Department of Energy says it was hacked in suspected Russian campaign

Kevin Collier and Laura Strickler
The US Department of Energy building is seen in Washington, DC, on July 22, 2019.
ALASTAIR PIKE | AFP | Getty Images

The Department of Energy was hacked as part of a massive, ongoing campaign against the U.S. government, a spokesperson said Thursday, making it the latest confirmed agency breached by Russian spies.

A number of federal agencies have been hit by a massive, months-long breach, which officials believe is the work of Russian intelligence, leaving the government scrambling to find out what was infected and how much information was stolen.

"The investigation is ongoing and the response to this incident is happening in real time," DOE spokeswoman Shaylyn Hynes said in a statement.

"At this point, the investigation has found that the malware has been isolated to business networks only, and has not impacted the mission essential national security functions of the Department, including the National Nuclear Security Administration," she said.

Much of the campaign came after the hacking of SolarWinds, an Austin, Texas-based firm that counts many government agencies and a number of major U.S. companies as customers. The hackers planted malicious code into software updates, which bypassed the federal cybersecurity scans.

The campaign is believed to have started in early March, at the latest, and was made public Dec. 8 when the cybersecurity company FireEye, which also does work for federal agencies, admitted it had been hacked. On Sunday, the U.S. Cybersecurity and Infrastructure Agency released an emergency directive to uninstall the compromised version of SolarWinds' software.

DOE was first notified by CISA on Sunday and immediately disconnected its systems, a federal official with knowledge of the situation said. Teams there are now working around the clock to assess what, if anything, was exfiltrated, which may take weeks.

It was "one of the most sophisticated hacks" they have ever seen, the official said, and called the fact that the government only learned of the breach after a private company was hacked and after it had been going on for months "truly breathtaking."

Hynes said in the department's statement that "immediate action was taken to mitigate the risk, and all software identified as being vulnerable to this attack was disconnected from the DOE network."

Only one other federal agency, the Department of Commerce, has formally acknowledged it was hacked as part of the SolarWinds campaign, but a number of other agencies, including the Homeland Security and Treasury departments, are reported to have also been breached.

On Wednesday, a joint statement from CISA, the FBI and the Office of the Director of National Intelligence said the campaign was "significant and ongoing."