The extent of the hacking campaign on the federal government by suspected Russian operatives through vulnerabilities in SolarWinds’ Orion software is becoming more clear as agencies publicly acknowledge breaches in their systems.
The SolarWinds hack has put agencies at risk of being surveilled or having data stolen for up to nine months, as users of the software who updated between March and June inadvertently added malware into their networks.
The breach was first reported Dec. 13. And since then, the list of confirmed and potential victims within the federal government continues to grow.
Department of Commerce: The Commerce Department was one of the first to confirm a breach involving email accounts belonging to high ranking officials.
Department of Defense: A U.S. official told the New York Times that parts of the Pentagon were affected by the attack, but the extent isn’t clear yet. Some former DOD officials say the agency could have a better chance at recovering from the breach simply because the compromised software isn’t as popular in DOD agencies.
Department of Energy: Hackers accessed networks at the National Nuclear Security Administration, which houses the country’s nuclear weapons stockpile, Politico first reported Dec. 17. The activity was found in networks belonging to the Office of Secure Transportation at NNSA, Federal Energy Regulatory Commission (FERC), Sandia and Los Alamos national laboratories in New Mexico and Washington, and the Richland Field Office of the DOE.
An ongoing investigation has found that the attack was isolated to business networks only, and not the “mission essential national security functions of the Department,” according to a statement from DOE spokesperson Shaylyn Hynes. When the department detected vulnerable software, Hynes said the department immediately disconnected it from the DOE network.
Department of Homeland Security: A DHS official confirmed to the New York Times that the department was affected by the attack. DHS issued a statement saying they are “aware of reports of a breach” and are “currently investigating the matter.”]
Department of Justice: The Justice Department confirmed on Jan. 6 that it was also a victim of the attack. The department said that about 3% of its Microsoft Office 365 email accounts could have been compromised.
“After learning of the malicious activity, the OCIO eliminated the identified method by which the actor was accessing the O365 email environment,” spokesperson Marc Raimondi said in a statement, adding that the department had “no indication that any classified systems were impacted.”
Department of State: The State Department is one of the breach’s victims, the Washington Post reported. The department’s unclassified email servers were also hacked in 2014 by the same Russian entity thought to be behind this campaign.
Department of the Treasury: Sen. Ron Wyden, D-Ore., confirmed that dozens of Treasury Department email accounts were compromised in the breach. After a briefing to the Senate Finance Committee staff by the IRS and Treasury Department, Wyden said that although it doesn’t seem like taxpayer data was compromised, the hack still “appears to be significant.” It most likely also involved the theft of encryption keys from government servers. “Treasury still does not know all of the actions taken by hackers, or precisely what information was stolen,” Wyden said.
National Institutes of Health: The Washington Post also reported that NIH was caught up in the attacks. Over the summer, there were reports that Russia’s foreign intelligence service went after coronavirus vaccine research at NIH.
Editor’s Note: FedScoop will continue to update this story with developments from federal agencies impacted by the breach.