Over the weekend, news leaked that federal law enforcement agencies are investigating a successful espionage-focused cyberattack against the U.S. government.
A U.S. Department of Commerce spokesperson made the following cryptic confirmation:
"We have asked CISA [Cybersecurity and Infrastructure Security Agency] and the FBI to investigate, and we cannot comment further at this time."
Early information on the U.S. government cyberattack
Reuters, which covered the story, talked to several sources who confirmed a number of things about the reported cyberattack:
- The attack victim agencies known so far are the U.S. Department of Treasury and the Commerce Department's National Telecommunications and Information Administration (NTIA).
- "Three of the people familiar with the investigation said Russia is currently believed to be behind the attack," according to Reuters.
- The Washington Post reported that this may be part of a larger campaign which includes the recent theft of FireEye Red Team tools: "The Russian government hackers who breached a top cybersecurity firm are behind a global espionage campaign that also compromised the Treasury and Commerce departments and other U.S. government agencies, according to people familiar with the matter."
How did the successful cyberattack happen?
One thing that remains unclear is how the successful cyberattack occurred and which technology or tools were compromised.
For example, the Washington Post says it was an IT network monitoring tool:
"All of the organizations were breached through a network management system called SolarWinds, according to three people familiar with the matter, who spoke on condition of anonymity because of the issue's sensitivity."
However, others told Reuters the hackers defeated Office 365 authentication in the attack:
"Hackers broke into the NTIA's office software, Microsoft's Office 365. Staff emails at the agency were monitored by the hackers for months, sources said."
Who was behind the successful cyberattack against the U.S. government?
One area where sources appear to agree is around which nation-state is most likely behind these attacks against the U.S. Treasury Department and the NTIA.
Russian hackers—most likely the hacking group APT29, known as Cozy Bear—are believed to be behind the attack. This group is linked to the Russian foreign intelligence service, or SVR.
And there is real concern that we are only looking at the tip of the iceberg in this case because other agencies may also be victims.
"This is a huge cyber espionage campaign targeting the U.S. government and its interests," a source told Reuters.
It appears that a National Security Council meeting was convened at the White House over the weekend to discuss the breach.
We'll update this story as we learn more.