WASHINGTON -- Kremlin-backed hackers are behind a cyber-attack on a number of US government agencies, continuing Russia's worldwide cyber-espionage campaign, according to government and private sources familiar with the incident.
The US government on Sunday (December 13) confirmed its computer networks had been hit by hackers on behalf of a foreign government.
The hackers -- known by the nicknames APT29, the Dukes and Cozy Bear -- are part of Russia's Foreign Intelligence Service (SVR), the Washington Post reported Monday (December 14), citing sources familiar with the intrusions who spoke on the condition of anonymity because of the sensitivity of the matter.
The hacks were linked to an attack last week on cybersecurity firm FireEye, which said that sophisticated attackers who stole tools used to test customers' computer systems breached FireEye's defences, the newspaper reported.
The attack was likely state sponsored, said FireEye.
News of the breach, which was also reported by Reuters, came less than a week after the US National Security Agency (NSA) issued a warning that "Russian state-sponsored malicious cyber actors" were exploiting flaws in a system broadly used in the federal government.
Hackers breached all the organisations through the update server of a network management system made by the firm SolarWinds, FireEye said in a blog post December 13.
Victims have included government agencies and consulting, technology, telecom, and oil and gas companies in North America, Europe, Asia and the Middle East, according to FireEye.
Products that SolarWinds released in March and June of this year may have been surreptitiously weaponised in a "highly-sophisticated, targeted . . . attack by a nation state", the company said in a statement December 13.
SolarWinds products are used by more than 300,000 organisations across the world, according to the company's website. They include all five branches of the US military, the Pentagon, US State Department, US Justice Department, National Aeronautics and Space Administration, the Executive Office of the President and the NSA.
Tip of the iceberg
The cyber-attack was vast and highly sophisticated, and US intelligence agencies are working to assess the full scope of the breach, with some fearing the attacks uncovered may be the tip of the iceberg.
APT29 and other Kremlin-backed hacking groups have a long history of cyber- attacks on Western targets.
The group spearheaded online attacks on various organisations involved in COVID-19 vaccine development earlier this year, Western intelligence agencies said in July.
"APT29's campaign of malicious activity is ongoing, predominantly against government, diplomatic, think-tank, healthcare and energy targets to steal valuable intellectual property," Britain's National Cyber Security Centre said July 16, adding that the US and Canadian security agencies shared this view.
It also hacked US State Department and White House email servers in 2014-2015 and then went on to hack the systems of the US Democratic Party National Committee (DNC) and top political officials.
The GU (know more commonly by its former acronym GRU), a Russian military intelligence agency, is suspected of making public the hacked emails at the DNC, spurring investigations that overshadowed the 2016 US presidential election.
"There appear to be many victims of this campaign, in government as well as the private sector," Dmitri Alperovitch, chairman of Silverado Policy Accelerator, a geopolitical think-tank, told The New York Times.
Alperovitch co-founded CrowdStrike, a cybersecurity firm that helped find the Russians in the DNC systems four years ago.
Russia's embassy in the United States has denied the mounting claims, despite clear evidence accumulated over years that points to Kremlin-backed hackers around the world.
"Malicious activities in the information space contradicts the principles of the Russian foreign policy, national interests and our understanding of interstate relations," the embassy said in a statement on its official Facebook page.
Norway's Police Security Service (PST) last week blamed another Russian hacker group linked to Moscow's military intelligence for a cyber-attack on the Norwegian parliament earlier this year.
"Analyses show that it is likely that the operation was led by a cyber actor... known as APT28 or Fancy Bear," PST said in a statement December 8. "This actor has ties to GRU, Russia's military intelligence agency."
The six Russian agents were also accused of staging a 2017 malware attack called "NotPetya" that infected computers of businesses worldwide, causing nearly $1 billion in losses to three US companies alone.
In addition, they allegedly targeted international investigations into the nerve agent poisoning in England in 2018 of Russian former double agent Sergei Skripal and his daughter, as well as waging cyber-attacks on media outlets (2018) and parliament (2019) in Georgia.
At the same time, British Foreign Secretary Dominic Raab accused Russian military intelligence services of carrying out internet reconnaissance missions against targets linked to the Tokyo Olympics, before the coronavirus pandemic forced postponement of the games until 2021.
The 2017 NotPetya attacks struck businesses and critical infrastructure worldwide, and US targets included hospitals, a subsidiary of delivery giant FedEx and a pharmaceutical manufacturer.
In April 2018, spear phishing campaigns took place against investigations of the Skripal poisoning being conducted by the Organisation for the Prohibition of Chemical Weapons and the United Kingdom's Defence Science and Technology Laboratory.
In Georgia, a spear phishing campaign in 2018 targeted a major media company, and in 2019, hackers strove to compromise the computer network of the country's parliament, according to the US Justice Department.
The defendants launched destructive malware attacks on the electric power grid in Ukraine in December 2015 and December 2016, said US Assistant Attorney General John Demers in October.
"These were the first reported destructive malware attacks against the control systems of civilian critical infrastructure," he said.
"These attacks turned out the lights and turned off the heat in the middle of the Eastern European winter, as the lives of hundreds of thousands of Ukrainian men, women and children went dark and cold."