Justice Department was hacked by Russians in ongoing cyberespionage campaign - officials

Published Jan 7, 2021


By Ellen Nakashima

Washington - The Justice Department has become the latest known victim of Russian hackers, who are engaged in an ongoing campaign of cyberespionage that has afflicted federal agencies and the private sector.

A department spokesman said Wednesday that the department's Office of the Chief Information Officer (OCIO), which handles network security, on Dec. 24 learned of malicious activity linked to the hacking campaign.

The intrusions into other federal agencies and technology firms were discovered earlier last month, and in the Justice Department's case it involved its unclassified Office 365 email system, spokesman Marc Raimondi said.

Office 365 email is hosted on Microsoft's Azure cloud, on servers operated by the tech giant.

"After learning of the malicious activity, the OCIO eliminated the identified method by which the actor was accessing the O365 email environment," Raimondi said in a statement.

"At this point, the number of potentially accessed O365 mailboxes appears limited to around 3-percent and we have no indication that any classified systems were impacted," he said.

The Justice Department joins the departments of Treasury, Commerce, State, Homeland Security and Energy with known breaches, which were carried out by the Russian Foreign Intelligence Service, the SVR, according to U.S. officials who, like others, spoke on the condition of anonymity to discuss an open investigation.

The U.S. intelligence community said Tuesday that the intrusions were "likely Russian in origin" - the agencies' first formal acknowledgment that they believe Moscow is behind the campaign.

Russia has denied involvement.

The cyberspies leveraged an update made by the Texas-based company SolarWinds, which provides network monitoring software, to gain access to victims' networks. Once inside, the hackers were able to steal users' log-ins and passwords to enable them to roam freely in unclassified networks, including email systems, without being detected.

Using the SolarWinds update system is an example of what's called a "supply chain" attack. Many organizations use SolarWinds to optimize their networks' performance and were unaware of the company's apparently lax software security.

SolarWinds is a customer of JetBrains, a software company founded in Russia and now headquartered in the Czech Republic. Private cybersecurity firms are probing whether JetBrains, which makes software that allows developers to test code ahead of its release, played any role in the Russian breaches, according to a person familiar with the matter.

Specifically they want to know whether Russian hackers were able to insert back doors into software that was then used by SolarWinds or other companies, enabling the compromises, the person said. The inquiry was first reported by The New York Times.

In response to The Times's story, JetBrains CEO Maxim Shafirov said in a blog post that "JetBrains has not taken part or been involved in this attack in any way." He said SolarWinds "has not contacted us with any details regarding the breach."

If the firm's software, called TeamCity, has been used in the breaches, he said, "it could very well be due to misconfiguration, and not a specific vulnerability." He added that "we have not been contacted by any government or security agency regarding this matter, nor are we aware of being under any investigation."

Last month the Department of Homeland Security Cybersecurity and Infrastructure Security Agency issued an alert saying it had evidence that the attackers were using additional means besides the SolarWinds update to gain entry into computers.

The Washington Post reported last month that the Russian hackers compromised some Microsoft cloud customers through a corporate partner or "reseller" that handles cloud-access services. There may be other means not publicly identified that have been used to hack victims' networks, said people familiar with the matter.

The intelligence community also said Tuesday that investigators have identified fewer than 10 federal entities whose networks have been breached, though as the investigation continues, more federal agencies may turn out to have been compromised.

As many as 250 government and private-sector entities have been compromised, though investigators are working to ascertain the exact scope of the hacks.

The Washington Post
