LONDON / WASHINGTON – The U.S. Department of Homeland Security and thousands of businesses scrambled on Monday to respond to a massive hacking campaign that authorities suspect was directed by the Russian government.
Emails sent by DHS officials overseeing border security and anti-hacking efforts were monitored by the hackers as part of a series of sophisticated breaches, three people familiar with the matter told Reuters on Monday.
The attacks, which Reuters first disclosed on Sunday, also hit the U.S. Treasury and Commerce Department. Parts of the Department of Defense were breached, the New York Times reported on Monday night, while the Washington Post reported that the State Department and the National Institutes of Health had been hacked. Neither commented to Reuters.
“For operational security reasons, the DoD does not comment on specific mitigation measures or identify vulnerable organizations,” a Pentagon spokesman said.
Technology company SolarWinds said the main vector used by the hackers was a compromised software update pushed to as many as 18,000 of its customers, which allowed the intruders to spy on businesses and agencies undetected for almost nine months.
The United States issued an emergency directive on Sunday ordering government users to disconnect the SolarWinds software, which it said had been compromised by “malicious actors.”
The warning came after Reuters reported that suspected Russian hackers had used hijacked SolarWinds software updates to break into several U.S. government agencies. Moscow has denied any involvement in the attacks.
One of the people familiar with the hacking campaign said the critical network used by DHS’s cybersecurity division to protect infrastructure, including the recent elections, had not been breached.
DHS said it was aware of the reports, without directly confirming them or saying how badly it had been affected.
DHS also has a major role in securing the distribution of the COVID-19 vaccine.
The cybersecurity division, known as CISA, has been shaken by President Donald Trump’s firing of its leader, Chris Krebs, after Krebs called the election the most secure in American history. His deputy and the agency’s election lead have also left.
SolarWinds said in a regulatory filing that an “outside nation state” had inserted malicious code into updates of its Orion network management software released between March and June this year.
“SolarWinds currently believes the actual number of customers that may have installed the Orion products to be fewer than 18,000,” it said.
The company did not respond to requests for comment on the exact number of compromised customers or the extent of any breaches at those organizations.
It said it was not aware of vulnerabilities in any of its other products and was now investigating with the help of U.S. law enforcement and outside cybersecurity experts.
SolarWinds has 300,000 customers worldwide, including Fortune 500 companies in the United States and key parts of the U.S. and British governments – the White House, the Department of Defense and the signals intelligence agencies of both countries.
Because the attackers could use SolarWinds to get into a network and then create a new backdoor of their own, experts said that simply disconnecting the network management program was not enough to get rid of the intruders.
For that reason, thousands of customers are looking for signs of the hackers’ presence and trying to find and disable those extra tools.
Investigators around the world are now scrambling to find out who was attacked.
A British government spokesman said the United Kingdom was not immediately aware of any effects from the hack but was still investigating.
The three people familiar with the investigation told Reuters that any organization running a compromised version of the Orion software would have had a “backdoor” installed on its computer systems by the attackers.
“After that, it is a question of whether the attackers decide to use that access further,” one of the sources said.
According to two people familiar with the wave of corporate cybersecurity investigations that began on Monday morning, early signs suggest the hackers were selective about whose networks they entered.
“What we see is far less than all the possibilities,” one said. “They use it like a scalpel.”
FireEye, a leading cybersecurity firm involved in the incident response, said in a blog post that other targets “include government, consulting, technology, telecommunications and extractive companies in North America, Europe, Asia and the Middle East.”
“If this is cyber espionage, it’s one of the best cyber espionage campaigns we’ve seen in a while,” said John Hultquist, director of intelligence analysis at FireEye.