
2020 United States federal government data breach

Updated: Wikipedia source


In 2020, a major cyberattack suspected to have been committed by a group backed by the Russian government penetrated thousands of organizations globally, including multiple parts of the United States federal government, leading to a series of data breaches. The cyberattack and data breach were reported to be among the worst cyber-espionage incidents ever suffered by the U.S., due to the sensitivity and high profile of the targets and the long duration (eight to nine months) in which the hackers had access. Within days of its discovery, at least 200 organizations around the world had been reported to be affected by the attack, and some of these may also have suffered data breaches. Affected organizations worldwide included NATO, the U.S. government, the European Parliament, Microsoft and others. The attack, which had gone undetected for months, was first publicly reported on December 13, 2020, and was initially only known to have affected the U.S. Treasury Department and the National Telecommunications and Information Administration (NTIA), part of the U.S. Department of Commerce. In the following days, more departments and private organizations reported breaches. The cyberattack that led to the breaches began no later than March 2020. The attackers exploited software or credentials from at least three U.S. firms: Microsoft, SolarWinds, and VMware. A supply chain attack on SolarWinds's Orion software, widely used in government and industry, provided an initial entry point. Microsoft cloud products provided another, allowing the attackers to also breach victims who were not SolarWinds customers. Flaws in Microsoft and VMware products allowed the attackers to access emails and other documents, and to perform federated authentication across victim resources via single sign-on infrastructure.
In addition to the theft of data, the attack caused costly inconvenience to tens of thousands of SolarWinds customers, who had to check whether they had been breached, and had to take systems offline and begin months-long decontamination procedures as a precaution. U.S. senator Richard J. Durbin described the cyberattack as tantamount to a declaration of war. President Donald Trump was silent for several days after the attack was publicly disclosed. He suggested that China, not Russia, might have been responsible for it, and that "everything is well under control".

Infobox

Date
Before October 2019 (start of supply chain compromise); March 2020 (possible federal breach start date); December 13, 2020 (breach acknowledged)
Duration
At least 8 or 9 months
Location
United States, United Kingdom, Spain, Israel, United Arab Emirates, Canada, Mexico, others
Type
Cyberattack, data breach
Theme
Malware, backdoor, advanced persistent threat, espionage
Cause
SolarWinds supply chain attack (SUNBURST trojan); Microsoft Outlook Web App software bug; Microsoft supply chain attack (reseller compromise); VMware software bug; Zerologon software bug
Target
U.S. federal government, state and local governments, and private sector
First reporter
FireEye (coordinated vulnerability disclosure); NSA (coordinated vulnerability disclosure); Reuters (public disclosure)
Suspects
Berserk Bear (Russia); Cozy Bear (Russia); FSB (Russia); SVR (Russia)

Tables

Impact: List of confirmed connected data breaches: U.S. federal government

Branch    | Institution                                       | Affected part(s) include                                                           | Assets accessed
Executive | Department of Agriculture                         | National Finance Center                                                            |
Executive | Department of Commerce                            | National Telecommunications and Information Administration                         |
Executive | Department of Defense                             | Parts of The Pentagon, National Security Agency, Defense Information Systems Agency |
Executive | Department of Energy                              | National Nuclear Security Administration                                           |
Executive | Department of Health and Human Services           | National Institutes of Health                                                      |
Executive | Department of Homeland Security                   | Cybersecurity and Infrastructure Security Agency                                   | e-mails of top officials
Executive | Department of Justice                             |                                                                                    | ~3000 Microsoft Office 365-hosted email accounts
Executive | Department of Labor                               | Bureau of Labor Statistics                                                         |
Executive | Department of State                               |                                                                                    |
Executive | United States Department of Transportation        | Federal Aviation Administration                                                    |
Executive | Department of the Treasury                        |                                                                                    |
Judicial  | Administrative Office of the United States Courts | Case Management/Electronic Case Files                                              | Court documents, including sealed case files
Impact: List of confirmed connected data breaches: U.S. state and local governments

State      | Affected part(s) include
Arizona    | Pima County
California | California Department of State Hospitals
Ohio       | Kent State University
Texas      | City of Austin
Impact: List of confirmed connected data breaches: Private sector

Organization                                  | Assets accessed
Belkin                                        |
Cisco Systems                                 |
Cox Communications                            |
Equifax                                       |
Fidelis                                       |
FireEye                                       | Red team tools
Malwarebytes                                  |
Microsoft                                     | Product source code; Reseller accounts
Mimecast                                      | Cryptographic certificate; Microsoft Office 365-hosted email
Nvidia                                        |
Palo Alto Networks                            |
Qualys                                        |
SolarWinds                                    | Microsoft Office 365-hosted email; Build system
A think tank (unnamed as of December 15, 2020) |
VMware                                        |
