On Monday, December 14, various news media outlets reported that the National Institutes of Health were among the growing list of federal agencies that have been victimized by a mysterious cyberespionage campaign that appears to have originated in Russia, with other federal agencies and other entities potentially also targets.
The Reuters news agency’s Jack Stubbs, Raphael Satter, and Joseph Menn wrote that “The U.S. Department of Homeland Security and thousands of businesses scrambled Monday to investigate and respond to a sweeping hacking campaign that officials suspect was directed by the Russian government. Emails sent by officials at DHS, which oversees border security and defense against hacking, were monitored by the hackers as part of the sophisticated series of breaches, three people familiar with the matter told Reuters Monday.” And, they added, “The attacks, first revealed by Reuters Sunday, also hit the U.S. departments of Treasury and Commerce. Parts of the Defense Department were breached, the New York Times reported late Monday night, while the Washington Post reported that the State Department and National Institutes of Health were hacked. Neither of them commented to Reuters.”
The Washington Post’s Ellen Nakashima and Craig Timberg wrote that “The Department of Homeland Security, the State Department and the National Institutes of Health on Monday joined the list of known victims of a months-long, highly sophisticated digital spying operation by Russia whose damage remains uncertain but is presumed to be extensive, experts say. The list of victims of the cyberespionage, which already included the Treasury and Commerce departments, is expected to grow and to include more federal agencies and numerous private companies, said officials and others familiar with the matter, who spoke on the condition of anonymity because it is under investigation.”
“SolarWinds, the maker of widely used network-management software that the Russians manipulated to enable their intrusions, reported in a federal securities filing Monday that ‘fewer than 18,000’ of its customers may have been affected. That’s a small slice of the company’s more than 300,000 customers worldwide, including the Pentagon and the White House, but still represents a large number of important networks. Russia has denied any role in the intrusions,” they added. “The fact that the department charged with safeguarding the country from physical and cyber attacks was victimized underscores the campaign’s significance and calls into question the adequacy of federal cybersecurity efforts.”
What’s more, they wrote, “DHS’s Cybersecurity and Infrastructure Security Agency (CISA) on Monday issued an unusual appeal for further information, asking anyone with knowledge of a breach to contact [email protected]. CISA on Sunday evening also directed all federal agencies to disconnect SolarWinds products immediately and to report that they’d done so by noon Monday.”
Also, late on Monday night, the New York Times’s David E. Sanger, Nicole Perlroth, and Eric Schmitt wrote that “The scope of a hack engineered by one of Russia’s premier intelligence agencies became clearer on Monday, when some Trump administration officials acknowledged that other federal agencies — the State Department, the Department of Homeland Security and parts of the Pentagon — had been compromised. Investigators were struggling to determine the extent to which the military, intelligence community and nuclear laboratories were affected by the highly sophisticated attack. United States officials did not detect the attack until recent weeks, and then only when a private cybersecurity firm, FireEye, alerted American intelligence that the hackers had evaded layers of defenses.”
What’s more, the Times’s reporters wrote, “It was evident that the Treasury and Commerce Departments, the first agencies reported to be breached, were only part of a far larger operation whose sophistication stunned even experts who have been following a quarter-century of Russian hacks on the Pentagon and American civilian agencies. About 18,000 private and government users downloaded a Russian-tainted software update — a Trojan horse of sorts — that gave its hackers a foothold into victims’ systems, according to SolarWinds, the company whose software was compromised. Among those who use SolarWinds software are the Centers for Disease Control and Prevention, the State Department, the Justice Department, parts of the Pentagon and a number of utility companies. While the presence of the software is not by itself evidence that each network was compromised and information was stolen, investigators spent Monday trying to understand the extent of the damage in what could be a significant loss of American data to a foreign attacker.” They added that “Two of the most embarrassing breaches came at the Pentagon and the Department of Homeland Security, whose Cybersecurity and Infrastructure Security Agency oversaw the successful defense of the American election system last month.”
Also late Monday night, the Wall Street Journal’s Dustin Volz and Robert McMillan reported that “The Russian operation was disclosed Sunday and was met with alarm by current and former intelligence officials, security experts and lawmakers, some of whom said they were stunned an apparently widespread attack appeared to have evaded recognition for so long. As early as March of this year, customers of SolarWinds Inc., a U.S. network-management company, began unwittingly installing malicious software as part of a routine and seemingly benign update issued for a software product known as Orion, according to the company.”
Further, they wrote, “That update, which would have been especially difficult to identify as a threat, contained what investigators called a back door that could have granted easy access to nearly 18,000 entities that downloaded it. Investigators expect the number of fully compromised victims to be smaller, perhaps totaling hundreds. Both the U.S. Commerce and Treasury departments had some of their systems compromised in the breach, according to officials and people familiar with the continuing investigation.”
And POLITICO’s Eric Geller quoted an unnamed U.S. official, who told him that “‘This is probably going to be one of the most consequential cyberattacks in U.S. history,’ after the National Security Council held its second meeting in three days about the attacks, which security experts have linked to Russian intelligence. ‘That’s the view from inside government — that we’re dealing with something of a scale that I don’t think we’ve had to deal with before.’”