WASHINGTON—Multiple federal government agencies, including the U.S. Treasury and Commerce departments, have had some of their computer systems breached as part of a widespread global cyber espionage campaign believed to be the work of the Russian government, according to officials and people familiar with the matter.
Russia’s foreign-intelligence service is suspected of being behind the hacks of the U.S. government networks—in which some internal communications are believed to have been stolen—and the operation is related to a cyber breach disclosed last week of U.S.-based cybersecurity firm FireEye, one of the people familiar with the matter said.
The person added that several government agencies in total have likely been compromised.
The hacking operation exposed as many as hundreds of thousands of government and corporate networks to potential risk and alarmed national-security officials in the Trump administration as well as executives at FireEye, some of whom view it as far more significant than a routine case of foreign cyber espionage, people familiar with the matter said.
While those familiar with the hack couldn’t precisely specify its scope or the resulting damage to the U.S. government, several described it as among the most potentially worrisome cyberattacks in years, because it may have allowed Russia to access sensitive information from government agencies, defense contractors and other industries. One person familiar with the matter said the campaign was a “10” on a scale of one to 10, in terms of its likely severity and national-security implications.
The Commerce Department confirmed in a statement that one of its bureaus had been breached and that it was working with federal partners, including the Federal Bureau of Investigation, to probe the matter, but declined to comment further. The hack of Commerce systems includes the National Telecommunications and Information Administration, a unit that works on technology policy issues, the person familiar with the matter said.
The FBI said it was aware of public reporting about the hack and “appropriately engaged,” but declined to give further comment. The Treasury Department didn’t respond to requests for comment, nor did a spokesman for FireEye.
The Russian Embassy in Washington denied responsibility and said the allegations were “unfounded attempts of the U.S. media to blame Russia.”
The hackers were able to infiltrate the systems of government agencies as well as FireEye through a malicious software update introduced in a product from SolarWinds Inc., a U.S. network-management company, according to the companies and people familiar with the matter.
The apparent use of a flaw in SolarWinds technology could be problematic. The company says it has more than 300,000 customers world-wide, including more than 400 of the U.S. Fortune 500 companies.
Based in Austin, Texas, SolarWinds Worldwide LLC employs more than 3,200 people and counts Booz Allen Hamilton, the Secret Service, the Defense Department, the Federal Reserve, Lockheed Martin Corp., PricewaterhouseCoopers LLP and the National Security Agency among its customers, according to the SolarWinds website.
A SolarWinds spokesman said the company was aware of a potential vulnerability related to updates of its Orion technology management software that were released between March and June of this year.
“We believe that this vulnerability is the result of a highly-sophisticated, targeted and manual supply chain attack by a nation state,” the spokesman said in an email. The company is working with FireEye, the intelligence community and law enforcement on an investigation, he said.
In a sign of the severity of the threat, the Cybersecurity and Infrastructure Security Agency issued a rare emergency directive instructing all federal civilian agencies to review their networks for possible compromise and immediately shut down the use of SolarWinds Orion products.
“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” said Brandon Wales, the agency’s acting director.
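The directive described above asks each agency to do two things: find every system running SolarWinds Orion, and stop using it. The following Python script is an added illustration of how a security team might triage a software inventory against that instruction; it is not code from the article, SolarWinds, CISA or FireEye. The CSV layout, host names and dates are constructed, and the only fact taken from the article is the window of suspect Orion updates (March through June 2020), which is used here to prioritise hosts rather than to exclude any of them, since the directive applies to all Orion installations.

```python
"""Triage a software inventory for SolarWinds Orion hosts.

Added example, not from the article or any vendor. The inventory format
and sample records are constructed; the date window follows the article's
statement that the suspect Orion updates were released March-June 2020.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Window of suspect Orion updates as stated in the article (March-June 2020).
WINDOW_START = date(2020, 3, 1)
WINDOW_END = date(2020, 6, 30)


@dataclass(frozen=True)
class InventoryRecord:
    host: str
    product: str
    last_update: Optional[date]  # None when the inventory has no update date


def parse_inventory(csv_text: str) -> List[InventoryRecord]:
    """Parse a constructed CSV export with columns host,product,last_update.

    A blank last_update is kept as None so that unknown dates are not
    silently treated as "outside the window".
    """
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = (row.get("last_update") or "").strip()
        when = date.fromisoformat(raw) if raw else None
        records.append(InventoryRecord(row["host"].strip(), row["product"].strip(), when))
    return records


def is_orion(product: str) -> bool:
    """Match SolarWinds Orion products however the inventory spells them."""
    p = product.lower()
    return "solarwinds" in p and "orion" in p


def triage(records: List[InventoryRecord]) -> Dict[str, List[str]]:
    """Bucket hosts for the directive's review-and-shut-down instruction.

    - 'isolate': runs Orion and was updated inside the suspect window; handle first
    - 'review':  runs Orion with an update date outside the window or unknown;
                 the shut-down instruction still applies, only the priority differs
    - 'clear':   does not run Orion
    """
    result: Dict[str, List[str]] = {"isolate": [], "review": [], "clear": []}
    for r in records:
        if not is_orion(r.product):
            result["clear"].append(r.host)
        elif r.last_update is not None and WINDOW_START <= r.last_update <= WINDOW_END:
            result["isolate"].append(r.host)
        else:
            result["review"].append(r.host)
    return result


# Constructed sample inventory; hosts, products and dates are illustrative only.
SAMPLE_CSV = """host,product,last_update
nms01,SolarWinds Orion Platform,2020-04-15
nms02,SolarWinds Orion NPM,2020-01-20
nms03,solarwinds orion platform,
web01,nginx,2020-05-02
"""

if __name__ == "__main__":
    for bucket, hosts in triage(parse_inventory(SAMPLE_CSV)).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The edge case worth noting is the host with no recorded update date: it lands in "review" rather than "clear", because an inventory gap is not evidence that the host missed the suspect updates.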
SolarWinds also operates a managed service provider business, but the company doesn’t believe that this business was affected by the security incident.
In a blog post late Sunday, FireEye said it had identified a “global campaign” using the SolarWinds attack vector that appeared to have compromised multiple customers dating back to the spring of this year.
FireEye didn’t identify Russia as the suspect, but said the hackers were highly sophisticated, gave priority to stealth, patiently conducted reconnaissance on their victims and used difficult-to-attribute cyber tools. The company said that the attacks weren’t like a worm that automatically attacks different systems and that, instead, each individual attempted intrusion required “meticulous planning and manual interaction.”
FireEye has so far seen customers compromised across the globe—in North America, Europe, Asia and the Middle East—and across a range of sectors including telecommunications, tech, health care, automotive, energy and government, a person familiar with the company investigation said.
Sophisticated hackers increasingly have sought to rely on so-called supply-chain attacks in which they can harness a vulnerability in a common product or service used widely across the internet to rapidly hack scores of victims before the compromises are detected.
Reuters reported earlier Sunday that the Treasury and Commerce agencies had been hacked by a group supported by a foreign government.
“The United States government is aware of these reports, and we are taking all necessary steps to identify and remedy any possible issues related to this situation,” National Security Council spokesman John Ullyot said.
FireEye said last week that it was hacked in what it said was an elite foreign-government attack that compromised its software tools used to test the defenses of its thousands of customers.
That announcement was met with concern in cybersecurity and intelligence circles, in part because FireEye services several businesses and government agencies that work in national-security fields, and a compromise of their systems potentially could be leveraged by hackers to break into the systems of FireEye’s customers more easily.
Russia’s foreign-intelligence service, known as the SVR, was seen as the leading suspect of the FireEye breach, the Journal previously reported. Hackers linked to that Russian group have previously been blamed for hacks on government agencies during the Obama administration.
News of the widespread hacking activity came a little more than a month before President-elect Joe Biden, who has pledged to respond forcefully to Russian aggression, will take office. Mr. Ullyot of the NSC didn’t elaborate on administration plans for a response.
Chris Krebs, who served as the top cybersecurity official at the Department of Homeland Security before being fired by President Trump last month because he said the presidential election was secure from tampering, said SolarWinds customers who used the Orion product should assume they have been compromised. Most customers were probably not affected because the hack was likely resource-intensive, he said, but he urged caution given the possible risk.
“Hacks of this type take exceptional tradecraft and time,” Mr. Krebs said on Twitter. “If this is a supply chain attack using trusted relationships, really hard to stop,” he said, adding that he believed the attack had been ongoing for “many months.”
—Robert McMillan contributed to this article.
Write to Dustin Volz at email@example.com
Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved.