LONDON / WASHINGTON – The U.S. Department of Homeland Security and thousands of companies scrambled Monday to investigate and respond to an extensive hacking campaign that officials suspect was led by the Russian government.
Emails sent by DHS officials, who oversee border security and defense against hacking, were monitored by hackers as part of the sophisticated series of intrusions, three people familiar with the matter told Reuters on Monday.
The attacks, revealed by Reuters on Sunday, also affected the U.S. Treasury and Commerce departments. Parts of the Department of Defense were breached, the New York Times reported Monday night, while the Washington Post reported that the State Department and National Institutes of Health were hacked. Neither the State Department nor NIH commented to Reuters.
“For operational security reasons, the Department of Defense will not comment on specific mitigation measures or specify systems that may have been affected,” a Pentagon spokesman said.
Technology company SolarWinds, whose software was the key steppingstone used by the hackers, said up to 18,000 of its customers had downloaded a compromised software update that allowed hackers to spy unnoticed on companies and agencies for nearly nine months.
The United States issued an emergency warning on Sunday, ordering government users to disconnect from SolarWinds software, which it said had been compromised by “malicious actors.”
The warning came after Reuters reported that alleged Russian hackers had used hijacked SolarWinds software updates to break into several U.S. government agencies. Moscow denied having any connection to the attacks.
One person familiar with the hacking campaign said the critical network that DHS’s cybersecurity division uses to protect infrastructure, including the recent election, had not been breached.
DHS said it was aware of the reports, without directly confirming them or saying to what extent it was affected.
DHS is a massive bureaucracy responsible for, among other things, ensuring the distribution of the COVID-19 vaccine.
Its cybersecurity unit, known as CISA, has been disrupted by President Donald Trump's dismissal of its head, Chris Krebs, after Krebs called the presidential election the safest in American history. His deputy and election chief have also left.
SolarWinds said in a regulatory filing that it believed the attack was the work of an “outside nation state” that inserted malicious code into updates to its Orion network management software issued between March and June of this year.
“SolarWinds currently believes that the actual number of customers who may have had an installation of Orion products that contained this vulnerability is less than 18,000,” it said.
The company did not respond to requests for comment on the exact number of compromised customers or the extent of the breaches in those organizations.
It said it was not aware of vulnerabilities in any of its other products and was now investigating with the help of U.S. law enforcement and outside cybersecurity experts.
SolarWinds has 300,000 customers worldwide, including most of the U.S. Fortune 500 companies and some of the most sensitive parts of the U.S. and British governments, such as the White House, the defense departments, law enforcement agencies and the signals intelligence agencies of both countries.
Because attackers could use SolarWinds to break into a network and then create a new backdoor, simply disconnecting the network management program is not enough to boot out the hackers, experts said.
For this reason, thousands of customers are looking for signs of the presence of hackers and trying to find and disable these additional tools.
Investigators around the world are now scrambling to find out who was hit.
A British government spokesman said the UK was not currently aware of any impact from the hacking, but was still investigating.
Three people familiar with the hacking investigation told Reuters that any organization running a compromised version of Orion software would have had a “back door” installed on its computer systems by the attackers.
“After that, it’s just a matter of whether the attackers decide to exploit that access even more,” one source said.
Early indications suggest that the hackers were selective about which victims they chose to pursue, according to two people familiar with the wave of corporate cybersecurity investigations that began Monday morning.
“What we see is much less than all the possibilities,” one person said. “They’re using this as a scalpel.”
FireEye, a major cybersecurity company that was breached in connection with the incident, said in a blog post that other targets include “government, consulting, technology, telecommunications and extractive entities in North America, Europe, Asia and the Middle East.”
“If it’s cyber espionage, it’s one of the most effective cyber espionage campaigns we’ve seen in a long time,” said John Hultquist, director of intelligence analysis at FireEye.