US Treasury and commerce department targeted in cyber-attack

Published
Image source, Getty Images
Image caption,
The US has not said who is behind the attack on its treasury and commerce departments

US federal agencies have been hacked in a way that may have let a foreign power monitor government communications.

The Treasury and commerce department have both been attacked.

And all federal civilian agencies have been told to disconnect from SolarWinds Orion, a computer network tool being exploited by "malicious actors".

FireEye, a company that provides US government cyber-security, says it identified the problem after its own hacking tools were stolen last week.

Government, technology and telecom organisations across North America, Europe, Asia and the Middle East had all fallen victim to "a global campaign" employing "top-tier operations tradecraft and resources", FireEye said.

And this was consistent with state-sponsored attackers "patiently conducting reconnaissance [and] consistently covering their tracks".

The UK's National Cyber Security Centre (NCSC) said it was working closely with FireEye.

"Investigations are ongoing, and we are working extensively with partners and stakeholders to assess any UK impact," it said.

'Highly sophisticated'

SolarWinds said its 300,000 global customers included all five branches of the US military, the Pentagon, the State Department and the Office of the President of the United States - and all users of its Orion platform should upgrade immediately to address a "security vulnerability".

Updates to keep the system secure had been compromised with malicious code, in a "highly sophisticated... extremely targeted" attack, probably by a nation state, between March and June this year, it said.

The powerful monitoring software allows IT staff remote access to computers on corporate networks.

And the fact the attackers had been able to monitor internal Treasury Department emails may be just the "tip of the iceberg", the Reuters news agency reported.

The head of GCHQ has described the compromises as "serious events" and British intelligence officials are now racing to see what exposure the UK may have.

A number of UK government departments and other organisations use SolarWinds. The first task is to establish whether they were using a particular software package - Orion.

If they do and they have it configured in a particular way and took an update since the end of March they may have a backdoor installed in their system.

The next question will be whether hackers used that access to steal data. Not everyone may be seen as a target worth exploiting.

The US was a few days ahead in learning about the compromise and checking its systems.

The UK has begun that process but it could take days or weeks to find answers since the scale, sources say, is huge. The impact is potentially significant but no one can be sure yet.

This was, intelligence officials say, a highly sophisticated operation but they are wary of attributing it to a particular group or state.

Some US reports have identified Russia's SVR intelligence agency but UK officials say it is too early to comment.

'Necessary steps'

Three people familiar with the investigations into the attack told Reuters Russia was believed to be behind it.

But Russia's foreign ministry described the allegations as "baseless", in a statement on Facebook.

In an emergency order, the US Cybersecurity and Infrastructure Security Agency (Cisa) said the attack had a high potential to compromise government systems.

And the US Department of Homeland Security ordered all federal agencies to disconnect and power down any device connected to SolarWinds products until further notice.

US National Security Council official John Ullyot said the government was "taking all necessary steps to identify and remedy any possible issues related to this situation".

In the world of cyber-security it's often hard to work out the scale of hacks.

We are told as little as possible and often the victims don't know much themselves at first.

So when, last week, it was revealed FireEye had been hacked, it was like watching a horror film where the main character is looking through a dark basement and her torch lights up something sinister.

The latest news is akin to a switch being flicked and the full horror scene being revealed.

It turns out FireEye was just a small part of a much larger and more serious hack attack.

The so-called supply-chain attack means hackers effectively have access to all of SolarWinds's customers.

And looking at its client list - with some household-name companies and the US military - is truly chilling.

US government cyber-teams are in full crisis mode now - but once a hack has been discovered, it's often too late.

You may also be interested in:

Media caption,
Watch: The factory brought to its knees by ransomware hackers

More on this story