Intelligence agencies around the world are rushing to assess the extent of a wide-ranging espionage attack by a “nation-state attacker” on US federal agencies, companies and other groups.
The US issued an emergency warning on Sunday after learning that software that may have been used by most Fortune 500 companies and multiple federal agencies, including the US military and the Pentagon, had been hijacked to gain entry to secure IT systems.
“We urge all our partners — in the public [and] private sectors — to assess their exposure to this compromise and to secure their networks,” said the US Cybersecurity and Infrastructure Security Agency, after a cyber security company unearthed the “global intrusion campaign”.
The US government has not identified the attacker. However, FireEye, the US cyber security group that first flagged the hacking campaign last week and was itself hacked, attributed it to a nation-state.
SolarWinds, the software group whose “Orion” product was used to gain entry to government systems, said the hackers had inserted malware into software updates distributed between March and June, meaning the attackers could have had access to affected systems for up to nine months. SolarWinds added that “fewer than 18,000” of its 275,000 customers may have been exposed.
The National Security Council at the White House said on Monday that it was working with CISA, the FBI, the intelligence community and affected departments and agencies “to co-ordinate a swift and effective whole-of-government recovery and response to the recent compromise”.
Jeremy Fleming, head of British signals intelligence agency GCHQ, said his staff were “working at pace” with their US partners and the private sector to understand the implications. The National Cyber Security Centre, GCHQ’s defensive cyber arm, is releasing advice for UK organisations that consider themselves at risk.
It is still unclear exactly which US government agencies have been compromised. The US commerce department confirmed that one of its bureaux had been breached and there were also media reports that the US Treasury had been hacked. A spokesperson declined to confirm the reports.
A spokesperson for the US Department of Homeland Security said it was “aware of reports of a breach. We are currently investigating the matter.”
Theresa Payton, former White House chief information officer and chief executive of cyber security consultancy Fortalice Solutions, said it was “very likely that [hackers] have access to months worth of data . . . which means staffer emails, messages, documents and more have been monitored, read, copied, intercepted”.
One person briefed on the investigation said the precision with which US government agencies had been targeted suggested that the motivation had been to gain intelligence from the heart of the US administration.
Mark Warner, the leading Democrat on the Senate select committee on intelligence, indicated that officials were still gathering information on the impact and goals of the attacks.
“[W]e should make clear that there will be consequences for any broader impact on private networks, critical infrastructure, or other sensitive sectors,” he said in a statement.
Rosa Smothers, a former CIA cyber threat analyst and technical intelligence officer, described the incident as “a very high-end attack” that could have a wider impact on the US’s Five Eyes intelligence-sharing partners.
She said the hack was most likely perpetrated by APT 29, a hacking group also known as Cozy Bear, which is known to have links to Russian intelligence.
“There’s a great deal of forensics work that’s going to have to be uncovered to determine the length and breadth of the damage done,” she said.
Dmitry Peskov, president Vladimir Putin’s spokesman, said Russia had “nothing to do” with the attack.
“If the Americans couldn’t do anything about it for several months, then they probably shouldn’t make groundless accusations that the Russians did everything,” Mr Peskov said, according to Interfax.