US officials suspect that Russian-linked hackers were behind the recent data breach of multiple federal agencies, including the Departments of Homeland Security, Agriculture and Commerce, but are continuing to investigate the incident, multiple sources told CNN Monday.
CNN learned Monday that DHS’ cyber arm, which is tasked with helping safeguard the nation from attacks by malicious foreign actors, is among at least three US government agencies compromised in the hack.
A source familiar with the matter said that number is expected to increase in the coming hours and days.
While the exact scope and scale of the hack still remain to be seen, it is already becoming clear that this marks one of the most significant breaches of the US government in years. It also shows that Russia and other foreign actors continue to exploit US cyber vulnerabilities – an issue that will likely present a challenge for the incoming Biden administration.
Officials suspect a breach may also have occurred in the computer systems of the Treasury Department and US Postal Service, according to a senior administration official, who noted those investigations are ongoing.
Asked whether the USPS system was breached, a spokesman for the Postal Service told CNN, “The U.S. Postal Service was made aware of the cyber incident at SolarWinds by the Department of Homeland Security (DHS) on Dec. 13, 2020. As with any notification of this nature, USPS is conducting a thorough review of its systems and processes to safeguard its network and ensure the integrity of its systems.”
The US Department of Agriculture didn’t immediately respond to a request for comment. CNN had previously confirmed the breach to Commerce and DHS, although DHS didn’t specify which of its departments had been affected.
Additionally, a defense official told CNN that an assessment is still underway to determine what impact there has been, if any, on Department of Defense networks. Acting Defense Secretary Christopher Miller was expected to receive a briefing on the attacks Monday, an official added.
If any defense networks were compromised, US Cyber Command “is postured for swift action,” a spokesperson said, adding that they “are in close coordination with our interagency, coalition, industry, and academic partners to assess and mitigate this issue.”
As part of its response, the government put into effect Presidential Policy Directive 41, an Obama-era plan for executing a Federal Government response to any cyber incident, whether involving government or private sector entities. For significant cyber incidents, the directive also establishes a plan for coordinating a response between the agencies and it requires the Departments of Justice and Homeland Security to assist entities affected by cyber incidents.
While US officials believe that a Russia-linked entity or Russian individuals are responsible for the attacks, they have not yet finalized their designation on which actors are responsible, a senior administration official said.
The National Security Council has decided to convene two meetings daily with the Cyber Response Group to determine the scope, scale and impact of the hack, they added.
In the first of its meetings on Monday, officials came closer to a determination that a Russian-backed group was responsible but forensic investigations are ongoing, the official told CNN.
A meeting scheduled for later Monday aims to determine which government agencies were compromised. So far, only the Commerce Department has said publicly that it experienced a breach but other agencies appeared to have been targeted as well.
“We have a hunch about who is behind the breaches,” another administration official said, also confirming Monday’s Emergency Cyber Response Group meeting. “But forensics like this take time to nail down, unless they were sloppy about it.”
Early statements issued by the technology company SolarWinds, whose system was breached by the hackers, suggest the operation was sophisticated and “extremely targeted,” meaning it may take some time before blame is formally attributed.
But in the meantime, top US officials, including Secretary of State Mike Pompeo, are not shying away from suggesting Russia was involved.
When asked about the hack Monday, Pompeo cited consistent Russian efforts to breach servers belonging to American government agencies and businesses, but would not give any additional details.
“I can’t say much other than it’s been a consistent effort of the Russians to try and get into American servers, not only those of government agencies but of businesses,” Pompeo said in an interview with Breitbart News Radio.
The Russian embassy in Washington, on the other hand, is forcefully denying any involvement in the hack, which was first reported by Reuters Sunday, saying in a statement: “We paid attention to another unfounded attempts of the US media to blame Russia for hacker attacks on US governmental bodies.”
“It’s too early to understand the depth and scale of the recent breach affecting the Commerce Department and other government agencies,” said Tony Lawrence, CEO and founder of VOR Technology and Light Rider. “The Russians have very advanced cyber programs and it’s likely there have been footholds in these systems that have gone undetected and unchallenged. In 2008, the Russians executed a cyberattack using thumb drives, commonly known as Buckshot Yankee, and it’s possible this breach is related to that previous attack.”
Linked to previous breach?
But despite the embassy’s claim that “Russia does not conduct offensive operations in the cyber domain,” Moscow has been linked to several recent breaches, including last week’s hack of FireEye, an attack that compromised the so-called “Red Team” tools it uses to protect clients, including government customers.
In two blog posts Sunday, the cybersecurity firm tied the SolarWinds vulnerability directly to its own announced breach, which a source familiar with the matter previously told CNN was likely carried out by a Russian-affiliated group known as APT29.
FireEye described a “global intrusion campaign” that takes advantage of a critical flaw in a network monitoring product sold by SolarWinds, an IT network management company. The victims have included government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East, the second blog post says, adding that they anticipate there are additional victims in other countries and verticals.
A source familiar with the attacks on both FireEye and those reported Sunday also told CNN that “it’s all related.”
“These sorts of attacks leveraging trusted relationships are extraordinarily difficult to detect and defend against in real-time,” the person said, adding that while the Commerce and Treasury Departments are the victims that have so far been identified, “there will no doubt be more.”
The US Commerce Department was the first agency to confirm it was the victim of a data breach in an attack that is believed to be linked to Russia.
“We can confirm there has been a breach in one of our bureaus,” the Commerce Department said in a statement to CNN Sunday. “We have asked CISA and the FBI to investigate, and we cannot comment further at this time.”
CISA also confirmed the data security incident, though did not immediately reveal it experienced a breach, telling CNN in a statement, “We have been working closely with our agency partners regarding recently discovered activity on government networks.”
“CISA is providing technical assistance to affected entities as they work to identify and mitigate any potential compromises,” the statement continued.
CISA issued a directive late Sunday that tech company SolarWinds was compromised and it posed “unacceptable risks to the security of federal networks,” said CISA acting Director Brandon Wales.
SolarWinds Orion products are used by a number of federal civilian agencies for network management and CISA is urging the agencies to review their networks for any possible signs of a data breach. This is only the fifth emergency directive issued since 2015, when CISA was created by Congress in the Cybersecurity Act.
SolarWinds said in a statement Sunday night that the breach of its system “was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack.”
‘Massive national security failure’
On Monday, the technology company said it believes “fewer than 18,000” customers could have been affected by the software vulnerability.
In a new financial filing, SolarWinds said that out of a total of 300,000 customers, the company “believes the actual number of customers that may have had an installation of the Orion products that contained this vulnerability to be fewer than 18,000.”
SolarWinds has released a software update addressing the flaw and anticipates providing a second software update by December 15 to “further address” the security gap, the company added.
Microsoft also responded to the hack in a blog post overnight, telling customers that it has updated its anti-spyware program to detect the SolarWinds vulnerability.
“We believe this is nation-state activity at significant scale, aimed at both the government and private sector… We also want to reassure our customers that we have not identified any Microsoft product or cloud service vulnerabilities in these investigations,” the post said.
Sen. Ron Wyden, a Democrat from Oregon who serves on the Senate Intelligence Committee, warned Monday that the damage caused by the breach may be “far more significant than currently known.”
“If reports are true and state-sponsored hackers successfully snuck malware-riddled software into scores of federal government systems, our country has suffered a massive national security failure that could have ramifications for years to come,” he said in a statement to CNN. “I’m pressing the government for more information about the full scope of this breach and the steps that agencies are taking to mitigate it. I fear that the damage is far more significant than currently known.”
“I have warned for years that the government was falling down on the basics of securing federal systems, and this breach unfortunately proves me right. To start, it’s high time to scrap the lax practice of allowing agencies to install high-risk software on government systems without subjecting it to a thorough security review,” Wyden added.
This story has been updated with additional reporting.
CNN’s Alex Marquardt, Barbara Starr, Geneva Sands and Kylie Atwood contributed reporting.