Russian group reportedly hacks US Commerce and Treasury departments
The U.S. Treasury and Commerce Departments have been attacked by hackers believed to be linked to the Russian government, according to multiple reports today.
The hack, according to The Washington Post, came from Advanced Persistent Threat 29 (APT29), also known in cybersecurity circles as Cozy Bear. That's the same Russian-linked group that was accused of targeting COVID-19 vaccine research in July.
Neither the Commerce Department nor the Treasury has formally confirmed the reports, which began circulating roughly Dec. 12. The U.S. Federal Bureau of Investigation is reported to be investigating but has made no official comment. A spokesperson for the National Security Council did in part confirm the report, however, telling Reuters that they "are taking all necessary steps to identify and remedy any possible issues related to this situation."
Where the story takes an interesting twist is that the hack is reported to have involved the compromise of software from SolarWinds Worldwide LLC, which sells network and IT monitoring products. Although it didn't say its software was being used by U.S. government departments, the company said today that monitoring product builds released between March and June may have been "surreptitiously tampered" with in a "highly sophisticated, targeted and manual supply chain attack by a nation-state." In a supply chain attack of this kind the attacker compromises the vendor's build or distribution process so that a legitimately signed update itself carries the malicious code, which is what makes it so hard for customers to detect.
SolarWinds also noted that it's working with FireEye Inc., the FBI, the intelligence community and other law enforcement agencies to investigate the hack. "We are limited as to what we can share at this time," the company added, lending credence to the reports that the hack reached high levels of the U.S. government.
The spokesperson for the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency said separately that “we have been working closely with our agency partners regarding recently discovered activity on government networks. CISA is providing technical assistance to affected entities as they work to identify and mitigate any potential compromises.”
The hack may not be limited to the Commerce Department and Treasury. The Post report said the compromised SolarWinds software is used by more than 300,000 organizations across the world, including the U.S. military (the Post claimed "all five branches of the U.S. military," though there are six branches since the creation of the Space Force), the Pentagon, the State Department, the Justice Department, the National Aeronautics and Space Administration, the Executive Office of the President and the National Security Agency. Being a customer of the software does not by itself mean an organization was breached; which of those customers installed a tampered build, and which were then actively targeted, has not been reported.
That SolarWinds is working with FireEye may also be notable. FireEye is a leading Nasdaq-listed cybersecurity company, but it was itself hacked earlier this month, with its red team security testing tools stolen by what the company believes were state-sponsored hackers. Although FireEye didn't point the finger at Russia, the odds that it was Russian hackers are fairly good, since any report of state-sponsored hackers usually comes down to a choice of Russia, China, Iran or North Korea.
"Attribution of sophisticated APT attacks, as reportedly affected SolarWinds and subsequently its customers, remains a highly complicated, time-consuming and costly task," Ekaterina Khrustaleva, chief operating officer at web security company ImmuniWeb, told SiliconANGLE. "Global cooperation in cybercrime prosecution is vital to break the impasse and make computer crime investigable."