At least five U.S. government agencies were breached by a cyber-espionage campaign launched by the Russian government, reporting this week revealed.
The attack, which dates back to March and possibly earlier, successfully infiltrated the Departments of State, Defense, Commerce, Treasury and Homeland Security. The list of targets is expected to grow to include more agencies and private companies as more is learned about the scope of the hack.
Described as “highly sophisticated,” the operation accessed U.S. networks through a corrupted software patch. The New York Times called it one of the “greatest intelligence failures of modern times.”
Last year Wired reported that a group of Chinese hackers used a similar software supply chain attack to compromise at least six companies over the prior three years.
This “represents one of the most insidious forms of hacking,” the Wired article states. “By breaking into a developer’s network and hiding malicious code within apps and software updates that users trust, supply chain hijackers can smuggle their malware onto hundreds of thousands—or millions—of computers in a single operation, without the slightest sign of foul play.”
This latest attack underscores the sophistication of modern technological threats—and the challenges of girding against them.
“The federal government and private sector alike — even if they are in tune with supply chain security issues — are dependent on smaller organizations that can be quietly weaponized against them,” CyberScoop wrote this week of the challenge of supply chain vulnerabilities.