US federal agencies have been hacked in a way that may have let a foreign power monitor government communications.
The treasury and commerce departments have both been attacked. And all federal civilian agencies have been told to disconnect from SolarWinds Orion, a computer network tool being exploited by “malicious actors”.
FireEye, a company that provides US government cyber-security, says it identified the problem after its own hacking tools were stolen last week.
Government, technology and telecom organisations across North America, Europe, Asia and the Middle East had all fallen victim to “a global campaign” employing “top-tier operations tradecraft and resources”, FireEye said. And this was consistent with state-sponsored attackers “patiently conducting reconnaissance [and] consistently covering their tracks”.
The UK’s National Cyber Security Centre (NCSC) said it was working closely with FireEye. “Investigations are ongoing, and we are working extensively with partners and stakeholders to assess any UK impact,” it said.
SolarWinds said its 300,000 global customers included all five branches of the US military, the Pentagon, the State Department and the Office of the President of the United States – and all users of its Orion platform should upgrade immediately to address a “security vulnerability”. Updates to keep the system secure had been compromised with malicious code, in a “highly sophisticated… extremely targeted” attack, probably by a nation state, between March and June this year, it said.
The powerful monitoring software allows IT staff remote access to computers on corporate networks. And the fact the attackers had been able to monitor internal Treasury Department emails may be just the “tip of the iceberg”, the Reuters news agency reported. Three people familiar with the investigations into the attack told Reuters Russia was believed to be behind it. But Russia’s foreign ministry described the allegations as “baseless”, in a statement on Facebook.
In an emergency order, the US Cybersecurity and Infrastructure Security Agency (Cisa) said the attack had a high potential to compromise government systems. And the US Department of Homeland Security ordered all federal agencies to disconnect and power down any device connected to SolarWinds products until further notice.
US National Security Council official John Ullyot said the government was “taking all necessary steps to identify and remedy any possible issues related to this situation”.