How hackers, probably Russian, infiltrated the federal government

Here’s what we know so far.

Hackers reportedly linked to the Russian government managed to hack into multiple US government agencies in what could be the largest hack of government systems since the Obama administration — or perhaps ever.

Malware inserted into third-party software may have given hackers access to various government systems for months. Security agencies are currently assessing exactly which departments were breached and what information was accessed. So far, the Commerce Department has confirmed it was hacked, and the Treasury Department is another reported victim.

We don’t have a lot of other details yet, but here’s what we do know.

According to anonymous officials, the hackers are reportedly a Russian group called Cozy Bear, also known as APT29. It was also behind the hack of the Democratic National Committee and Hillary Clinton campaign staffers during her 2016 campaign, as well as the 2014 hack of the White House and State Department’s unclassified networks. Cozy Bear is also believed to be behind recent attacks on various organizations developing Covid-19 vaccines. The group is linked to Russian intelligence, although Russia has denied any involvement — a position it maintains now.

“Malicious activities in the information space contradicts the principles of the Russian foreign policy, national interests and our understanding of interstate relations,” the Russian Embassy said in a statement. “Russia does not conduct offensive operations in the cyber domain.”

The US government has not officially stated which group or country it believes is behind the hack. The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive on Sunday to federal civilian agencies to disconnect Orion products from their networks immediately.

The hacks are believed to have begun last March through a network monitoring software called Orion Platform, which is made by a Texas company called SolarWinds. SolarWinds says it has more than 300,000 customers around the world, including the American military, the Pentagon, the Department of Justice, the State Department, the Commerce and Treasury Departments, and more than 400 Fortune 500 companies (the webpage with this listing was showing an error message by Monday afternoon).

It’s not known which of those clients used Orion Platform. SolarWinds believes fewer than 18,000 customers were potentially affected, according to the Washington Post. The hackers were somehow able to insert malware into software updates which, once installed, gave hackers access to those systems. FireEye, a cybersecurity company that was also a victim of the SolarWinds hack, has named this malware “SUNBURST”. (Microsoft has named it “Solorigate.”) FireEye revealed last week that it was attacked “by a nation with top-tier offensive capabilities.”

SolarWinds has now released software updates that fix the vulnerability and apologized “for any inconvenience caused.”

The Commerce Department has confirmed a breach of one of its agencies but has not specified which one was hit. Citing anonymous sources, Reuters reported on Sunday that the National Telecommunications and Information Administration was the affected agency, and that hackers have had access to staff emails for months. The Treasury Department is also believed to have been affected, but has yet to publicly acknowledge this.

The government has been sparing with its public statements so far, only saying that its security agencies are investigating.

“The NSC is working closely with CISA, FBI, the intelligence community, and affected departments and agencies to coordinate a swift and effective whole-of-government recovery and response to the recent compromise,” National Security Council spokesperson John Ullyot said in a statement.

Open Sourced is made possible by Omidyar Network. All Open Sourced content is editorially independent and produced by our journalists.