Reports: Suspected Russian Hackers Breach Commerce, Treasury Departments 


U.S. officials are investigating what data may have been stolen and whether the hack is more widespread.

Editor's Note: CISA issued an emergency directive to agencies at nearly midnight Dec. 13. Get the details here. 

The Cybersecurity and Infrastructure Security Agency and FBI are investigating a breach of at least two federal agencies believed to have been carried out by hackers likely working for Russia, according to a story first reported Sunday by Reuters.

According to the report, hackers have been monitoring internal emails at the Treasury Department and the National Telecommunications and Information Administration, a Commerce Department agency that creates internet policy. 

The report suggests the breach of federal systems is related to a recent hack of cybersecurity firm FireEye, and posits the culprits used a “supply chain attack” to gain access to the systems. An unnamed official in the Reuters report further added that the “highly sophisticated” hackers were able to trick Microsoft’s email platform authentication controls. Multiple officials told the Washington Post that hackers may have breached the agencies through software updates of a network management system operated by Texas-based IT company SolarWinds.

Microsoft declined to comment Sunday. 

SolarWinds released a statement Sunday acknowledging a possible vulnerability in one of their software products.  

“We are aware of a potential vulnerability which if present is currently believed to be related to updates which were released between March and June 2020 to our Orion monitoring products,” said Kevin Thompson, SolarWinds president and CEO, in a statement. “We believe that this vulnerability is the result of a highly-sophisticated, targeted and manual supply chain attack by a nation state. We are acting in close coordination with FireEye, the Federal Bureau of Investigation, the intelligence community, and other law enforcement to investigate these matters. As such, we are limited as to what we can share at this time.”

SolarWinds’ website says the company works with more than 300,000 customers, including many Fortune 500 companies, the National Security Agency, the Executive Office of the President, Defense Department agencies and military services, the Census Bureau, Justice Department, Veterans Affairs Department and some national labs. 

“Also, hacks of this type take exceptional tradecraft and time. On the 1st, if this is a supply chain attack using trusted relationships, really hard to stop. On the 2nd, I suspect this has been underway for many months. Need good detections to find victims and determine scope,” former CISA Director Christopher Krebs tweeted. He also said to watch for a possible emergency directive from CISA and recommended “everyone should follow suit,” even though the agency’s authority applies only to the federal government.

This year, CISA issued a handful of emergency directives, including one to mitigate a severe flaw in Microsoft Windows 10 that was disclosed by NSA and another instructing agencies to address a flaw in Windows Server’s Domain Name System service within 24 hours.

The news of Treasury and NTIA breaches comes one week after the NSA issued a warning that state-sponsored Russian hackers were targeting virtual workspaces. Due to the coronavirus pandemic, hundreds of thousands of federal employees and contractors have been working outside traditional offices. 

The National Security Council met with the White House Saturday in response to the hack, according to multiple media reports.  

The Treasury and Commerce Departments did not respond to requests for comment by press time Sunday.