Hackers nabbed emails between congressional staff and Library of Congress
Affected staff were notified Friday afternoon, according to an internal email. Capitol Hill communications with the Congressional Research Service frequently involve confidential legislative drafts or policies still in the brainstorming stage.
A foreign adversary successfully accessed the contents of email communications between congressional legislative staffers and staff in the Library of Congress’s Congressional Research Service in an elaborate hack that occurred between January and September of this year, according to a person familiar with the matter and an email obtained by Nextgov/FCW.
Committees in the House and Senate that oversee the Library’s funding and operations were notified of the matter only on Thursday, said the person, who spoke on the condition of anonymity to be candid about the nature of the intrusion.
The number of emails accessed by the hackers is unknown at this time, the person added, but the incident is sounding alarms in Congress because the hackers would have potentially viewed months of sensitive correspondence between Capitol Hill’s legislative staffers and the Library’s research agency responsible for supplying committees with policy and legal analysis.
Oftentimes, the contents of those emails revolve around legislative proposals that remain confidential or are still in the brainstorming phase, meaning that the intruders may have been granted an unauthorized preview of potential policymaking ideas.
A separate email obtained by Nextgov/FCW, sent agency-wide on Monday morning from Librarian of Congress Carla Hayden, says that staff impacted by the hack would have been notified on the afternoon of Friday, Nov. 15. Hayden’s email also advised Library of Congress workers to review hyperlinked guidance about phishing emails and email security, though it remains unclear whether the infiltration was carried out via a phishing scam.
NBC News first reported the hack on Saturday. It remains unclear which country the hackers were affiliated with, though the common “big four” nation-state cyber adversaries — Russia, China, Iran and North Korea — would likely be among the contenders.
In an internal email sent to congressional staff on Friday afternoon, the Library said it mitigated the vulnerability used to access the communications and that the incident was referred to law enforcement. The FBI and the Cybersecurity and Infrastructure Security Agency declined to comment.
The Library is “currently analyzing what email communications were accessed and will contact impacted congressional staff and offices to provide additional information when it becomes available,” the email said. Specific email accounts of House and Senate networks were not compromised, nor was the U.S. Copyright Office, it noted.
Congressional committees that supervise the Library did not return a request for comment. Nextgov/FCW has also requested comment from House chief information officer Jamie Crotts — who declined to comment — and Senate CIO Chris Jordan.
Bill Ryan, the Library’s communications director, confirmed the incident in a statement.
“The Library has mitigated the vulnerability that the adversary used to access these emails and has taken measures to prevent such incidents in the future. The Library has referred the matter to law enforcement and is also conducting its own analysis of the breach,” he said in an email.
In May, Nextgov/FCW reported that the Library of Congress was targeted in a cyberattack that occurred in parallel with a high-profile intrusion into the United Kingdom’s British Library last October, but the hackers ultimately failed to access the U.S. library’s systems.
Officials are on high alert for foreign adversary espionage attempts as news percolates about a sweeping Chinese hack into U.S. telecommunications providers and the infrastructure that underpins court-authorized wiretap requests, which has ensnared officials and people affiliated with both major 2024 presidential campaigns.
Over the weekend, the Wall Street Journal reported that T-Mobile is now included in the list of the ten or so telecommunications companies targeted by the group, dubbed Salt Typhoon by the cybersecurity community.
Editor's note: This article has been updated to correct when NBC News first reported the hack.