'Massively disruptive' cyber crisis engulfs multiple agencies

The sophisticated cyber campaign that breached email accounts across the federal government created a deepening crisis Monday as signs multiplied about the scope of the foreign intruders’ reach.

"This is probably going to be one of the most consequential cyberattacks in U.S. history,” one U.S. official said, after the National Security Council held its second meeting in three days about the attacks, which security experts have linked to Russian intelligence. “That's the view from inside government — that we're dealing with something of a scale that I don't think we've had to deal with before."

The breaches are also focusing new pressure on the executive branch’s Cybersecurity and Infrastructure Security Agency, which had already taken heat from President Donald Trump for refusing to support his election conspiracy theories. CISA, an arm of the Department of Homeland Security, has been without a permanent leader since Trump fired its widely respected director, Chris Krebs, in mid-November. And some government officials have already questioned whether it has the staffing and other resources to help the rest of the executive branch respond to such a sprawling attack.

DHS itself appears to have been one of the agencies the intruders breached, officials said Monday.

Agencies throughout the government scrambled Monday to assess the full scope of the breaches, as did executives in industries including energy and health care. The NSC activated an Obama-era emergency plan and convened a virtual meeting of its Cyber Response Group on Monday to formulate a plan for assessing the damage.

The intruders may have gained access to the email accounts as far back as June, POLITICO and other publications reported Sunday. Such an extended duration raises a huge red flag about the attacks' impact on the government, said Sue Gordon, a former top deputy in the Office of the Director of National Intelligence.

“It is massively disruptive once you have long-term penetration by a nation-state," Gordon said in an interview.

Monday's NSC meeting yielded some progress. "We have a full understanding of who's compromised so far," said the official, who requested anonymity to speak candidly about the sensitive discussions. But the person acknowledged that this was "obviously subject to change as agencies continue to hunt through their systems."

The new Cyber Response Group will activate a subsidiary body, known as a Unified Coordination Group, to streamline crisis collaboration between affected agencies. The NSC will also hold two daily communications meetings to ensure that all agencies are speaking with one voice.

"We're declaring this a significant cyber event," the official said, referring to a term in the presidential directive governing the response process.

As part of an increased "[operational] tempo," the official said, the FBI, CISA and the Office of the Director of National Intelligence "will lead a large-scale, U.S. government-wide response and recovery effort."

Agencies spent Monday trying to determine whether they had been breached in the cyber campaign, which officials said gave hackers access to emails at agencies including DHS, the Treasury Department and the Commerce Department’s telecommunications policy body.

The breaches are not believed to have exposed the nation's most sensitive secrets, according to the U.S. official. "We haven't seen any evidence that any classified systems have been compromised."

On the other hand, the official added, "We don't know what has been taken."

The Trump administration suspects that the campaign is the work of Russia’s foreign intelligence service, the SVR, according to a second U.S. official, who also requested anonymity to speak freely. The SVR unit dubbed “Cozy Bear” was one of the teams that hacked the Democratic National Committee during the 2016 cycle.

CISA is playing a central role in the response to the attacks, the existence of which first became publicly known Sunday. As the investigation got underway, CISA’s efforts yielded perhaps inevitable criticism from within the government about its speed in deploying incident response teams to help other agencies identify and contain any intrusions.

There is “massive frustration with CISA on a sluggish response to agency breaches,” said the first U.S. official.

Cybersecurity professionals have consistently warned that CISA — a two-year-old agency tasked with defending civilian federal networks from hackers, assisting agencies in recovering from breaches, and helping to defend critical infrastructure such as power plants and election systems — lacks enough personnel and resources to effectively fight massive digital fires inside the government. Only a small portion of the agency’s roughly 2,200 employees are tasked with that work.

“They are overwhelmed,” the U.S. official said.

CISA rejected the criticism.

“That’s inaccurate,” spokesperson Sara Sendek said, adding that the agency is confident that it has enough personnel to handle a potential surge in agencies reporting breaches. “CISA has been providing support and assistance to all of our federal partners who have requested it. There has been no delay in responding to any request.”

But a CISA employee, who spoke anonymously because they were not authorized to talk to reporters, acknowledged that the scope of the crisis could overtake the agency.

“We’re doing OK right now,” this person said, but “that seems likely to change. … Many agencies don’t know how on fire they are yet.”

The U.S. official said that CISA’s incident responders, who swoop into agencies to help them understand and mitigate breaches, were “too few.”

CISA’s incident response teams, including private contractors, are not as large as many people might assume, according to the CISA employee. “NSA we aren’t,” this person said, referring to the spy agency’s massive workforce.

Exactly how much the leadership void at CISA has affected its response remains unclear.

Krebs tweeted Sunday that he had “the utmost confidence” in his former employees, who “know how to do this.”

But some lawmakers are still worried.

“The firing of the extremely capable director of CISA in the middle of this moment of vulnerability, it undermines national security,” said Sen. Angus King (I-Maine), who co-chaired a congressionally chartered commission that recommended sweeping changes to the government’s cyber activities.

The attacks appear to have originated with a compromise of an IT vendor whose products are widely used across the federal government, raising new fears about the systemic risk posed by the government’s supply chain.

Investigators believe that the hackers added malicious code to software updates for an IT product used across the federal government, used that code to pry open doors into agency networks and then used a sophisticated technique to access federal workers’ emails.

Although the investigations remain in the very early stages, the breaches appear to have begun between March and June, when the hackers compromised the software company SolarWinds, which sells IT management products to hundreds of government and private-sector clients, including federal agencies and Fortune 500 companies.

By infecting the software updates that SolarWinds distributed to users of its Orion IT monitoring system, the hackers gained a foothold in those users’ networks. From there, they appear to have broken into victims’ Microsoft email servers by forging the authentication tokens that tell the system who should be granted access.
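The last step described above, forging the tokens that tell the mail system who should be granted access, is worth seeing in code, because it explains why the intrusion is so hard to detect at the point of login. The article does not name the token format or the mail platform's protocol, so the example below, which is an added illustration and not code from the article or from any vendor involved, uses a toy HMAC-signed token with JSON claims; the identity-provider class, the `audit_presented_tokens` check, the account names and the timestamp are all constructed for the demonstration. The point it makes: a relying party that validates only the signature and expiry accepts a forged token exactly as it accepts a genuine one once the signing key has left the issuer, and one audit that still separates the two is to cross-check every presented token against the issuer's own record of what it actually issued.

```python
"""Why a stolen token-signing key defeats the relying party, and one audit
that still catches forged tokens: compare what was presented against what
the identity provider recorded issuing.

Token format here is an assumption for illustration (base64url JSON claims
plus an HMAC-SHA256 tag); the real format in the incident is not on the page.
"""
import base64
import hashlib
import hmac
import json
import secrets


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, key: bytes) -> str:
    """claims -> '<base64url(json)>.<hex hmac-sha256>'. Anyone holding key can do this."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    return f"{_b64(body)}.{mac}"


def verify_token(token: str, key: bytes, now: int):
    """Relying-party check: signature and expiry only. Returns claims or None."""
    try:
        body_b64, mac = token.split(".", 1)
        body = _unb64(body_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    claims = json.loads(body)
    if claims.get("exp", 0) <= now:
        return None
    return claims


class IdentityProvider:
    """Legitimate issuer: every token it mints is recorded in issuance_log."""

    def __init__(self, key: bytes):
        self._key = key
        self.issuance_log = {}  # token id -> claims exactly as issued

    def issue(self, subject: str, now: int, ttl: int = 3600) -> str:
        claims = {"sub": subject, "iat": now, "exp": now + ttl,
                  "jti": secrets.token_hex(8)}
        self.issuance_log[claims["jti"]] = claims
        return sign_token(claims, self._key)


def forge_token(stolen_key: bytes, subject: str, now: int, ttl: int = 86400 * 365) -> str:
    """Attacker path: the same signing routine, but nothing reaches the issuer's log,
    and the attacker can pick any subject and any lifetime."""
    claims = {"sub": subject, "iat": now, "exp": now + ttl,
              "jti": secrets.token_hex(8)}
    return sign_token(claims, stolen_key)


def audit_presented_tokens(tokens, key: bytes, issuance_log: dict, now: int) -> list:
    """Return (jti, sub) for tokens that verify cryptographically but have no
    matching issuance record, or whose claims differ from what was recorded."""
    suspicious = []
    for tok in tokens:
        claims = verify_token(tok, key, now)
        if claims is None:
            continue  # already rejected at the gate; not the case of interest
        issued = issuance_log.get(claims["jti"])
        if issued is None or issued != claims:
            suspicious.append((claims["jti"], claims["sub"]))
    return suspicious


def demo():
    now = 1_607_904_000  # constructed timestamp; the value does not matter
    key = secrets.token_bytes(32)
    idp = IdentityProvider(key)
    good = idp.issue("alice@example.gov", now)              # constructed account
    bad = forge_token(key, "mailbox-admin@example.gov", now)  # key taken from the IdP host
    # The relying party accepts both: signature-only verification cannot tell who held the key.
    accepted = [verify_token(t, key, now) is not None for t in (good, bad)]
    # The issuer-side audit can: only one of the two was ever recorded as issued.
    flagged = audit_presented_tokens([good, bad], key, idp.issuance_log, now)
    return accepted, flagged


if __name__ == "__main__":
    accepted, flagged = demo()
    print("relying party accepted:", accepted)
    print("audit flagged (jti, sub):", flagged)
```

The audit only works if the issuer's issuance record is kept somewhere the holder of the signing key could not also edit, and it has to be run retroactively over logs from the whole period of suspected access, which is why a long dwell time makes the cleanup described later in the article so much harder.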

Late Sunday night, CISA issued a rare emergency directive ordering agencies to immediately disconnect all SolarWinds products from their networks.

SolarWinds believes that fewer than 18,000 of the 33,000 organizations that were eligible to receive Orion software updates during the relevant time period actually received the infected code, the company said Monday in a Securities and Exchange Commission filing. The company added that it planned to distribute a fix “on or prior to” Tuesday.

Orion products accounted for roughly 45 percent of SolarWinds’ total revenue during the first three quarters of 2020, the company said.

The manner in which the hackers breached government agencies by compromising a vendor in their supply chain is reminiscent of a global malware outbreak in 2017, known as NotPetya, the largest and most destructive digital attack in history. That incident began when Russian hackers infected the software updates of the Ukrainian tax software maker M.E.Doc. Security researchers believe that the Russians only intended to spy on certain Ukrainian targets, but the NotPetya malware quickly spread around the world, causing as much as $10 billion in damage for victims that included the shipping giant Maersk and the pharmaceutical titan Merck.

Security professionals do not expect a repeat of NotPetya this time. Everything about the recent breaches indicates an espionage operation rather than a destructive rampage, they said, and intelligence collection requires individual attention that even Moscow cannot apply to all of the hundreds of potentially compromised SolarWinds clients.

“No adversary has enough human resources to effectively exploit every potential victim,” tweeted Dmitri Alperovitch, the co-founder of the security firm CrowdStrike. “They pretty much HAVE to focus on those they care most about.”

Even so, companies in critical infrastructure sectors have begun assessing their systems to see if they, too, were affected. Executives in the electric power sector held a “situational awareness call” on Monday, and the Department of Health and Human Services held a conference call Monday afternoon with health care organizations to explain the SolarWinds vulnerability, according to an invitation seen by POLITICO.

Even after SolarWinds clients close that door, they will still need to check their systems for signs that the hackers got inside.

“These organizations are still going to have an uphill battle getting this actor out of their networks,” said John Hultquist, senior director of intelligence analysis at FireEye. “It won’t be easy.”

The first U.S. official agreed. "We are in very, very early days," they said, "and there's a sense that ... the news is going to get worse."

Daniel Lippman and Martin Matishak contributed to this report.