
      Hackers stole ancestry data of 6.9 million users, 23andMe finally confirmed

      news.movim.eu / ArsTechnica · Monday, 4 December - 22:48


    It's now been confirmed that an additional 6.9 million 23andMe users had ancestry data stolen after hackers accessed thousands of accounts by likely reusing previously leaked passwords.

    This is a much larger number of accounts than 23andMe previously disclosed in a Securities and Exchange Commission filing, which estimated that 0.1 percent of users—approximately 14,000, TechCrunch estimated—had accounts accessed by hackers using compromised passwords.

    After the cyberattack was reported, Wired estimated that "at least a million data points from 23andMe accounts" that were "exclusively about Ashkenazi Jews" and data points from "hundreds of thousands of users of Chinese descent" seemed to be exposed. But beyond those estimates, for two months, all the public knew was that 23andMe's filing noted that "a significant number of files containing profile information about other users' ancestry" were also accessed.


      White House challenges hackers to break top AI models at DEF CON 31

      news.movim.eu / ArsTechnica · Monday, 8 May, 2023 - 16:42 · 1 minute


    On Thursday, the White House announced a surprising collaboration between top AI developers, including OpenAI, Google, Anthropic, Hugging Face, Microsoft, Nvidia, and Stability AI, to participate in a public evaluation of their generative AI systems at DEF CON 31, a hacker convention taking place in Las Vegas in August. The event will be hosted by AI Village, a community of AI hackers.

    Since last year, large language models (LLMs) such as ChatGPT have become a popular way to accelerate writing and communications tasks, but officials recognize that they also come with inherent risks. Issues such as confabulations, jailbreaks, and biases pose challenges for security professionals and the public. That's why the White House Office of Science, Technology, and Policy endorses pushing these new generative AI models to their limits.

    "This independent exercise will provide critical information to researchers and the public about the impacts of these models and will enable AI companies and developers to take steps to fix issues found in those models," says a statement from the White House, which says the event aligns with the Biden administration's AI Bill of Rights and the National Institute of Standards and Technology's AI Risk Management Framework.


      North Korean hackers target security researchers with a new backdoor

      news.movim.eu / ArsTechnica · Friday, 10 March, 2023 - 22:13


    Threat actors connected to the North Korean government have been targeting security researchers in a hacking campaign that uses new techniques and malware in hopes of gaining a foothold inside the companies the targets work for, researchers said.

    Researchers from security firm Mandiant said on Thursday that they first spotted the campaign last June while tracking a phishing campaign targeting a US-based customer in the technology industry. The hackers in this campaign attempted to infect targets with three new malware families, dubbed by Mandiant as Touchmove, Sideshow, and Touchshift. The hackers in these attacks also demonstrated new capabilities to counter endpoint detection tools while operating inside targets’ cloud environments.

    “Mandiant suspects UNC2970 specifically targeted security researchers in this operation,” Mandiant researchers wrote.


      DoJ says SolarWinds hackers breached its Office 365 system and read email

      Dan Goodin · news.movim.eu / ArsTechnica · Thursday, 7 January, 2021 - 02:27


    The US Justice Department has become the latest federal agency to say its network was breached in a long and wide-ranging hack campaign that’s believed to have been backed by the Russian government.

    In a terse statement issued Wednesday, Justice Department spokesman Marc Raimondi said that the breach wasn’t discovered until December 24, which is nine days after the hack campaign came to light. The hackers, Raimondi said, took control of the department’s Office 365 system and accessed email sent or received from about 3 percent of accounts. The department has more than 100,000 employees.

    Investigators believe the campaign started when the hackers took control of the software distribution platform of SolarWinds, an Austin, Texas-based maker of network management software that’s used by hundreds of thousands of organizations. The attackers then pushed out a malicious update that was installed by about 18,000 of those customers. Only a fraction of the 18,000 customers received a follow-on attack that used the backdoored SolarWinds software to view, delete, or alter data stored on those networks.


      Microsoft is reportedly added to the growing list of victims in SolarWinds hack

      Dan Goodin · news.movim.eu / ArsTechnica · Thursday, 17 December, 2020 - 23:36


    Microsoft was hacked by the same group that compromised the networks of software maker SolarWinds and multiple federal agencies, Reuters reported, citing people familiar with the matter.

    Citing the same people, the news service said that Microsoft’s own products were then used in follow-on hacks on others. It wasn’t immediately clear how many Microsoft users were affected or what Microsoft products were used. Microsoft representatives weren’t immediately available for comment.

    Microsoft is just one of the recent additions to a rapidly growing list of victims in the wide-ranging and advanced hack that reportedly had the backing of the Russian government. Politico reported that the US Department of Energy and the National Nuclear Security Administration had evidence the same hackers accessed their networks. Bloomberg News said that three unidentified US states were hacked in the same campaign. The Intercept, meanwhile, said the hackers had been inside the city of Austin, Texas, for months.


      Facebook says hackers backed by Vietnam’s government are linked to IT firm

      Dan Goodin · news.movim.eu / ArsTechnica · Friday, 11 December, 2020 - 19:43


    Facebook said it has linked an advanced hacking group widely believed to be sponsored by the government of Vietnam to what's purported to be a legitimate IT company in that country.

    The so-called advanced persistent threat group goes under the monikers APT32 and OceanLotus. It has been operating since at least 2014 and targets private sector companies in a range of industries along with foreign governments, dissidents, and journalists in South Asia and elsewhere. It uses a variety of tactics, including phishing, to infect targets with fully featured desktop and mobile malware that’s developed from scratch. To win targets’ confidence, the group goes to great lengths to create websites and online personas that masquerade as legitimate people and organizations.

    Earlier this year, researchers uncovered at least eight unusually sophisticated Android apps hosted in Google Play that were linked to the hacking group. Many of them had been there since at least 2018. OceanLotus repeatedly bypassed Google’s app-vetting process, in part by submitting benign versions of the apps and later updating them to add backdoors and other malicious functionality.


      Hackers unlawfully access data related to promising COVID-19 vaccines

      Dan Goodin · news.movim.eu / ArsTechnica · Wednesday, 9 December, 2020 - 21:19


    Information relating to one of the most promising coronavirus vaccines has been “unlawfully accessed” following a hack on the European regulatory body that’s in the final stages of approving it, the firms jointly developing the vaccine said on Wednesday.

    The European Medicines Agency based in Amsterdam first disclosed the breach. The statement said only that the EMA had been subject to a cyberattack and that it had begun a joint investigation along with law enforcement. The agency didn’t say when the hack happened or whether the attackers sought vaccine information, aimed to infect the network with ransomware, or pursued some other purpose. An EMA spokesperson said in an email that “the Agency is fully functional and work continues.”

    Around the same time on Wednesday, pharmaceutical company Pfizer and biotech company BioNTech issued a joint release that said: “Today, we were informed by the European Medicines Agency (EMA) that the agency has been subject to a cyber attack and that some documents relating to the regulatory submission for Pfizer and BioNTech’s COVID-19 vaccine candidate, BNT162b2, which has been stored on an EMA server, had been unlawfully accessed.”


      Security firm FireEye says nation-state hackers stole potent attack tools

      Dan Goodin · news.movim.eu / ArsTechnica · Tuesday, 8 December, 2020 - 22:08


    FireEye, a $3.5 billion company that helps customers respond to some of the world’s most sophisticated cyberattacks, has itself been hacked, most likely by a well-endowed nation-state that made off with potent “red-team” attack tools used to pierce network defenses.

    The revelation, made in a press release posted after the close of stock markets on Tuesday, is a stunning development. It suggests that a group that was already capable of penetrating a company with FireEye’s security prowess and resources is now in possession of new exploits, backdoor implants, or other tools, making the hackers an even greater threat to organizations all over the world.

    So far, the company has seen no evidence the tools are actively being used in the wild and isn’t sure if the attackers plan to do so. Nonetheless, FireEye said it is releasing more than 300 countermeasures that customers can use to protect themselves in the event the tools are used. Such tools are used by so-called red teams, which mimic malicious hackers in training exercises that simulate real-world hack attacks.


      NSA says Russian state hackers are using a VMware flaw to ransack networks

      Dan Goodin · news.movim.eu / ArsTechnica · Monday, 7 December, 2020 - 19:19 · 1 minute


    The National Security Agency says that Russian state hackers are compromising multiple VMware systems in attacks that allow the hackers to install malware, gain unauthorized access to sensitive data, and maintain a persistent hold on widely used remote work platforms.

    The in-progress attacks are exploiting a security bug that remained unpatched until last Thursday, the agency reported on Monday. CVE-2020-4006, as the flaw is tracked, is a command-injection flaw, meaning it allows attackers to execute commands of their choice on the operating system running the vulnerable software. These vulnerabilities are the result of code that fails to filter unsafe user input such as HTTP headers or cookies. VMware patched CVE-2020-4006 after being tipped off by the NSA.

    A hacker’s Holy Grail

    Attackers from a group sponsored by the Russian government are exploiting the vulnerability to gain initial access to vulnerable systems. They then upload a Web shell that gives a persistent interface for running server commands. Using the command interface, the hackers are eventually able to access Active Directory, the part of Microsoft Windows server operating systems that hackers consider the Holy Grail because it allows them to create accounts, change passwords, and carry out other highly privileged tasks.
