The SolarWinds hackers have been shown to have had unrestricted access to approximately 3% of the Office 365 mailboxes belonging to the US Justice Department, in a wide-ranging hacking campaign believed to be the work of the Russian Government.
“On Dec. 24, 2020, the Department of Justice’s Office of the Chief Information Officer (OCIO) learned of previously unknown malicious activity linked to the global SolarWinds incident that has affected multiple federal agencies and technology contractors, among others. This activity involved access to the Department’s Microsoft O365 email environment.”
The United States Department of Justice, which has over 110,000 employees and an annual budget of close to 30 billion dollars, is among more than half a dozen federal agencies discovered so far to have been targeted by the attack.
A joint statement issued on Tuesday by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) officially confirms that Russia was behind the breach.
“This work indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks,” the statement reads. “At this time, we believe this was, and continues to be, an intelligence-gathering effort. We are taking all necessary steps to understand the full scope of this campaign and respond accordingly.”
APT29 is the codename used in the cyber-security industry for a group of hackers associated with Russian intelligence agencies. In summer 2014 the Dutch General Intelligence and Security Service (AIVD) managed to infiltrate the group and provided crucial intelligence, including security camera footage, indicating that the group might be led by the Russian Foreign Intelligence Service (SVR).
Back then, the targets were the U.S. Democratic Party, the State Department and the White House, and the evidence provided by the AIVD prompted the FBI to open an investigation into the matter.
The group has been given several nicknames by cybersecurity companies, including Cozy Bear, Office Monkeys, CozyCar, Iron Hemlock, The Dukes, Grizzly Steppe and CozyDuke, to name just a few.
Other known attacks by the group include the 2015 cyber-attack against the Pentagon email system, which resulted in the shutdown of the entire Joint Staff unclassified email system along with its Internet access, and the data-theft attempt of July 2020, when the NSA, the NCSC and the CSE accused Cozy Bear of trying to steal information about the COVID-19 vaccines being developed in Canada, the UK and the US.
So far, the list of compromised US agencies includes the U.S. Department of the Treasury, the U.S. National Telecommunications and Information Administration (NTIA), the U.S. Department of State, the National Institutes of Health (NIH, part of the U.S. Department of Health), the U.S. Department of Homeland Security (DHS), the U.S. Department of Energy (DOE) and the U.S. National Nuclear Security Administration (NNSA).