US officials are investigating a cyber attack that breached the systems of multiple government agencies, the federal government confirmed on Sunday night.
The National Security Council and the Cybersecurity and Infrastructure Security Agency both said they were looking into an attack on government networks, which reportedly stemmed from one of the two Russian groups responsible for hacking the Democratic National Committee ahead of the 2016 election.
“The United States government is aware of these reports and we are taking all necessary steps to identify and remedy any possible issues related to this situation,” said John Ullyot, a spokesman for the NSC.
CISA said it was “working closely with our agency partners regarding recently discovered activity on government networks”.
The agency added that CISA was “providing technical assistance to affected entities as they work to identify and mitigate any potential compromises”.
The commerce department said one of its bureaus — which Reuters news agency reported to be the National Telecommunications and Information Agency — had been breached, and that it had asked CISA and the FBI to investigate.
The FBI did not respond to a request to comment. The Treasury, whose systems were also reportedly breached, referred queries back to the NSC.
The Washington Post reported on Sunday that the attack had been traced to one of two groups of Russian state-backed hackers responsible for attacks on Democratic party servers ahead of the 2016 presidential election, a campaign US intelligence officials believe was aimed at stopping Hillary Clinton from winning the race.
The group — which is known as Cozy Bear or APT29 — has recently made attempts to steal coronavirus vaccine research in the US, UK and Canada, authorities in those countries said over the summer.
Government officials did not comment on the potential link between the group and the latest attacks, but the Pentagon warned earlier this month that Russian state-sponsored hackers were targeting a vulnerability which allowed them to access government networks.
Two people familiar with the attacks on the government departments said the incursions were also linked to the successful recent hacking of FireEye, a cyber security group that often defends customers against attacks by nation states.
Last week, the company disclosed that attackers had breached its internal systems and targeted the data of its government customers, though there was no evidence that any government information was stolen.
However, the hackers did loot tools that could be used in attacks against other organisations, making it potentially one of the most damaging breaches since an attack on the National Security Agency four years ago.
Investigators were looking into whether the hackers had used fake identity certificates to trick Microsoft’s Office 365 software into letting them access the government systems, according to a person familiar with the case.
The attack was thought to have involved the spoofing of the identity tokens that systems connected to the internet use to verify that emails or other communications are from who they claim to be, this person said.
A week ago, the National Security Agency warned it had found a serious vulnerability which had been used to create fake tokens, and urged government information technology administrators to take immediate action to protect their systems.
The flaw had been found in software from VMware, the agency said, and attackers taking advantage of the bug had been able to trick Microsoft software into giving them “access to protected data”.
It was unclear whether the vulnerability highlighted by the NSA was the same one used in the attack on the Treasury and commerce departments. Microsoft and VMware both refused to comment.
Late on Sunday, SolarWinds, an IT company whose software is used by many government departments to manage their networks, disclosed its technology might have been involved. It said it was “aware of a potential vulnerability” in updates to some of its products released between March and June this year, and that it was currently involved in an investigation with FireEye, the FBI and other law enforcement agencies.
It added that “this vulnerability is the result of a highly sophisticated, targeted and manual supply chain attack by a nation state”.
The company, which lists many government agencies and companies among its customers, including all but one of the Fortune 500, did not say how widespread the issues were, or how many of its customers might be vulnerable.