Suspected Russian hackers infiltrated dozens of email accounts at the Treasury Department and broke into systems used by the department’s highest-ranking officials, a Senator briefed on the matter said Monday.
Democratic Sen. Ron Wyden, of Oregon, provided new details of the hack following a briefing to the Senate Finance Committee by the IRS and Treasury Department.
Wyden, the ranking Democrat on the Senate Finance Committee, said the Treasury Department doesn’t know all of the activity the hackers engaged in or precisely what information was stolen.
Though there is no indication that taxpayer data was compromised, the hack ‘appears to be significant,’ Wyden continued.
Wyden said the hackers broke into systems in the Treasury Department’s Departmental Offices division, home to the highest-ranking officials, and infiltrated dozens of department email accounts.
In addition, the breach appears to involve the theft of encryption keys, Wyden said.
‘Cozy Bear’: The Russian hacker cell suspected in attack
Russia denies involvement in the SUNBURST attack, but US officials say the nation is behind the ‘Advanced Persistent Threat’ (APT) that carried out the audacious breach.
Sources say that one top suspect is APT29, the Kremlin-linked group also known as Cozy Bear.
Cozy Bear is best known as the group said to be responsible for the 2016 breach of the Democratic National Committee’s servers.
Experts believe that Cozy Bear operates as part of one of Russia’s intelligence agencies.
Some doubt the attribution of SUNBURST to Cozy Bear, though, noting that the tools used in the attack have never been seen before.
‘Treasury still does not know all of the actions taken by hackers, or precisely what information was stolen,’ Wyden said in a statement.
It is also not clear what Russian hackers intend to do with any emails they may have accessed, though Wyden called the breach a ‘goldmine for foreign adversaries looking to spy on or blackmail government officials.’
An aide to Wyden told The New York Times the department’s officials indicated that Treasury Secretary Steve Mnuchin’s email account had not been breached.
A Treasury Department spokeswoman declined to comment on Wyden’s statement.
Mnuchin addressed the hacking earlier on Monday and said the department’s classified systems had not been breached.
‘At this point, we do not see any break-in into our classified systems,’ he told CNBC. ‘Our unclassified systems did have some access.’
Mnuchin added that the hacking was related to third-party software. He sought to assure that there had been no damage or large amounts of information displaced as a result of the attack and that the agency had the resources to protect the financial industry.
‘I can assure you, we are completely on top of this,’ he said, declining to specify how the alleged Russian hacks were able to go undetected for several months.
SolarWinds timeline: Company stocks and when they discovered attack
March: Updated versions of SolarWinds’ premier product, Orion, are infiltrated by an ‘outside nation state’
SolarWinds customers who installed updates to their Orion software were unknowingly welcoming hidden malicious code that could give intruders the same view of their corporate network that in-house IT crews have
November 18 and 19: Outgoing CEO Kevin Thompson sells $15m in shares
December 7: Leading investors Silver Lake and Thoma Bravo sell $280m in SolarWinds shares
December 7: CEO Kevin Thompson resigns. His transition had already been announced but no set date given
December 8: FireEye announces hackers broke into its servers
December 9: New CEO Sudhakar Ramakrishna announced to take over from Thompson in 2021
December 11: FireEye claims it became aware that SolarWinds updates had been corrupted and contacted the company
December 13: The infiltration of Orion becomes public
The US issues an emergency warning, ordering government users to disconnect SolarWinds software which it said had been compromised by ‘malicious actors’
The Pentagon, the State Department and the National Institutes of Health, as well as the Treasury, Commerce and Homeland Security departments reveal they were targeted
Treasury was among the earliest known agencies reported to have been affected in a breach tied to Russia’s SVR intelligence agency that now encompasses a broad spectrum of US government departments.
The effects and consequences of the hack are still being assessed, though the Department of Homeland Security’s cybersecurity arm said in a statement that the intrusion posed a ‘grave’ risk to government and private networks.
Wyden said the Treasury Department breach began in July. But experts believe the overall hacking operation began months earlier when malicious code was slipped into updates to popular software that monitors computer networks of businesses and governments.
The malware, affecting a product made by U.S. company SolarWinds, gave elite hackers remote access into organizations’ networks so they could steal information.
It wasn’t discovered until the prominent cybersecurity company FireEye determined it had been hacked.
In the Treasury Department’s case, Wyden said that once the Russian hackers used the SolarWinds software update to infiltrate the agency’s systems, they performed a complicated ‘step inside’ Microsoft’s Office 365 system to create an encrypted ‘token’ that identifies a computer to the larger network.
The counterfeit token allowed the hackers to fool the system into thinking they were legitimate users – permitting them to sign on without having to guess user names and passwords.
‘After years of government officials advocating for encryption backdoors, and ignoring warnings from cybersecurity experts who said that encryption keys become irresistible targets for hackers, the [US Government] USG has now suffered a breach that seems to involve skilled hackers stealing encryption keys from USG servers,’ Wyden said.
The details Wyden shared are among the first to specifically describe what investigators know about what was compromised in the suspected Russian cyber espionage operation.
Microsoft said last week that it had since fixed the flaw exploited by the Russians. The tech giant, which has helped respond to the breach, also revealed that it had identified more than 40 government agencies, think tanks, nongovernmental organizations and IT companies infiltrated by the hackers.
Microsoft notified the Treasury Department that dozens of email accounts were compromised.
President Donald Trump sought to downplay the severity of the hack last week, tweeting without any evidence that perhaps China was responsible.
At least two Cabinet members, Secretary of State Mike Pompeo and Attorney General William Barr, have stated publicly that they believe Russia was responsible, the consensus of others in the US government and of the cybersecurity community.
‘From the information I have…it certainly appears to be the Russians,’ Barr said at a press conference Monday.
Russian President Vladimir Putin’s spokesman has denied Kremlin involvement, and the Russian embassy said in a statement that the country ‘does not conduct offensive operations in the cyber domain.’
The breach is being called the biggest cyberattack in American history, with Senate Minority Whip Dick Durbin, an Illinois Democrat, last week demanding a ‘response in kind’.
‘When adversaries such as Russia torment us, tempt us, breach the security of our nation, we need to respond in kind,’ said Durbin, though noting he was not calling for ‘all-out war’.
President-elect Joe Biden also vowed a tough response, saying in a statement: ‘Our adversaries should know that, as president, I will not stand idly by in the face of cyber assaults on our nation.’
Biden vowed to ‘disrupt and deter’ future cyber attacks by ‘imposing substantial costs on those responsible for such malicious attacks, including in coordination with our allies and partners.’