The U.S. Treasury Department and Commerce Department's National Telecommunications and Information Administration have been breached by hackers working for a foreign government, possibly Russia, stealing unknown data in an embarrassing security issue for the U.S. government.
A breach was alleged to have taken place affecting both the U.S. Treasury Department and the Commerce Department's National Telecommunications and Information Administration, an agency that works on policy relating to the Internet and telecommunications. While details of the attack are largely unknown, it is thought to be serious enough to have forced a meeting of the National Security Council on Saturday.
Reuters' sources described the attack as the work of a sophisticated group backed by a foreign government. Tools similar to those used in the attack had previously been employed to gain access to other government agencies, the sources claimed.
Three people with knowledge of the investigation said Russia is believed to be the source of the attack.
"The United States government is aware of these reports and we are taking all necessary steps to identify and remedy any possible issues related to this situation," advised National Security Council spokesperson John Ullyot.
Multiple sources within the Department of Defense who are not authorized to speak on behalf of the government have confirmed the attack to AppleInsider. All of them declined to comment on how much data had been taken, or on which federal agencies the attack targeted.
Originally, according to people familiar with the matter, the hack of the NTIA was performed via Microsoft's Office 365, with the emails of staff at the agency monitored by the hacking group for months. The attack also involved tricking authentication protocols put in place by Microsoft, indicating the work of a very skilled group.
Further investigation showed the attack was centered on a SolarWinds networking product, specifically its technology management software, which was then used to compromise Microsoft logins. SolarWinds has more than 300,000 customers worldwide, and its software is in use at 412 of the US Fortune 500 companies.
Other federal customers of FireEye include the Secret Service, the Department of Defense as a whole, and the National Security Agency. Large federal contractors include Lockheed Martin, Booz Allen Hamilton, and PricewaterhouseCoopers.
One senior US official suggested the email compromise may have occurred during the summer, but was only just spotted.
"This is a nation state," a person briefed on the incident advised, adding that at this time it is unclear which government is to blame. Federal agencies including the FBI are starting to investigate the matter.
Another person, also familiar with the event, calls it a "much bigger story than one single agency," characterizing it as a "huge cyber espionage campaign targeting the U.S. government and its interests."
Two of the report's sources said the breaches are connected to another recently revealed hack of cybersecurity company FireEye, which involved the theft of hacking tools and exploits, and possibly data relating to its government clients. That attack, which used methods seemingly tailor-made to target FireEye, is also thought to have been tied to Russian intelligence.
The Cybersecurity and Infrastructure Security Agency is "working closely with our agency partners regarding recently discovered activity on government networks," a spokesperson advised. "CISA is providing technical assistance to affected entities as they work to identify and mitigate any potential compromises."
Given the seriousness of the intrusion, it is possible that the findings of the investigations could take months or years to become public.
Updated December 14, 7:08 AM ET with further information about the specific vector of compromise.