Government and industry reeling after Russian hackers pierce internal networks

WASHINGTON — The discovery this weekend that Russian hackers used sophisticated techniques to infiltrate a broad swath of government and corporate networks to steal sensitive information sent cybersecurity experts into a panic, leaving open the question of how the U.S. will respond.

The attribution was made on Sunday, according to one source familiar with the matter, who said the spy group responsible for the breach is known to the military and intelligence community. U.S. Cyber Command, the military combatant command charged with pursuing U.S. enemies in cyberspace, is closely involved in investigating the infiltration, as it may be asked “to respond” to the Russian espionage campaign at a future date, the source said.

The government has reportedly fingered APT29, or Advanced Persistent Threat 29, sometimes called Cozy Bear, a Russian hacking group associated with the Kremlin’s foreign intelligence service, SVR, as the culprit. Cozy Bear has also been tied to spying on COVID-19 vaccine data as well as U.S. and foreign government agencies and think tanks.

“They are going to have to respond,” said another national security official, who noted that the U.S. government might try to keep SVR offline or shut off their network connectivity as retaliation.

One national security official described the atmosphere within the government as “chaos,” forcing cybersecurity workers to scramble to pick up the pieces over the weekend.

“We’re honestly just trying to get a handle on what it all means and what or how much was stolen or made vulnerable,” said one congressional aide.

Russian President Vladimir Putin speaks to members of the country’s foreign intelligence service in Moscow in 2007. (Ria Novosti/Kremlin/Reuters)

The intrusions into government systems, which were first reported by Reuters, included the Department of Homeland Security and the U.S. Treasury and Commerce departments, and may be “only the tip of the iceberg,” according to one national security official. By Monday night, the Washington Post reported that the State Department and the National Institutes of Health were also among the victims.

According to a Securities and Exchange Commission filing from SolarWinds, the company whose software was used as a foothold to get into sensitive networks, “fewer than 18,000” customers were using the vulnerable product. The company says hackers “inserted a vulnerability” into its Orion monitoring products, malicious code that was included in new product downloads as well as security updates between March and June 2020.

Any customer who purchased or updated software during that period, including “more than 425 of the U.S. Fortune 500” and “all five branches of the U.S. military,” according to a recently removed list of the company’s customers, may have been compromised.

Cybersecurity experts fear the ramifications of the attack could be “really, really bad,” said one national security official, referring to the scope of access the attackers had to entire networks for months and months before being detected.

Another former intelligence officer involved in cyber operations said the Russian actors appeared to have spent significant time planning the operation and did an excellent job to “conceal their presence” on networks. Those responsible for identifying breaches are so busy that finding the time to investigate “what by all appearances is a legitimate account” or software update doesn’t make sense, they explained.

However, given that the government has been the victim of massive breaches a number of times over recent years, including the theft of millions of sensitive employee personal records from the Office of Personnel Management in 2015, something needs to change. “We can’t be having these once-in-a-decade breaches happening every couple years like this,” they said.

Department of Homeland Security election security workers monitor screens in the National Cybersecurity and Communications Integration Center in Arlington, Va. (Jonathan Ernst/Reuters)

There are still a number of unanswered questions about who has been breached, how deep the penetrations go and what the hackers’ motivations were — pure espionage or something more.

The National Security Council reportedly met on Saturday to address the breach, and has been coordinating the agencies to respond to the still unfolding crisis, according to a tweet, though a spokesperson for the NSC declined to comment further on how severe the government believes the breach to be or whether the Trump administration is sharing details about its investigation with President-elect Joe Biden’s transition team.

One source familiar with the matter said determining a strategy to deter brazen foreign hacking campaigns is on the Biden team’s “to-do” list but did not elaborate. A spokesperson for Biden’s team declined to comment.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is “working closely with our agency partners regarding recently discovered activity on government networks,” as well as “providing technical assistance to affected entities as they work to identify and mitigate any potential compromises,” a spokesperson said in a statement. CISA issued an “emergency directive” on Sunday to instruct federal agencies on how to respond to the breach, requiring “disconnecting affected devices” from exploited SolarWinds products while waiting for a security patch.

CISA has been in upheaval in recent weeks. On Nov. 17, President Trump fired Chris Krebs, CISA’s director, for debunking conspiracy theories relating to the 2020 presidential election.

On Sunday, Microsoft also published a blog post advising its customers about the breach, including extensive technical details and indicators of compromise, some of which the company has now baked into its own security tools. Microsoft made the point that bad actors using the flaw in SolarWinds software ultimately gain “long term access” by moving through the networks, making it even more challenging to determine if they’ve been kicked out even after the SolarWinds vulnerability has been disclosed.

A view of the National Security Agency headquarters in Fort Meade, Md. (Larry Downing/Reuters)

Additionally, last week, the National Security Agency published an announcement warning managers of national security networks of Russian hackers exploiting a vulnerability in virtual workspaces, software that can interact with SolarWinds’ network and performance monitoring tools. It’s unclear if the two announcements were in any way related.

Regardless of what else federal investigators uncover about the campaign involving SolarWinds software, it’s clear that adversaries will continue to take advantage of flaws in the supply chain — the companies that sell software, hardware and other products to sensitive government and corporate customers.

The intelligence community has highlighted the threat to the federal supply chain in recent years, warning that “foreign adversaries are attempting to access our nation’s key supply chains at multiple points — from concept to design, manufacture, integration, deployment, and maintenance — by inserting malware into important information technology networks and communications systems.”

Recent examples include a September DOJ indictment against Chinese nationals who penetrated software providers then modified their code to install “backdoors” in order to compromise those customers, as well as Chinese-government mandated tax software that included malware in its software upgrades that would launch a backdoor into victims’ networks.

“Supply chain attacks are a nightmare scenario for cyber-defenders and many organizations, as adversaries can gain access to internal networks by compromising devices or software prior to customer installation,” said Matt Ashburn, the former chief information security officer at the National Security Council, and now head of strategic initiatives at Authentic8, a company that sells cloud browsing tools. “Once installed, compromised items can activate malicious features to enable adversary actions, such as data theft and remote access.”

Sen. Mark Warner, the vice chair of the Senate Intelligence Committee, also emphasized the key role supply chains play in potential attacks, like NotPetya, a ransomware attack that cost large companies hundreds of millions of dollars. “As we learned in the NotPetya attacks, software supply chain attacks of this nature can have devastating and wide-ranging effects — whether it’s via niche Ukrainian tax software or, as here, network management tools relied upon by some of the world’s largest companies,” he wrote in a statement.

Currently, it’s unclear how or whether the Trump administration will respond to the breach. Cybersecurity experts are split over whether to define it as an “attack” worthy of retaliation, given that there is no evidence yet that the hackers destroyed anything or plan to leak the information they stole, or as merely an impressive feat of espionage. Those definitions will likely evolve as more information becomes available about the campaign.

Democratic Sen. Mark Warner of Virginia. (Tom Williams/CQ-Roll Call, Inc via Getty Images)

One cybersecurity expert at a private firm noted they were particularly worried about Russian hackers leaking stolen government emails, potentially altering them or selectively disclosing them to try to paint a misleading narrative.

The attack appears not to be just about spying but should also be defined as “industrial espionage” against U.S. companies, according to Rosa Smothers, a former CIA cyberthreat analyst. “I think the first question is going to be, how many companies are going to be willing to state that they’ve fallen victim to this malicious attack?” she asked. “They might be keeping the remediation private,” she noted.

Smothers, who is now a senior vice president of cyber operations at security company KnowBe4, said the Justice Department might consider pursuing action against the Russian actors “given the breadth and scope” of the breach.

“I think the issue of vendor software integrity is something that needs to be better and more fully addressed in government writ large,” she said.

Jamil Jaffer, the vice president for strategy and partnerships at cybersecurity firm IronNet Cybersecurity and former senior counsel to the House Intelligence Committee, argued that the Russian penetration is merely “intelligence collection” and “not the kind of attack” that would prompt anything other than spying in return. “Unless there’s data destruction or data manipulation. Then we talk about red lines,” he concluded.

Likely, it will be left to the incoming Biden administration to determine how to respond.

“It clearly will be a continuing issue in a Biden administration,” said former top U.S. cyber diplomat Chris Painter, who has served in government with many of Biden’s incoming national security officials.

“If anything, [this breach] is a clarion call that cybersecurity is a major issue,” he concluded, “and it needs to be treated as a major national security and economic issue.”
