It now seems likely that Russian authorities knew before anyone else did that U.S. President Donald Trump would fire Chris Krebs, director of the Cybersecurity and Infrastructure Security Agency, a dismissal that was announced on Twitter.
For at least the past nine months, while the U.S. authorities were consumed with political spats and the pandemic, further complicated by various daily personnel changes within the agencies, a hacker group said to be linked to the Russian government reportedly breached an unknown number of businesses and state agencies, including the Office of the President of the United States.
According to media reports, Russian hackers got inside the servers of a network management system called SolarWinds, whose client list includes all five branches of the U.S. military and the White House. Its software is also used by the top U.S. telecommunications companies.
There are more than 300,000 clients on this list, including "more than 425 of the U.S. Fortune 500," as well as the U.S. Treasury and Commerce departments; however, the full scope of the breach still remains unclear.
SolarWinds said up to 18,000 of its customers had downloaded a compromised software update that allowed hackers to spy on them for almost nine months.
The White House confirmed that hackers had gained access to the two departments and monitored internal emails.
The U.S. Cybersecurity and Infrastructure Security Agency issued a rare emergency directive and instructed all federal civilian agencies to power down SolarWinds products immediately.
The hackers also broke into FireEye, a top cybersecurity firm with government and commercial contracts, and stole hacking tools the firm uses to test clients’ computer defenses.
As reported by Reuters, this cyber-espionage campaign dates back months and appears to be the work of the hacking group known as “Cozy Bear” or “APT29”.
The group is thought to be linked to Russia’s foreign intelligence service, or the SVR RF, which collaborates with the country’s Federal Security Service (FSB).
In its own statement, the U.S. government did not name Russia or any other actor as being responsible. Yet, the Russian Embassy in the U.S. posted on its Facebook page that this is another “unfounded attempt of the U.S. media to blame Russia for hacker attacks on U.S. governmental bodies”.
Still, the Cozy Bear group is not a stranger to U.S. authorities. According to security firm CrowdStrike, Cozy Bear was involved in the hack on the Democratic National Committee (DNC) during the U.S. presidential election in 2016.
Some of its hackers were publicly named by special counsel Robert Mueller following his 2018 investigation into Russian interference during the campaign.
With the start of the pandemic outbreak, many cybercriminals pledged not to attack health-care providers. But this “honor amongst thieves” never included state-sponsored cyberattacks, and clearly plenty of hackers failed to get the memo. Since March, phishing attacks have jumped more than 600%, targeting businesses, individuals and various levels of governmental agencies.
In July, British, American, and Canadian intelligence agencies accused Cozy Bear hackers of using phishing emails to deceive researchers at universities, private companies, and elsewhere.
Separately, researchers at Barracuda Networks tracked almost 10,000 attempted phishing email cyberattacks linked to the coronavirus crisis since the beginning of March. The hackers have also targeted the US Department of Health, prompting an FBI warning that hackers had attempted to infiltrate medical facilities associated with COVID-19 vaccine research.
The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) said that state-sponsored Chinese hackers were targeting US researchers, both state-run and private, in cyberattacks seeking information on vaccines for COVID-19. "China's efforts to target these sectors pose a significant threat to our nation's response to COVID-19," CISA and the FBI said.