The Washington PostDemocracy Dies in Darkness

DHS, State and NIH join list of federal agencies — now five — hacked in major Russian cyberespionage campaign

On Dec. 13, it was reported that Russian government hackers breached U.S. government agencies as part of a global espionage campaign that stretches back months. (Video: Reuters)

The Department of Homeland Security, the State Department and the National Institutes of Health on Monday joined the list of known victims of a months-long, highly sophisticated digital spying operation by Russia whose damage remains uncertain but is presumed to be extensive, experts say.

The list of victims of the cyberespionage, which already included the Treasury and Commerce departments, is expected to grow and to include more federal agencies and numerous private companies, said officials and others familiar with the matter, who spoke on the condition of anonymity because it is under investigation.

SolarWinds, the maker of widely used network-management software that the Russians manipulated to enable their intrusions, reported in a federal securities filing Monday that “fewer than 18,000” of its customers may have been affected. That’s a small slice of the company’s more than 300,000 customers worldwide, including the Pentagon and the White House, but still represents a large number of important networks. Russia has denied any role in the intrusions.

The Cybersecurity 202: A Russian mega-hack is further damaging Trump’s cybersecurity legacy

The fact that the department charged with safeguarding the country from physical and cyber attacks was victimized underscores the campaign’s significance and calls into question the adequacy of federal cybersecurity efforts. The breach of the State Department was particularly embarrassing given that the same Russian spy agency thought to be behind this campaign, the SVR, hacked State’s unclassified email servers in 2014. And the NIH compromise follows reports this summer that that the SVR, Russia’s foreign intelligence service, went after coronavirus vaccine research

DHS’s Cybersecurity and Infrastructure Security Agency (CISA) on Monday issued an unusual appeal for further information, asking anyone with knowledge of a breach to contact

CISA on Sunday evening also directed all federal agencies to disconnect SolarWinds products immediately and to report that they’d done so by noon Monday.

DHS spokesman Alexei Woltornist said that the department is aware of reports of a breach and is investigating the matter. The compromise of that department’s networks was first reported by Reuters.

The State Department declined to comment Monday. The NIH could not be reached Monday evening for comment. The State and NIH breaches were previously unreported.

The hackers gained access to their victims’ systems through what is known as a “supply chain” attack, or taking advantage of routine software patches sent to these systems by SolarWinds, which ­provides network-management tools.

The nature of the hacks indicated that the attackers were focused on high-value targets, experts suggested.

“It’s not about quantity. It’s about quality” of targets, said John Hultquist, manager of analysis at FireEye, a cybersecurity consultancy that also was breached and that discovered through its own investigation the targeting of SolarWinds.

“SolarWinds was clearly a door that they could walk through,” he said. “We’re shutting this door. But they’re still in these organizations. There are a lot of information-security teams right now who are probably going to be working on this problem through Christmas.”

Cybersecurity experts described the Russian hacks as a sophisticated bit of online spying that left few clues of intrusion into networks. Investigators at FireEye marveled in a blog post that the meticulous tactics involved “some of the best operational security” its investigators had ever seen, using at least one piece of malicious software never previously detected.

“This is classic espionage,” said Thomas Rid, a political science professor at the Johns Hopkins School of Advanced International Studies who specializes in cybersecurity issues. “It’s done in a highly sophisticated way. . . . But this is a stealthy operation.”

FireEye described the victims as including “government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East. We anticipate there are additional victims in other countries and verticals.”

But the potentially good news is that stealthy attackers tend to prioritize surreptitious entrances and exits, while avoiding wholesale ransacking of computer systems that could tip off defenders. Such hackers typically are more focused on covering their tracks than simply backing up a digital truck and taking everything they can.

The potentially bad news, however, is that such careful, precise attacks can be effective at gathering sensitive information over the course of months or even years. While the details of what was taken and from whom are not yet public — the agencies and companies themselves may not even know for a while — the Russian operation dates at least as far back as March and was described as active as recently as Sunday.

That’s a nine-month stretch that included — to name just a few of the important events that would have created computer files interesting to spies — the worst of the coronavirus pandemic, the historically fast development of vaccines using novel technology, and the U.S. presidential and congressional elections.

But, as Rid pointed out, this so far appears to be classic digital spying of the sort that major nations, including the United States, engage in every day to gain geopolitical edges of various sorts. And it has been vastly less disruptive, so far, than a range of Russian efforts in 2016, when hackers from that nation penetrated state election systems, infiltrated American social media conversations with hundreds of fictitious accounts, and stole sensitive emails from Democrats and dumped them online at key moments in a hotly contested presidential campaign.

That 2016 effort, spearheaded by the Russian military’s intelligence unit, the GRU, and the semi-independent Internet Research Agency, left behind copious evidence that government and corporate investigators found. The 2020 effort, by contrast, appears to be the work of a part of Russian intelligence that has little known record for pushing online disinformation campaigns.

The recent hack emerged only after FireEye — one of the nation’s leading cybersecurity firms — was itself targeted by the hackers, who stole potent cyberattack tools that FireEye used for research purposes.

The hackers used multistep techniques that apparently started with the hack of SolarWinds. That allowed the Russians to manipulate software updates for systems reliant on the company’s Orion software, a popular monitoring tool that creates profound access across a computer network.

Software patches, which carry digital signatures verifying their authenticity, are an ideal target for hackers and are controversial because they can undermine faith in the updating process itself — a key to good cybersecurity hygiene for computers and systems worldwide.

The altered patches, delivered to Orion customers between March and May, didn’t necessarily trigger a hack in every system that received them, according to the detailed FireEye blog. Rather, it described a scenario in which the malware delivered through the SolarWinds patches created a back door that the Russians could open at will.

The hackers later entered targeted networks while maintaining a “light malware footprint” that involved creating and deleting files as they went along. They also stole and used authentic credentials and passwords from users of the hacked systems to further disguise their efforts while prowling through computer networks, according to FireEye.

Protecting all the hardware and software that goes into a computer network is a complex challenge, said Neil Jenkins, a senior DHS cybersecurity official during the Obama administration. “You have to do a lot of risk-management work to put yourself in the best position,” he said. “And even when you do, that might not prevent you from getting hacked at the end of the day.”

Nick Miroff, Joseph Marks, John Hudson and Lori Aratani contributed to this report.