The intrusions of the government networks involved a sophisticated compromise of federal workers’ Microsoft email accounts, the U.S. official said. Microsoft’s email and office software is commonly used throughout the federal government.
“It's not entirely certain what vulnerability they're using, how they got in,” the official said, “but it continues to be a problem.”
Investigators believe that the hackers have been monitoring agency employees’ emails since June, according to the official, who described the level of concern inside the government as “very high.”
The NTIA, which oversees telecommunications policies including efforts to secure 5G wireless technology, declined to comment on the intrusion and referred questions to the Commerce Department. The department confirmed that “there has been a breach in one of our bureaus” and said it had requested assistance from the FBI and DHS’s Cybersecurity and Infrastructure Security Agency.
CISA said it has “been working closely with our agency partners regarding recently discovered activity on government networks” and is “providing technical assistance to affected entities.”
The FBI did not provide a comment, and Treasury did not respond to a request for comment.
The breaches, first reported by Reuters, prompted the NSC to hold Saturday’s emergency meeting, which included National Security Adviser Robert O’Brien and Federal Chief Information Security Officer Camilo Sandoval, the U.S. official said.
NSC spokesperson John Ullyot said the Trump administration was “taking all necessary steps to identify and remedy any possible issues related to this situation.”
The Office of the Director of National Intelligence and U.S. Cyber Command are both involved in the investigation, said the U.S. official, who described their engagement as indicative of “a nation-state confrontation.”
Investigators believe that the intrusions were the work of Russia’s foreign intelligence service, the SVR, according to The Washington Post. That same agency is suspected of breaching FireEye, which announced last week that “a highly sophisticated threat actor” had stolen the tools it uses to simulate cyberattacks on its clients.
The government suspects that the FireEye and agency hacks are connected and is now worried that “the same techniques … could have been leveraged against other agencies” because “everybody uses Microsoft products,” the U.S. official said.
The attack began with the IT vendor SolarWinds, according to The Post. In a statement, SolarWinds CEO Kevin Thompson said that “a highly-sophisticated, targeted and manual supply chain attack by a nation state” had compromised the software updates that it sent to users of its Orion IT monitoring platform between March and June.
SolarWinds’ other government customers include the Justice Department; the U.S. Census Bureau; several national laboratories; and state, local, and foreign customers such as the European Parliament and Britain’s National Health Service.
Daniel Lippman contributed to this report.