The Russian hackers, known by the nicknames APT29 or Cozy Bear, are part of that nation’s foreign intelligence service and breached email systems in some cases, said the people familiar with the intrusions, who spoke on the condition of anonymity because of the sensitivity of the matter. The same Russian group hacked the State Department and the White House email servers during the Obama administration.
The FBI is investigating the campaign and had no comment Sunday.
All of the organizations were breached through the update server of a network management system called SolarWinds, according to four people familiar with the matter.
The company said Sunday in a statement that monitoring products it released in March and June of this year may have been surreptitiously tampered with in a “highly-sophisticated, targeted . . . attack by a nation state.”
The scale of the Russian espionage operation is potentially vast and appears to be large, said several individuals familiar with the matter. “This is looking very, very bad,” said one person. SolarWinds is used by more than 300,000 organizations across the world. They include all five branches of the U.S. military, the Pentagon, State Department, Justice Department, NASA, the Executive Office of the President and the National Security Agency, the world’s top electronic spy agency, according to the firm’s website.
SolarWinds is also used by the top 10 U.S. telecommunications companies.
“This is a big deal, and given what we now know about where breaches happened, I’m expecting the scope to grow as more logs are reviewed,” said John Scott-Railton, a senior researcher at Citizen Lab at the University of Toronto’s Munk School of Global Affairs and Public Policy. “When an aggressive group like this gets an open sesame to many desirable systems, they are going to use it widely.”
Also compromised was a leading cybersecurity firm, FireEye, which last week reported it was breached. The Washington Post reported that APT29 was the group behind that hack.
It is not clear what information was accessed from the government agencies, though FireEye disclosed it has lost hacking tools that the company uses to test clients’ computer defenses.
Reuters first reported the hacks of the Treasury and Commerce agencies Sunday, saying they were carried out by a foreign government-backed group. The SVR link to the broader campaign is previously unreported.
The matter was so serious that it prompted an emergency National Security Council meeting on Saturday, Reuters reported.
“The United States government is aware of these reports, and we are taking all necessary steps to identify and remedy any possible issues related to this situation,” said National Security Council spokesman John Ullyot. He did not comment on the country or group responsible.
At Commerce, the Russians targeted the National Telecommunications and Information Administration, an agency that handles Internet and telecommunications policy, Reuters reported.
The campaign is said to be quite broad, encompassing an array of targets, including government agencies in the United States and other countries. APT29 has also been linked to attempts to steal coronavirus vaccine research.
In 2014 and 2015, the same group carried out a wide-ranging espionage campaign that targeted thousands of organizations, including government agencies, foreign embassies, energy companies, telecommunications firms and universities.
As part of that operation, it hacked the unclassified email systems of the White House, the Pentagon’s Joint Chiefs of Staff and the State Department.
“That was the first time we saw the Russians become much more aggressive, and instead of simply fading away like ghosts when they were detected, they actually contested access to the networks,” said Michael Daniel, who was White House cybersecurity coordinator at the time.
One of its victims in 2015 was the Democratic National Committee. But unlike a rival Russian spy agency, the GRU, which also hacked the DNC, it did not leak the stolen material. In 2016, the GRU military spy agency leaked hacked emails to the online anti-secrecy organization WikiLeaks in an operation that disrupted the Democrats’ national convention in the midst of the presidential campaign.
The SVR, by contrast, generally steals information for traditional espionage purposes, seeking secrets that might help the Kremlin understand the plans and motives of politicians and policymakers. Its operators also have filched industrial data and hacked foreign ministries.
Because the Obama administration saw the APT29 operation as traditional espionage, it did not consider taking punitive measures, said Daniel, who is now president and chief executive of the Cyber Threat Alliance, an information-sharing group for cybersecurity companies.
“It was information collection, which is what nation states — including the United States — do,” he said. “From our perspective, it was more important to focus on shoring up defenses.”
But Chris Painter, State Department cyber coordinator in the Obama administration, said even if the Russian campaign is strictly about espionage and there’s no norm against spying, if the scope is broad there should be consequences. “We just don’t have to sit still for it and say ‘good job,’ ” he said.
Sanctions might be one answer, especially if done in concert with allies who were similarly affected, he said. “The problem is there’s not even been condemnation from the top. President Trump hasn’t wanted to say anything bad to Russia, which only encourages them to act irresponsibly across a wide range of activities.”
At the very least, he said, “you’d want to make clear to [Russian President Vladimir] Putin that this is unacceptable — the scope is unacceptable.”
So far there is no sign that the current campaign is being waged for purposes of leaking information, or for disruption of critical infrastructure, such as electric grids.
But the scope of the breaches is likely to be significant. The SolarWinds tool monitors a client’s network for performance, identifying problems like failing switches. It has extremely deep “administrative” access to a network’s core functions, which means that gaining access to the SolarWinds tool would allow the Russians were to freely root around victims’ systems.
APT29 compromised the SolarWinds server that sends updates so that any time a customer checks in to request an update, the Russians could hitch a ride on that update to get into a victim’s system, according to a person familiar with the matter.
“Monday may be a bad day for lots of security teams,” tweeted Dmitri Alperovitch, a cybersecurity expert and founder of the Silverado Policy Accelerator think tank.
Joseph Marks contributed to this report.