Russian government hackers breached the Treasury and Commerce departments, along with other U.S. government agencies, as part of a global espionage campaign that stretches back months, according to people familiar with the matter.
Officials were scrambling over the weekend to assess the nature and extent of the intrusions and implement effective countermeasures, but initial signs suggested the breach was long-running and significant, the people familiar with the matter said.
The Russian hackers, known by the nicknames APT29 or Cozy Bear, are part of that nation’s foreign intelligence service, the SVR, and they breached email systems in some cases, said the people familiar with the intrusions, who spoke on the condition of anonymity because of the sensitivity of the matter. The same Russian group hacked the State Department and the White House email servers during the Obama administration.
The FBI is investigating the campaign, which may have begun as early as spring, and had no comment Sunday. The victims have included government, consulting, technology, telecom, and oil and gas companies in North America, Europe, Asia and the Middle East, according to FireEye, a cyber firm that itself was breached.
The Russian Embassy in Washington on Sunday called the reports of Russian hacking “baseless.” In a statement on Facebook it said, “attacks in the information space contradict” Russian foreign policy and national interests. “Russia does not conduct offensive operations” in the cyber domain.
All of the organizations were breached through the update server of a network management system made by the firm SolarWinds, FireEye said in a blog post Sunday.
The federal Cybersecurity and Infrastructure Security Agency issued an alert Sunday warning about an “active exploitation” of the SolarWinds Orion Platform, from versions of the software released in March and June. “CISA encourages affected organizations to read the SolarWinds and FireEye advisories for more information and FireEye’s GitHub page for detection countermeasures,” the alert said.