How Russian hackers infiltrated the federal government

Here’s what we know so far.

Photo: Russian soldiers march in Red Square, Moscow, Russia. A joint task force of US security agencies says that Russia is “likely” the actor behind the massive malware attack on federal agencies last year. (Mladen Antonov/AFP via Getty Images)

Sara Morrison is a senior Vox reporter who has covered data privacy, antitrust, and Big Tech’s power over us all for the site since 2019.

Federal security agencies have finally confirmed that the massive hack of government and private computer systems that was uncovered in mid-December was likely Russian in origin. A statement from a joint task force issued January 5 was one of the first from an administration that has been reluctant to share many details about the hack thus far, possibly because President Trump refuses to acknowledge that Russia was its most likely perpetrator. The Department of Justice has now revealed that its email accounts were breached as well.

The hackers reportedly managed to break into multiple US government agencies in what could be the largest hack of government systems since the Obama administration — or perhaps ever. The intrusion went undetected until December, when a cybersecurity company that makes hacking tools discovered that its own systems were breached. This means malware inserted into third-party software may have given hackers access to various government systems for months.

The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) are working together to investigate the breach. On January 5, the joint task force released a statement confirming that they believe the hackers were Russian and that, despite efforts to stop the intrusions, the attacks are still “ongoing.”

“This work indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks,” the statement said. “At this time, we believe this was, and continues to be, an intelligence gathering effort. We are taking all necessary steps to understand the full scope of this campaign and respond accordingly.”

The statement said the task force has found “fewer than 10” government agencies that were compromised so far, but it didn’t specify which ones. The Commerce, Energy, and Justice Departments have confirmed that they were hacked. The Treasury and State Departments, Department of Homeland Security, parts of the Pentagon, and the National Institutes of Health are reported to have been affected, too.

But the Trump administration, which has said little about the attack, has been reluctant to assign blame for it on Russia. The president even tweeted that it may have come from China and that it was under control. According to this new statement, however, it didn’t come from China, and it is certainly not under control.

What we know about Russia’s involvement — despite President Trump’s tweets suggesting otherwise

According to anonymous officials, the hackers are a Russian group called Cozy Bear, also known as APT29, that was also behind the hack of the Democratic National Committee and Hillary Clinton campaign staffers during her 2016 campaign, as well as the 2014 hack of the White House and State Department’s unclassified networks. Cozy Bear is also believed to be behind recent attacks on various organizations developing Covid-19 vaccines. The group is linked to Russian intelligence, although Russia has denied any involvement — a position it maintains now.

“Malicious activities in the information space contradicts the principles of the Russian foreign policy, national interests and our understanding of interstate relations,” the Russian Embassy said in a statement in December. “Russia does not conduct offensive operations in the cyber domain.”

The Trump administration was initially hesitant to say much about the hack officially, or assign blame to a specific country. A day after CISA publicly acknowledged the hack, Secretary of State Mike Pompeo told Breitbart Radio News that Russia may have been behind it, but that it may also have been China or North Korea.

Senators from both parties had more to say at the time. Sen. Dick Durbin (D-IL) called it “virtually a declaration of war by Russia on the United States,” while Sen. Richard Blumenthal (D-CT) said the classified information he received about “Russia’s cyberattack” left him feeling “deeply alarmed, in fact downright scared.” Sen. Mitt Romney (R-UT) compared the attack to “Russian bombers ... repeatedly flying undetected over our entire country.” He criticized America’s “glaringly inadequate” cybersecurity defenses, as well as the president’s “inexcusable silence and inaction” in response to it.

Following those statements, Pompeo told another conservative radio talk show that the Russians were “pretty clearly” behind the hack.

President Donald Trump, however, seemed to have received different information than everyone else. In his first comments about the hack, nearly a week after it was first reported, Trump tweeted that it had been exaggerated in the press and was “under control,” adding that China “may” be behind it, and that the hack may have affected voting machines in the election, which he still falsely insists that he won. (There is no evidence that voting machines were affected by the hack or compromised in any other way.)

But Trump’s own former Department of Homeland Security adviser, Thomas Bossert, said in a New York Times op-ed in December that the “magnitude of this ongoing attack is hard to overstate” and that it would take years to understand how pervasive and damaging it was.

How a weak link in a supply chain gave hackers access to the most secure systems

The hacks are believed to have begun last March through network monitoring software called Orion Platform, which is made by a Texas company called SolarWinds. The hackers were somehow able to insert malware into Orion Platform software updates which, once installed, gave hackers access to those systems. This is called a supply chain attack.
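The defensive counterpart to the update-tampering described above is to check every downloaded update against integrity data obtained from the vendor through a separate channel before it is installed. The script below is an added illustration written for this article, not code from SolarWinds, FireEye, or any agency named here; the file name, the manifest, and the sample file contents are constructed. It hashes an update file, compares the digest to a pinned manifest entry in constant time, and reports a mismatch for a file that has been altered. The caveat a practitioner should keep in mind: a digest or signature check only catches tampering that happens after the vendor published the reference values. It cannot catch malicious code that the vendor itself unknowingly compiled into the update and then published as genuine, which is why supply chain defense also requires vendor build-pipeline security and monitoring of what the installed software does on the network.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Constructed manifest: update file name -> expected SHA-256 hex digest.
# In practice this would be fetched from the vendor over a separate,
# authenticated channel (or be a signed manifest whose signature is
# verified first), never the file served next to the update itself.
def build_manifest(name: str, genuine_contents: bytes) -> dict:
    return {name: hashlib.sha256(genuine_contents).hexdigest()}


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large installers don't need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_update(path: Path, manifest: dict) -> tuple:
    """Return (ok, reason). ok is True only when the file's digest matches the pinned entry."""
    expected = manifest.get(path.name)
    if expected is None:
        # An update the manifest does not list should never be installed on trust.
        return False, "no manifest entry for %s" % path.name
    actual = sha256_file(path)
    # compare_digest avoids leaking where the two strings first differ.
    if not hmac.compare_digest(actual, expected):
        return False, "digest mismatch for %s" % path.name
    return True, "ok"


def demo() -> tuple:
    """Verify a genuine update and a tampered copy; returns (genuine_ok, tampered_ok)."""
    genuine = b"hypothetical update payload v1.0\n"          # constructed contents
    tampered = genuine + b"\x00extra bytes appended in transit\n"  # constructed alteration
    manifest = build_manifest("network-monitor-update.bin", genuine)

    with tempfile.TemporaryDirectory() as tmp:
        good_path = Path(tmp) / "network-monitor-update.bin"
        good_path.write_bytes(genuine)
        good_ok, good_reason = verify_update(good_path, manifest)

        # Overwrite with the altered payload under the same file name.
        good_path.write_bytes(tampered)
        bad_ok, bad_reason = verify_update(good_path, manifest)

    print("genuine:", good_ok, good_reason)
    print("tampered:", bad_ok, bad_reason)
    return good_ok, bad_ok


if __name__ == "__main__":
    demo()
```

Running the script prints `genuine: True ok` and `tampered: False digest mismatch ...`. The same check can be wired into whatever deploys software internally so that an update that fails verification is quarantined and logged rather than installed.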

SolarWinds says it has more than 300,000 customers around the world, including the American military, the Pentagon, the Department of Justice, the State Department, the Commerce Department, the Treasury Department, and more than 400 Fortune 500 companies. But not all of those clients used the Orion Platform. SolarWinds believes fewer than 18,000 customers were potentially affected, according to the Washington Post, with the New York Times saying that as many as 250 government and business networks were accessed. The Wall Street Journal identified two dozen companies, including Cisco, Intel, and Deloitte, that fell victim to the hack.

SolarWinds has now released software updates that fix the vulnerability and apologized “for any inconvenience caused.”

SolarWinds does not appear to be the only attack vector. After previous denials, Microsoft confirmed on New Year’s Eve that its Office 365 software was also targeted by “a very sophisticated nation-state actor,” through its software resellers, but the company didn’t believe hackers were able to do much more than view source code.

FireEye, a cybersecurity company that was also a victim of the SolarWinds hack, has named this malware “SUNBURST.” (Microsoft has named it “Solorigate.”) FireEye was reportedly the first to discover the hack — not, apparently, the government agencies charged with protecting the nation’s cybersecurity infrastructure.

The Commerce Department was among the first to confirm a breach of one of its agencies but has not specified which one was hit. Citing anonymous sources, Reuters reported that the National Telecommunications and Information Administration was the affected agency, and that hackers have had access to staff emails for months. The Department of Energy has also said it found malware in its business networks, but it had not affected the “mission essential national security functions.” Nearly a month after the initial reports of the hack, the Justice Department confirmed that about 3 percent of its Microsoft Office 365 email accounts were “potentially accessed,” but did not believe that any of its classified systems were breached.

The departments of Treasury, State, Agriculture, and Homeland Security, as well as the National Institutes of Health, are also believed to have been affected, but they have not officially confirmed whether this is the case. How extensive the hacks were, and which systems in those departments were affected, has also not been made public.

In contrast to the current president, President-elect Joe Biden was quick to respond to the news of the hack and forceful in his comments.

“My administration will make cybersecurity a top priority at every level of government — and we will make dealing with this breach a top priority from the moment we take office,” Biden said in a statement. “We need to disrupt and deter our adversaries from undertaking significant cyber attacks in the first place. We will do that by, among other things, imposing substantial costs on those responsible for such malicious attacks, including in coordination with our allies and partners. Our adversaries should know that, as President, I will not stand idly by in the face of cyber assaults on our nation.”

Open Sourced is made possible by Omidyar Network. All Open Sourced content is editorially independent and produced by our journalists.
