U.S. Homeland Security, thousands of businesses scramble after suspected Russian hack
[December 15, 2020]
By Jack Stubbs, Raphael Satter and Joseph Menn
LONDON/WASHINGTON (Reuters) - The U.S.
Department of Homeland Security and thousands of businesses scrambled
Monday to investigate and respond to a sweeping hacking campaign that
officials suspect was directed by the Russian government.
Emails sent by officials at DHS, which oversees border security and
defense against hacking, were monitored by the hackers as part of the
sophisticated series of breaches, three people familiar with the matter
told Reuters Monday.
The attacks, first revealed by Reuters Sunday, also hit the U.S.
departments of Treasury and Commerce. Parts of the Defense Department
were breached, the New York Times reported late Monday night, while the
Washington Post reported that the State Department and National
Institutes of Health were hacked. Neither of them commented to Reuters.
"For operational security reasons the DoD will not comment on specific
mitigation measures or specify systems that may have been impacted," a
Pentagon spokesman said.
Technology company SolarWinds, which was the key steppingstone used by
the hackers, said up to 18,000 of its customers had downloaded a
compromised software update that allowed hackers to spy unnoticed on
businesses and agencies for almost nine months.
The United States issued an emergency warning on Sunday, ordering
government users to disconnect SolarWinds software which it said had
been compromised by "malicious actors."
That warning came after Reuters reported suspected Russian hackers had
used hijacked SolarWinds software updates to break into multiple
American government agencies. Moscow denied having any connection to the
attacks.
One of the people familiar with the hacking campaign said the critical
network that DHS' cybersecurity division uses to protect infrastructure,
including the recent elections, had not been breached.
DHS said it was aware of the reports, without directly confirming them
or saying how badly it was affected.
DHS is a massive bureaucracy that is, among other things, responsible for
securing the distribution of the COVID-19 vaccine.
The cybersecurity unit there, known as CISA, has been upended by
President Donald Trump's firing of head Chris Krebs after Krebs called
the presidential election the most secure in American history. His
deputy and the elections chief have also left.
SolarWinds said in a regulatory disclosure it believed the attack was
the work of an "outside nation state" that inserted malicious code into
updates of its Orion network management software issued between March
and June this year.
"SolarWinds currently believes the actual number of customers that may
have had an installation of the Orion products that contained this
vulnerability to be fewer than 18,000," it said.
The company did not respond to requests for comment about the exact
number of compromised customers or the extent of any breaches at those
organisations.
[Photo caption: A hooded man holds a laptop computer as cyber code is
projected on him in this illustration picture taken on May 13, 2017.
REUTERS/Kacper Pempel]
It said it was not aware of vulnerabilities in any of its other
products and it was now investigating with help from U.S. law
enforcement and outside cybersecurity experts.
SolarWinds boasts 300,000 customers globally, including the majority
of the United States' Fortune 500 companies and some of the most
sensitive parts of the U.S. and British governments - such as the
White House, defence departments and both countries' signals
intelligence agencies.
Because the attackers could use SolarWinds to get inside a network
and then create a new backdoor, merely disconnecting the network
management program is not enough to boot the hackers out, experts
said.
For that reason, thousands of customers are looking for signs of the
hackers' presence and trying to hunt down and disable those extra
tools.
Investigators around the world are now scrambling to find out who
was hit.
A British government spokesman said the United Kingdom was not
currently aware of any impact from the hack but was still
investigating.
Three people familiar with the investigation into the hack told
Reuters that any organisation running a compromised version of the
Orion software would have had a "backdoor" installed in their
computer systems by the attackers.
"After that, it's just a question of whether the attackers decide to
exploit that access further," said one of the sources.
Early indications suggest that the hackers were discriminating about
who they chose to break into, according to two people familiar with
the wave of corporate cybersecurity investigations being launched
Monday morning.
"What we see is far fewer than all the possibilities," said one
person. "They are using this like a scalpel."
FireEye, a prominent cybersecurity company that was breached in
connection with the incident, said in a blog post that other targets
included "government, consulting, technology, telecom and extractive
entities in North America, Europe, Asia and the Middle East."
"If it is cyber espionage, then it is one of the most effective cyber
espionage campaigns we've seen in quite some time," said John
Hultquist, FireEye's director of intelligence analysis.
(Reporting by Jack Stubbs, Raphael Satter, Christopher Bing and
Joseph Menn; Editing by Lisa Shumaker)
[© 2020 Thomson Reuters. All rights reserved. This material may not be
published, broadcast, rewritten or redistributed. Thomson Reuters is solely
responsible for this content.]