among other things, imposing substantial costs on those responsible for such malicious attacks, including in coordination with our allies and partners. Our adversaries should know that, as President, I will not stand idly by in the face of cyber assaults on our nation.”

Open Sourced is made possible by Omidyar Network. All Open Sourced content is editorially independent and produced by our journalists.
