The FBI and Department of Homeland Security are investigating a massive, months-long hacking campaign that was confirmed on Sunday to have affected the U.S. Treasury and Commerce departments.
The NSA's Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive on Sunday around a piece of server software called SolarWinds Orion that was reported compromised several days ago. SolarWinds claims to have 300,000 customers worldwide, including many Fortune 500 companies, the top 10 U.S. telecommunications companies, and the top five U.S. accounting firms.
It also has contracts with multiple government agencies, including the U.S. military, the State Department, NASA, the NSA, CISA, the Department of Justice, FBI, and the White House.
"This vulnerability is the result of a highly-sophisticated, targeted, and manual supply chain attack by a nation state," said SolarWinds CEO Kevin Thompson.
The developments come less than a week after one of the largest U.S. cybersecurity firms, FireEye, said it had been hacked using the SolarWinds exploit.
Cybersecurity experts have pointed to the Russian-linked group APT29 – also known as "Cozy Bear" – as a possible culprit behind the attack. The group was believed to have attacked multiple federal agencies during the Obama administration and hacked the Democratic National Convention in 2016.
Through the attack, the hackers were able to manipulate Microsoft Office 365, gaining access to emails by tricking the authentication system. The hackers are believed to have exploited an update to the software released sometime between March and June to gain access.
Cybersecurity expert Dmitri Alperovitch said the exploit would give a hacker "God-mode."
The attack led to an emergency meeting of the National Security Council at the White House on Saturday.
"The United States government is aware of these reports and we are taking all necessary steps to identify and remedy any possible issues related to this situation," said John Ullyot, a National Security Council spokesperson.