
U.S. Agencies Warned of Widespread Cyber-Espionage Hack

U.S. government agencies are hunting for signs of compromise and malware after authorities learned that the Treasury and Commerce departments were hacked as part of a months-long cyber-espionage campaign.

In an emergency directive issued Sunday, the U.S. Department of Homeland Security (DHS) warned of an “unacceptable risk” to the executive branch from a feared largescale penetration of government agencies that could date back six months or longer, according to The Washington Post. The possible campaign was discovered after cybersecurity firm FireEye disclosed it had been breached—which signaled potential compromises of government agencies and major corporations, as well.

Reuters broke the story of the breach of U.S. agencies after originally breaking the story of the FireEye hack last week, noting that an arsenal of hacking tools used in penetration tests had been stolen. However, cybersecurity experts warn that the latest discoveries around new vulnerabilities and hacking methods used in the FireEye attack are likely to uncover deeper vulnerabilities and compromises as the investigation continues.

While neither FireEye nor the government has attributed the attacks to a particular threat actor, signs point to Russian involvement, especially given the careful tradecraft. Russia’s foreign ministry has rejected the allegations as “baseless.”

The investigation so far has found that the conduit for all of these attacks is the SolarWinds Orion server software product, which is used by the Pentagon, all branches of the U.S. military, numerous other government agencies, telecommunications companies, accounting firms, and educational institutions. SolarWinds issued a security advisory on Sunday recommending that all customers upgrade their software.

"SolarWinds has just been made aware our systems experienced a highly sophisticated, manual supply chain attack on SolarWinds Orion Platform software builds for versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020," the company said. "We have been advised this attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack."

The DHS directive told U.S. agencies to immediately disconnect or power down any machines using the affected SolarWinds software. All agencies using SolarWinds products need to provide a completion report to the DHS Cybersecurity & Infrastructure Security Agency (CISA) by noon, Eastern Standard Time, today.

The malware in question gives hackers remote access to victims’ networks, potentially enabling malicious actors to monitor government communications, the BBC reported.