The Department of Commerce confirmed on Sunday that it was one of the U.S. agencies who experienced a data breach. File Photo by Roger Wollenberg/UPI | License Photo
Dec. 14 (UPI) -- At least three U.S. federal agencies, including the Department of Homeland Security, were breached by hacking linked to weaknesses in network security software from SolarWinds and possibly orchestrated by Russia, authorities said Monday.
The Russian intelligence service, SVR, is believed to be behind the attacks. Russian officials have denied involvement.
The Commerce and Treasury Departments also reported being hacked in the sophisticated "supply chain" attack that began in the spring, investigators said.
The Russian hackers, nicknamed APT29 or Cozy Bear, breached email systems in a scheme similar to an attack on White House and State Department email servers during the Obama administration, officials told The Washington Post on Monday.
On Sunday, the cybersecurity arm of DHS issued an emergency directive for all federal civilian executive branch agencies to search their networks stating cybersecurity products by Austin, Texas-based SolarWinds are "being exploited by malicious actors."
"CISA has determined that this exploitation of SolarWinds products poses an unacceptable risk," it said, stating the impact of a successful attack could be "grave."
SolarWinds products are used by more than 300,000 customers, including more than 400 of the U.S. Fortune 500 companies, five branches of the U.S. military and the Departments of Defense, State and Justice, as well as the office of the president, according to the company's website.
The company described the attack in a statement as "highly sophisticated" and likely conducted by an outside nation state that targeted specific entities.
John Ullyot, the spokesman for the National Security Council, said in a statement that the U.S. government was aware of the reports and was "taking all necessary steps to identify and remedy any possible issues related to the situation."
The breach comes less than a week after leading U.S. cybersecurity firm FireEye, which works with government and private-sector clients, announced on Tuesday it had been hacked by "a nation with top-tier offensive capabilities" who stole tools it uses to mimic the behavior of malicious cyberactors to test security systems.
On Sunday, the company said its investigation uncovered the "global campaign" targeting the networks of public and private organizations that was delivered through updates to the network-monitoring products developed by SolarWinds.
"The campaign demonstrates top-tier operational tradecraft and resourcing consistent with state-sponsored threat actors," Kevin Mandia, CEO of FireEye, said in a statement.
The company said it has identified multiple organizations that have indications they were breached as far back as the spring, stating each attack required "meticulous planning and manual interaction."
SolarWinds said the updates in question were released between March and June. The company also said hackers may have used Microsoft's Office 365 email as "an attack vector."
The attack comes a week after the National Security Agency issued a warning that "Russian state-sponsored malicious cyberactors" were exploiting vulnerabilities in software used by departments in the U.S. government.
Russia responded to speculation it was behind the attack revealed on Sunday, stating "malicious activities in the information space" contradict its foreign policy, national interests and understanding of interstate relations.
"Russia does not conduct offensive operations in the cyber domain," the Embassy of Russia in the United States said in a statement published on Facebook.
CISA said in the emergency directive that agencies operating SolarWinds products have until noon Monday to provide it with a complete report of its analysis of potential compromises.
"Tonight's directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners -- in the public and private sectors -- to assess their exposure to this compromise and to secure their networks against any exploitation," Brandon Wales, CISA acting director, said in a statement.