US govt agencies among 18k hit by suspected Russian hacking

SolarWinds' compromised software update allowed hackers to spy on clients for months

The US Treasury Department was among the American government agencies hit by the hacking campaign. The agencies and thousands of businesses are scrambling to probe and respond to the breaches. PHOTO: AGENCE FRANCE-PRESSE

LONDON • The United States Department of Homeland Security (DHS) and thousands of businesses scrambled on Monday to investigate and respond to a sweeping hacking campaign that officials suspect was directed by the Russian government.

E-mails sent by officials at the DHS, which oversees border security and defence against hacking, were monitored by the hackers as part of the sophisticated series of breaches, three people familiar with the matter said.

The attacks also hit the US departments of Treasury and Commerce. Parts of the Defence Department (DOD) were breached, The New York Times reported, while The Washington Post said the State Department and National Institutes of Health were also hacked.

"For operational security reasons, the DOD will not comment on specific mitigation measures or specify systems that may have been impacted," a Pentagon spokesman said.

Technology firm SolarWinds, the key stepping stone used by the hackers, said up to 18,000 of its customers had downloaded a compromised software update that let hackers spy on businesses and agencies for almost nine months.

The US issued an emergency warning on Sunday, ordering government users to disconnect SolarWinds software that it said had been compromised by "malicious actors".

Moscow denied any connection to the attacks.

One of the people familiar with the hacking campaign said the critical network that the DHS' cyber-security division uses to protect infrastructure, including the recent election, had not been breached.

The DHS is a massive bureaucracy responsible for securing the distribution of the Covid-19 vaccine, among other things.

SolarWinds said it believed the attack was the work of an "outside nation state" that inserted malicious code into updates of its Orion network management software issued between March and June.

"SolarWinds currently believes the actual number of customers that may have had an installation of the Orion products that contained this vulnerability to be fewer than 18,000," it said.

The company said it is not aware of vulnerabilities in any of its other products, and that it is now investigating with help from US law enforcement and outside cyber-security experts.

SolarWinds boasts 300,000 customers globally, including the majority of America's Fortune 500 companies and some of the most sensitive parts of the US and British governments.

Because the attackers could use SolarWinds to enter a network and create a new backdoor, merely disconnecting the network management programme is not enough to boot the hackers out, experts said.

For that reason, thousands of customers are now looking for signs of the hackers' presence and trying to disable those extra tools.

A British government spokesman said Britain is not aware of any impact from the hack but is still investigating.

Three people familiar with the investigation into the hack said that any organisation running a compromised version of the Orion software would have had a "backdoor" installed in their computer systems by the attackers.

Early indications suggest the hackers were discriminating about who they chose to break into, according to two people familiar with the investigations.

"What we see is far fewer than all the possibilities," said one person. "They are using this like a scalpel."

FireEye, a prominent cyber-security company that was breached in connection with the incident, said other targets included "government, consulting, technology, telecoms and extractive entities in North America, Europe, Asia and the Middle East".

"If it is cyber espionage, then it is one of the most effective cyber-espionage campaigns we have seen in quite some time," said Mr John Hultquist, FireEye's director of intelligence analysis.

REUTERS


A version of this article appeared in the print edition of The Straits Times on December 16, 2020, with the headline US govt agencies among 18k hit by suspected Russian hacking.