WASHINGTON — Hackers broke into the networks of the Treasury and Commerce departments as part of a monthslong global cyberespionage campaign revealed Sunday, just days after the prominent cybersecurity firm FireEye said it had been breached in an attack that industry experts said bore the hallmarks of Russian tradecraft.
The FBI and the Department of Homeland Security’s cybersecurity arm were investigating what experts and former officials said appeared to be a large-scale penetration of U.S. government agencies — apparently the same cyberespionage campaign that also afflicted FireEye, foreign governments and major corporations.
“This can turn into one of the most impactful espionage campaigns on record,” said cybersecurity expert Dmitri Alperovitch.
The hacks were revealed less than a week after FireEye disclosed that foreign government hackers had broken into its network and stolen the company’s own hacking tools, first reported by Reuters. Many experts suspect Russia is responsible. FireEye’s customers include federal, state and local governments and top global corporations.
The apparent conduit for the Treasury and Commerce Department hacks — and the FireEye compromise — is a hugely popular piece of server software called SolarWinds. It is used by hundreds of thousands of organizations globally, including most Fortune 500 companies and multiple U.S. federal agencies that will now be scrambling to patch up their networks, said Alperovitch, the former chief technical officer of the firm CrowdStrike.
FireEye, without naming any specific targets, said in a blog post that its investigation into the hack of its own network had identified “a global campaign” targeting governments and the private sector that, beginning in the spring, had slipped malware into a SolarWinds software update. Neither the company nor U.S. government officials would not say whether it believed Russian state-backed hackers were responsible.
The malware gave the hackers remote access to victims’ networks, and Alperovitch said SolarWinds grants “God-mode” access to a network, making everything visible.
“We anticipate this will be a very large event when all the information comes to light,” said John Hultquist, director of threat analysis at FireEye. “The actor is operating stealthily, but we are certainly still finding targets that they manage to operate in.”
FireEye said it had confirmed infections in North America, Europe, Asia and the Middle East, including in the health care and oil and gas industry — and had been informing affected customers around the world in the past few days. It said that malware that rode the SolarWinds update did not seed self-propagating malware — like the 2016 NotPetya malware blamed on Russia — and that any actual infiltration of an infected organization required “meticulous planning and manual interaction.”