US Treasury Breached By Foreign-Backed Hackers
Hackers suspected to be working for the Russian government have been monitoring emails at the U.S. Treasury Department and a U.S. agency responsible for deciding policy around the internet and telecommunications, Reuters reported, citing people familiar with the matter.
“The United States government is aware of these reports and we are taking all necessary steps to identify and remedy any possible issues related to this situation,” John Ullyot, a spokesman for the National Security Council, said in a statement.
A Commerce Department spokesperson confirmed there was a breach “in one of our bureaus,” which Reuters identified as the National Telecommunications and Information Administration. The attacks were so concerning that the National Security Council met at the White House Saturday, Reuters reported.
The cyber-attacks against the U.S. government were part of a broader campaign that involved the recent hack of cybersecurity company FireEye Inc., in which sensitive tools were stolen that are used to find vulnerabilities in clients’ computer networks, according to Reuters.
The Washington Post reported that the Russian hacking group known as Cozy Bear, or APT 29, was behind the campaign. That is the same hacking group that was behind the cyber-attacks on the Democratic National Committee going back to 2015. It was also accused by U.S. and U.K. authorities in July of infiltrating organizations involved in developing a Covid-19 vaccine.
“We have been working closely with our agency partners regarding recently discovered activity on government networks,” said a spokesperson for the Cybersecurity and Infrastructure Security Agency, or CISA, part of the Department of Homeland Security. “CISA is providing technical assistance to affected entities as they work to identify and mitigate any potential compromises.”
The Treasury had no immediate response to questions.
‘Bitcoin Never Gets Hacked’ — Crypto Players Respond To US Treasury Breach
“Bitcoin means trusting a SHA256 algorithm more than the U.S. Treasury,” quipped Blockfolio.
Crypto players were quick to respond to the news that hackers breached the U.S. Treasury Department.
According to a report from Reuters, a “sophisticated hacking group” backed by a foreign government — reportedly Russia, according to three people familiar with the investigation — was able to breach the U.S. Treasury Department as well as the National Telecommunications and Information Administration, or NTIA, within the Department of Commerce.
The incident happened less than a month after Donald Trump fired Department of Homeland Security cybersecurity chief Chris Krebs. However, Reuters stated that the hackers had been monitoring NTIA staff emails run on Microsoft’s Office 365 “for months.” Other government agencies may also have been breached, but sources did not provide additional details.
In response to the attack on such a powerful government agency, crypto players pointed out the advantages of Bitcoin (BTC).
“Bitcoin never gets hacked,” said Kraken’s head of business Dan Held on Twitter. Bitcoin bull Anthony “Pomp” Pompliano echoed Held’s sentiment, saying “Bitcoin has never been hacked.”
Blockfolio took aim at the NTIA’s cybersecurity, implying the agency used dated algorithms for its cryptographic security:
Bitcoin means trusting a SHA256 algorithm more than the U.S. Treasury.
— Blockfolio (@blockfolio) December 13, 2020
It’s unclear whether any funds have been compromised as a result of the breach. At the time of publication, the hack seems to be limited to information potentially stolen from government agencies’ emails.
“Jokes on them,” said MyCrypto founder and CEO Taylor Monahan. “The treasury’s already been hacked by internal actors.” The statement may refer to the United States government printing more money in 2020 than in nearly the entirety of the country’s prior existence.
The highly sophisticated attack targeted updates in widely used software from Austin, Texas-based SolarWinds Corp., which sells technology products to a Who’s Who list of sensitive targets. These include the State Department, the Centers for Disease Control and Prevention, the Naval Information Warfare Systems Command, the FBI, all five branches of the U.S. military, and 425 corporations out of the Fortune 500, according to the company’s website and government data.
SolarWinds said in an SEC filing Monday that as many as 18,000 customers may have been exposed to the cyber-attack, in which hackers “inserted a vulnerability within its Orion monitoring products.” The company said it alerted relevant customers and provided mitigation steps, including a “hotfix” update. A second update is expected to be released on Dec. 15, the company said.
“SolarWinds is still investigating whether, and to what extent, a vulnerability in the Orion products was successfully exploited,” according to the filing. Orion products represented 45% of the company’s revenue during the first nine months of the year.
The series of attacks could rank as among the worst in recent memory, though much remains unknown, including the motive and scope of the hacks.
“We have identified a global campaign that introduces a compromise into the networks of public and private organizations through the software supply chain,” FireEye said in a blog post late Sunday, without naming a specific group for the breach.
FireEye told clients on Sunday that it was aware of at least 25 entities hit by the attack, according to people briefed by the company.
John Ullyot, a spokesman for the National Security Council, said in a statement, “The United States government is aware of these reports and we are taking all necessary steps to identify and remedy any possible issues related to this situation.”
All federal civilian agencies were ordered by the U.S. Cybersecurity and Infrastructure Security Agency to review their networks and disconnect or power down SolarWinds’s Orion software products immediately. The emergency directive late Sunday in Washington also asked for an assessment from these agencies by noon eastern time on Monday.
“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” Acting Director Brandon Wales said in a statement. “Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners — in the public and private sectors — to assess their exposure to this compromise and to secure their networks against any exploitation.”
The U.K. National Cyber Security Centre is also examining possible threats from the campaign. “The NCSC is working closely with FireEye and international partners on this incident,” said a spokesperson in an emailed statement. “Investigations are ongoing, and we are working extensively with partners and stakeholders to assess any U.K. impact.”
Kremlin spokesman Dmitry Peskov rejected allegations of Russian involvement, saying, “If there were attacks over a period of months and the Americans couldn’t do anything about it, there’s no need to immediately blame the Russians for everything without basis.”
According to FireEye, the hackers hit organizations across the globe — in North America, Europe, Asia and in the Middle East — and in multiple sectors including government, technology, consulting, telecommunications, as well as oil and gas. The company believes that this list will grow.
“The campaign demonstrates top-tier operational tradecraft and resourcing consistent with state-sponsored threat actors,” FireEye said in the blog post. “Based on our analysis, we have now identified multiple organizations where we see indications of compromise dating back to the Spring of 2020.”
All this suggests that as the U.S. government was focused over the last several months on detecting and countering possible Russian interference in the U.S. presidential election — an effort that was largely viewed as successful — suspected Russian hackers were quietly working their way into the computer networks of American government agencies and sensitive corporate victims undetected.
“If it is cyber espionage, it is one of the most effective cyber espionage operations we’ve seen in quite some time,” said John Hultquist, a senior director at FireEye.
SolarWinds issued a statement appearing to confirm that the software update system for one of its products had been used to send malware to customers.
“We are aware of a potential vulnerability which if present is currently believed to be related to updates which were released between March and June 2020 to our Orion monitoring products.
We believe that this vulnerability is the result of a highly-sophisticated, targeted and manual supply chain attack by a nation state,” SolarWinds President and Chief Executive Officer Kevin Thompson said in the statement Sunday evening.
Thompson said his company was working with the FBI as well as others on the investigation. The FBI said it’s “appropriately engaged,” declining further comment.
The hackers appear to have concentrated on the most attractive and sensitive targets first, so that the harm suffered by various victims may vary widely, according to two people briefed on the probe, who asked not to be identified because the information isn’t public.
The quickly broadening investigation broke into public view on Dec. 8 when FireEye announced that it had been breached in a highly sophisticated attack that it attributed to hackers backed by U.S. adversaries.
As investigators followed the attackers’ digital tracks, it now appears that FireEye may have simply been the first victim to detect — or at least disclose — the attack. U.S. government investigators are now racing to determine which agencies may have also been breached and to what extent the hackers accessed sensitive information — a process that could take days or weeks.
FireEye said last week the attackers took extreme care not to be detected, and in its case had managed to steal tools the security firm uses to test the security of its clients’ networks. FireEye also said the hackers sought information related to government customers but didn’t appear to steal customer data.
The FBI is investigating whether Russia’s APT 29, also known as Cozy Bear, carried out the FireEye attack, but hasn’t ruled out other culprits like China, according to a person familiar with the investigation. The U.S. government has told FireEye that Russia was behind the attack, but the cybersecurity firm hasn’t independently verified that, according to a person familiar with the discussions.
APT 29 is one of the Russian hacking groups that was behind the cyber-attacks on the Democratic National Committee prior to the 2016 presidential election. It was also accused by U.S. and U.K. authorities in July of infiltrating organizations involved in developing a Covid-19 vaccine.
A Commerce Department spokesperson confirmed there was a breach “in one of our bureaus,” which Reuters identified as the National Telecommunications and Information Administration. The attacks were so concerning that the National Security Council met at the White House Saturday, Reuters reported. The Treasury Department didn’t respond to requests for comment.
The last time the U.S. government was caught so thoroughly by surprise may have been five years ago, when Chinese hackers stole information related to anyone who had applied for or received a national security clearance from the computers of the Office of Personnel Management.
That investigation lasted for months, cost some U.S. officials their jobs, and resulted in a massive and expensive push to increase the security of unclassified U.S. government computer networks.
This attack — and the next several weeks — will tell to what extent those measures were successful.
Suspected Russian Hack Said To Have Gone Undetected For Months
The hack of U.S. agencies and firms was met with alarm by current and former intelligence officials and others.
A suspected Russian hack of U.S. government agencies and private businesses across the globe festered for months, going largely undetected by the Trump administration and cybersecurity firms until the past week, according to people familiar with the matter.
The Russian operation was disclosed Sunday and was met with alarm by current and former intelligence officials, security experts and lawmakers, some of whom said they were stunned an apparently widespread attack appeared to have evaded recognition for so long.
As early as March of this year, customers of SolarWinds Inc., a U.S. network-management company, began unwittingly installing malicious software as part of a routine and seemingly benign update issued for a software product known as Orion, according to the company.
That update, which would have been especially difficult to identify as a threat, contained what investigators called a back door that could have granted easy access to nearly 18,000 entities that downloaded it. Investigators expect the number of fully compromised victims to be smaller, perhaps totaling hundreds.
Both the U.S. Commerce and Treasury departments had some of their systems compromised in the breach, according to officials and people familiar with the continuing investigation.
On Monday the list of known impacted agencies grew substantially. The Department of Homeland Security, the National Institutes of Health and the State Department were all hacked as well, people familiar with the matter said.
All three agencies declined to comment about their breaches. The Washington Post first reported the intrusions at the NIH and the State Department late Monday.
The hacks identified so far appear to be a fraction of the total number of federal and private networks that were compromised by Russian spies intent on monitoring internal communications.
Senators Press IRS For SolarWinds Hack Briefing
Grassley, Wyden cite concerns about security of taxpayer data in wake of multiple-agency intrusion.
A bipartisan pair of senior senators asked the Internal Revenue Service to immediately provide them with a briefing about the SolarWinds hack that has ripped through several federal agencies, citing concerns that personal taxpayer information may have been stolen in the breach.
Sens. Chuck Grassley (R., Iowa) and Ron Wyden (D., Ore.), the chairman and top Democrat on the Senate Finance Committee, sent a letter to IRS Commissioner Charles Rettig on Thursday requesting the briefing about the suspected Russian cyber-espionage operation.
“Given the extreme sensitivity of personal taxpayer information entrusted to the IRS, and the harm both to Americans’ privacy and our national security that could result from the theft and exploitation of this data by our adversaries, it is imperative that we understand the extent to which the IRS may have been compromised,” the senators wrote.
The lawmakers asked for details about how the IRS was mitigating potential damage, ensuring the hackers didn’t “still have access to internal IRS systems,” and what it was doing to prevent future hacks of taxpayer data.
The U.S. Treasury Department, where the IRS is housed, was breached in the hack, according to people familiar with an investigation into the hack, along with many other agencies, including the Commerce Department, State Department and Department of Homeland Security.
The Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency and the intelligence community are all investigating the intrusion, as are private sector firms.
It isn’t known whether the IRS was specifically compromised, but the tax collecting agency is the largest Treasury bureau. Former intelligence officials have said that the Russians likely burrowed deeply into a range of systems and that the IRS would have been a lucrative target for them.
The Treasury Department has so far ignored private requests from Sens. Grassley and Wyden for a briefing on the hack, according to Senate Finance staffers. An IRS spokeswoman has referred questions about the hack to the Treasury Department, which has declined to provide details. Russia has denied responsibility for the hack.
In their letter, the senators noted a concern that the IRS appeared to have been a customer of SolarWinds, a Texas-based network-management firm whose software has been identified as the cause of the hack.
Investigators believe the hackers used a malicious update to a SolarWinds product called Orion beginning in March to compromise not just U.S. agencies but scores of private businesses across the globe. It couldn’t be determined whether the IRS specifically used the Orion software.
IRS executives have long been worried about potential breaches of the agency’s computer systems, which hold information about criminal investigations and audits along with Social Security numbers and financial data on hundreds of millions of Americans.
“The IRS is responsible for safeguarding a vast amount of sensitive financial and personal data involving every taxpayer and business in the nation,” Mr. Rettig said last year in announcing the agency’s six-year information technology modernization plan. “This is an area where we cannot fail for the safety of our nation, and modernizing our technology is critical to stay ahead of constant cyberattacks on our systems.”
The IRS has struggled to replace outdated computer systems that are more vulnerable and more expensive to maintain, but it hasn’t suffered a major breach that exposed its core taxpayer data. The 2019 plan said the IRS faces 1.4 billion cyberattacks each year.
An inspector general’s report in September found some satisfactory performance but deficiencies in other areas. The report warned that some taxpayer data could be vulnerable.
Congress has been cutting the IRS budget or holding it flat for much of the past decade. Mr. Rettig and his predecessors have been urging lawmakers to spend more for technology modernization as well as enforcement.
Government officials and cybersecurity experts are still working to understand the scope and the severity of the hack, but many believe it is likely one of the most significant intelligence failures on record. In a statement late Wednesday, multiple security agencies investigating the hack described it as a “significant” and “ongoing” intrusion.
U.S. Sees A ‘Grave Risk’ In Scope Of Russia-Linked Hacking
The suspected Russian hacking spree that has roiled U.S. government agencies poses a “grave risk” to federal, state and local governments as well as critical infrastructure and the private sector, according to an advisory posted Thursday.
The Cybersecurity and Infrastructure Security Agency, or CISA, said the hackers demonstrated “sophistication and complex tradecraft” in the attacks. Removing the attackers from compromised networks will be “highly complex and challenging,” according to the advisory.
Although President Donald Trump has yet to comment on the attacks, President-elect Joe Biden issued a statement Thursday on “what appears to be a massive cybersecurity breach affecting potentially thousands of victims, including U.S. companies and federal government entities.”
“I want to be clear: My administration will make cybersecurity a top priority at every level of government — and we will make dealing with this breach a top priority from the moment we take office,” Biden said, pledging to impose “substantial costs on those responsible for such malicious attacks.”
Despite Trump’s silence, Robert O’Brien, his national security adviser, cut short a multicountry trip to Europe to return to the U.S. to address the suspected Russian hack, signaling growing alarm within the Trump administration about a cyber espionage campaign considered potentially one of the most damaging in years.
The attackers got into computer networks by installing a vulnerability in Orion software from SolarWinds Corp., which is widely used by government agencies and the private sector. CISA said it has evidence that the hackers also used other methods to infiltrate networks, in addition to Orion software. Those remain under investigation.
“This is a patient, well-resourced, and focused adversary that has sustained long duration activity on victim networks,” CISA said in its bulletin.
Without mentioning Russia, CISA attributed the attack to an “advanced persistent threat actor,” a term used to describe hacking teams associated with nation-states.
CISA’s parent organization, the Department of Homeland Security, was among those breached in the attack, in addition to the departments of Treasury, Commerce and State, according to a person familiar with the matter.
Hackers Tied To Russia Hit U.S. Nuclear Agency, Three States
The U.S. nuclear weapons agency and at least three states were hacked as part of a suspected Russian cyber-attack that struck a number of federal government agencies. Reuters reported that Microsoft Corp. was also breached, but the company denied its products were used to further attacks on others.
The Energy Department and its National Nuclear Security Administration, which maintains America’s nuclear stockpile, were targeted as part of the larger attack, according to a person familiar with the matter. An ongoing investigation has found the hack didn’t affect “mission-essential national security functions,” Shaylyn Hynes, a Department of Energy spokeswoman, said in a statement.
“At this point, the investigation has found that the malware has been isolated to business networks only,” Hynes said. The hack of the nuclear agency was reported earlier by Politico. Microsoft spokesman Frank Shaw said the company had found malicious code “in our environment, which we isolated and removed.”
“We have not found evidence of access to production services or customer data,” he said in a tweet. “Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others.”
In addition, two people familiar with the broader government investigation into the attack said three state governments were breached, though they wouldn’t identify the states. A third person familiar with the probe confirmed that state governments were hacked but didn’t provide a number.
In an advisory Thursday that signaled the widening alarm over the breach, the Cybersecurity and Infrastructure Security Agency said the hackers posed a “grave risk” to federal, state and local governments, as well as critical infrastructure and the private sector. The agency said the attackers demonstrated “sophistication and complex tradecraft.”
While President Donald Trump has yet to publicly address the hack, President-elect Joe Biden issued a statement Thursday on “what appears to be a massive cybersecurity breach affecting potentially thousands of victims, including U.S. companies and federal government entities.”
“I want to be clear: My administration will make cybersecurity a top priority at every level of government — and we will make dealing with this breach a top priority from the moment we take office,” Biden said, pledging to impose “substantial costs on those responsible for such malicious attacks.”
Russia has denied any involvement in the attack.
Hynes, the Department of Energy spokeswoman, said that efforts were immediately taken to mitigate the risk from the hack, including disconnecting software “identified as being vulnerable to this attack.”
Although many details are still unclear, the hackers are believed to have gained access to networks by installing malicious code in a widely used software program from SolarWinds Corp., whose customers include government agencies and Fortune 500 companies, according to the company and cybersecurity experts.
The departments of Homeland Security, Treasury, Commerce and State were breached, according to a person familiar with the matter.
“This is a patient, well-resourced, and focused adversary that has sustained long duration activity on victim networks,” the cybersecurity agency said in its bulletin.
Biden Calls Cybersecurity A ‘Top Priority’ After Russian Hack
President-elect Joe Biden said he intends to make cybersecurity “a top priority” amid reports of a widespread cyberattack across U.S. government agencies and private companies led by suspected Russian hackers.
Biden’s pledge came as President Donald Trump has been silent on the hack, which exploited widely used Orion software from SolarWinds Corp.
“There’s a lot we don’t yet know, but what we do know is a matter of great concern,” Biden said in a statement.
“I want to be clear: My administration will make cybersecurity a top priority at every level of government — and we will make dealing with this breach a top priority from the moment we take office,” he said.
The Cybersecurity and Infrastructure Security Agency earlier Thursday said the hack posed a “grave risk” to federal, state and local governments in addition to critical infrastructure and the private sector. The agency said the hackers demonstrated “sophistication and complex tradecraft” and ousting them from compromised networks will be “highly complex and challenging.”
The attackers got into computer networks by installing a vulnerability in Orion software from SolarWinds Corp., which is widely used by government agencies and the private sector.
CISA said it has evidence that the hackers also used other methods to infiltrate networks, in addition to Orion software. Those remain under investigation.
Computer Hack Blamed On Russia Tests Limits Of U.S. Response
It appears spying, not destruction, was the aim; U.S. officials have yet to define precise impact of the suspected Kremlin intrusion.
Despite its size, a sprawling computer hack blamed on Russia could leave President Trump and the incoming Biden administration struggling to find the right response, former U.S. cybersecurity officials and experts said.
While Sen. Dick Durbin (D., Ill.) called the breaches that hit at least six cabinet-level departments as well as private companies “virtually a declaration of war,” the former officials said the intrusions fell more along the lines of classic digital espionage, however brazen.
As far as is known from descriptions of the hack, no data was altered or destroyed, and no computer systems or other infrastructure damaged.
Further complicating any consideration of response options is that U.S. officials are only now beginning to understand the breadth and severity of the hack. Because of the careful and stealthy nature of the incursion, a full damage assessment and recovery operation “is a months, if not yearslong, ordeal,” a senior intelligence official said.
“The scope of it is pretty stunning,” the official said. “The most disconcerting thing is the uncertainty around what [computer] systems they are in.” The official added that there was no evidence that classified systems had been violated, but cautioned that was a preliminary conclusion.
Past U.S. responses to Russian hacking and disinformation operations—sanctions, property seizures, diplomatic expulsions, even the cyber equivalent of warning shots—appear to have done little to dissuade the Kremlin. Moscow has denied responsibility for the latest incursion.
“It’s a clear dilemma for this nation about how we continue to be pounded by other countries…and don’t have a response,” said a former top U.S. intelligence official with decades of cybersecurity experience. “We’re incredibly vulnerable, and nothing that any administration has been able to do has changed that.”
Mr. Trump has made no public comment on the hack, nor given any hint about whether or how he would retaliate before leaving office Jan. 20.
The U.S. sometimes doesn’t respond, at least overtly, even to major computer incursions, such as the 2014-2015 theft of personal data on an estimated 22 million people from the federal Office of Personnel Management, which U.S. authorities blamed on China.
White House national security adviser Robert O’Brien is overseeing the U.S. response. In a statement late Wednesday, the Federal Bureau of Investigation, Department of Homeland Security and Office of the Director of National Intelligence called the hacking campaign “significant and ongoing.”
Current and former officials said the response from the Trump administration has been slow and disjointed, in part because the hack was discovered during the presidential transition.
“Just a bad and odd time in any administration for a crisis to happen,” a U.S. official involved in the response said.
The National Security Council didn’t immediately respond to a request for comment.
While some Capitol Hill briefings have been held, lawmakers in both parties in recent days expressed frustration at the lack of information being shared by the administration about the scope and severity of the espionage.
At a Tuesday evening NSC meeting, senior agency officials were instructed not to grant briefings to Congress on the issue without direct permission from the White House, the U.S. official said.
The breach appeared to have begun when hackers compromised systems belonging to SolarWinds Corp., a U.S. network-management company that counts national security agencies, local governments, large corporations and defense contractors among its 300,000 customers.
SolarWinds has said it is working with FireEye Inc., a U.S.-based cybersecurity firm that also was breached, and with intelligence and law-enforcement officials to investigate.
Computer systems at the departments of State, Commerce, Treasury, Energy, Homeland Security and the National Institutes of Health, part of the Department of Health and Human Services, were penetrated, according to people familiar with the matter, although the compromise is thought to be far broader.
“It’s a hack. It’s a breach. It’s espionage. It’s not an attack,” said former White House and Justice Department official Jamil Jaffer, executive director of George Mason University’s National Security Institute. “I don’t think some major offensive response is warranted based on what we know now.”
U.S. intelligence agencies engage in cyberspying all the time, although U.S. officials say they don’t generally conduct destructive attacks or steal intellectual property. Because traditional cyber espionage is typically considered fair intelligence activity by most countries—even, sometimes, among allies—retaliation or public condemnation isn’t usually an option that is considered.
Others said the sheer breadth of the SolarWinds hack makes it different from traditional cyberspying.
“The fact that this took place on such a massive scale sort of puts it in a different category,” said John Dermody, counsel at the O’Melveny law firm and former deputy legal adviser at the National Security Council. The economic costs could be enormous, as companies scour their networks to determine whether the perpetrators installed additional malware, he said.
The Trump administration likely is considering sanctions against those responsible, as well as criminal investigations and prosecutions in response, Mr. Dermody said. But there are limits to both.
Some Russian entities and individuals may have been sanctioned already, he said, and “double-sanctioning them doesn’t really have an impact on their behavior.” Criminal charges have limited impact “if you can’t get handcuffs on someone,” he said, because the U.S. is seldom able to arrest hackers working in places such as Russia, China and Iran.
The U.S. has retaliated against Russian cyber actions before, but with unclear results.
Then-President Barack Obama ejected several dozen Russian diplomats, closed two Russian compounds and sanctioned Russian intelligence agencies and officials in response to Moscow’s interference in the 2016 U.S. presidential election.
During the 2018 midterm election, the Pentagon’s Cyber Command took offensive cyber action to disrupt the St. Petersburg-based Internet Research Agency, which U.S. officials said had played a central role in the election interference two years earlier.
James Lewis, a cybersecurity expert at the Center for Strategic and International Studies think tank, said that Washington should exact a penalty for the SolarWinds hack.
He cited the Cyber Command’s Task Force ARES, which in 2016 disrupted Islamic State’s ability to communicate, spread propaganda and recruit for the terrorist network, one of the first instances of U.S. offensive cyberwarfare.
“You interfere with the opponents’ ability to conduct operations. You sit on their networks,” Mr. Lewis said. “We really have to take a look at taking some kind of action against the Russians.”
Hack Suggests New Scope, Sophistication for Cyberattacks
Suspected Russian hack involving SolarWinds software that compromised parts of the U.S. government was executed on a scale that has surprised even veteran security experts.
The suspected Russian hack that compromised parts of the U.S. government was executed with a scope and sophistication that has surprised even veteran security experts and exposed a potentially critical vulnerability in America’s technology infrastructure, according to investigators.
As the probe continues into the massive hack—which cast a nearly invisible net across 18,000 companies and government agencies—security specialists are uncovering new evidence that indicates the operation is part of a broader, previously undetected cyber espionage campaign that may stretch back years.
The attack blended extraordinarily stealthy tradecraft, using cyber tools never before seen in a previous attack, with a strategy that zeroed in on a weak link in the software supply chain that all U.S. businesses and government institutions rely on—an approach security experts have long feared but one that has never been used on U.S. targets in such a concerted way.
The hackers used the digital equivalent of a spy’s disguise to blend in with the flood of data flowing through government and corporate networks and remain undetected. They snatched up years-old but abandoned internet domains and repurposed them for hacking, and they named their software to mimic legitimate corporate tools.
Most devastatingly, they sneaked their malicious code into the legitimate software of a trusted software maker—an Austin-based company called SolarWinds Corp. and its software called Orion.
The Cybersecurity and Infrastructure Security Agency, which is tasked with protecting U.S. networks, said in an alert Thursday that it had evidence the hackers have managed to break into computer networks using bugs other than the SolarWinds software. The alert labeled the hack a “grave threat” to compromised victims, which it said include multiple government agencies, critical infrastructure entities and private sector companies.
Hours later, the National Security Agency, America’s top cyberspy organization, issued a broader warning to defense agencies and contractors about vulnerabilities such as those exposed by the SolarWinds attack. Hackers, it said, were finding ways to forge computer credentials to gain wider access across networks and steal protected data stored on in-house servers and cloud data centers.
The approach, the NSA said, may have been used in an attack on VMware Inc. software used in national security circles that the spy agency warned about earlier this month.
Government officials and cybersecurity experts have concluded that Russia is likely responsible for the hack, in part due to the extreme skill involved as well as other classified clues, according to people familiar with the matter. At least two senators who have received briefings in recent days have openly referred to it as a Russian operation. Moscow has denied responsibility.
Government officials and lawmakers are still working to understand the full consequences of the hack, which is viewed as a classic but highly successful attempt to spy on internal communications and steal information that could be valuable to Moscow’s intelligence agencies. It isn’t considered a destructive attack that damaged or shut down computer systems, as some major cyberattacks have done in the past.
Cybersecurity company FireEye Inc. says private sector customers across the globe likely have been impacted. Investigators say that the bulk of the companies affected by the attack are based in the U.S. and Western Europe.
No foreign governments have announced compromises of their own systems. A former senior British intelligence official said Western governments other than the U.S. expect to find evidence of compromises in their systems in the coming weeks.
The SolarWinds attack so eluded U.S. security measures that it was discovered not by intelligence officials but, almost accidentally, thanks to an automated security alert sent in recent weeks to an employee at FireEye, which itself had been quietly compromised.
The warning, which was also sent to the company’s security team, told the employee of FireEye that someone had used the employee’s credentials to log into the company’s virtual private network from an unrecognized device—the kind of security message that corporate workers routinely delete. Had it not triggered scrutiny from FireEye executives, the attack would likely still not be detected, officials say.
The stealth of the attack has slowed efforts to determine how far-reaching the cyber intrusion has been, and new revelations have emerged daily. On Thursday, the Energy Department said its business networks had been compromised. Mission critical national security functions, including those of the National Nuclear Security Administration, haven’t been impacted, a department spokeswoman said.
While U.S. government agencies were clearly a target, Microsoft Corp. released research Thursday showing that of the more than 40 customers it had identified as victims of the SolarWinds hack, 44% were IT services companies.
While 80% of the victim companies were based in the U.S., Microsoft said that targets were also hit in the U.K., Canada, Mexico, Belgium, Spain, Israel and the United Arab Emirates.
Taken together, the information investigators have uncovered indicates the suspected Russia hacking operation is more widespread than even feared just days ago, with the hallmarks of a historic espionage campaign.
Some security experts now believe there are clues to suggest preparations for the attack may date back four years.
The hackers found their way into the Department of Homeland Security, the sprawling State Department, the Treasury and Commerce departments and others, according to people familiar with the matter. As many as 18,000 companies downloaded the malicious SolarWinds update.
Investigators suspect the hackers likely burrowed into dozens or perhaps hundreds of those networks using the flaw, given the resources and time required to quietly infiltrate a network.
But because it went undetected for so long and due to the expertise of the hackers, thousands of potential victims may never be able to know for sure whether they were compromised, security experts say.
“It’s very broad in scope, and potentially very damaging to our economic security,” said J. Michael Daniel, chief executive of the Cyber Threat Alliance, an industry information-sharing group, and the former White House cybersecurity coordinator in the Obama administration.
“It’s going to take a long time to figure out the full scope and extent of the damage, and it’s probably going to cost a lot of money to fix.”
It’s also a black eye for the U.S. intelligence community, which spent much of the year worrying about a hack by Russia or others targeting the U.S. presidential election and was in a celebratory mood when that didn’t occur. The actual attack ended up with a different target—government and corporate networks—and went undetected until it was discovered, almost by luck, by FireEye and not by government security agencies.
The warning about the login attempt set off a red alert at the cyber vendor, which is charged with helping to protect the networks of some of the biggest companies. FireEye put more than 100 cyber sleuths on the job out of its roughly 3,400 total staff. Trained to investigate breaches at other companies, they now found themselves scouring the company’s own networks.
“It came in crisp and clean,” FireEye Chief Executive Kevin Mandia said of the apparent intrusion. “After years of responding to breaches, years of just understanding the details, something felt different about this one.”
Charles Carmakal, senior vice president of FireEye’s incident response unit, led the company’s investigation. Early into the process, Mr. Carmakal said he realized the company was contending with one of the most advanced and disciplined hacking groups he had ever seen.
Among the worrying signs, the attacker seemed to have an understanding of the red flags that typically help companies like FireEye find intrusions, and they navigated around them: They used computer infrastructure entirely located in the U.S.; and they gave their systems the same names used by real FireEye employee systems, an unusually adept tactic designed to further conceal the hackers’ presence.
More alarmingly, FireEye, other security companies and partners in the intelligence community and law enforcement could find no evidence linking that infrastructure to attacks on other victims. Hackers, even good ones, often reuse their cyber tools because doing so is easier, cheaper and faster.
The laser focus made the attack harder to detect, FireEye and others said. Mr. Mandia likened the activity to “a sniper round through a bulletproof vest.”
Once they noticed suspicious activity emanating from SolarWinds’ Orion product, the company’s malware analysts scoured some 50,000 lines of code in search of “a needle in a stack of needles,” Mr. Carmakal said, eventually spotting a few dozen lines of suspicious code that didn’t appear to have any reason to be there. Further analysis confirmed it as the source of the hack.
On Saturday, the company notified SolarWinds, the software vendor that had unwittingly sent out contaminated software since March, about its discovery, and updated the U.S. government. “We mobilized our incident response team and quickly shifted significant internal resources to investigate and remediate the vulnerability,” SolarWinds said Thursday.
SolarWinds said it released a quick fix that patched the security issue for customers this week. But experts have warned that merely cutting off the access point for hackers won’t guarantee their removal, especially because they would have used their time inside those networks to further conceal their activity.
While intelligence officials and security experts generally agree Russia is responsible, and some believe it is the handiwork of Moscow’s foreign intelligence service, FireEye and Microsoft, as well as some government officials, believe the attack was perpetrated by a hacking group never seen before, one whose tools and techniques had been previously unknown.
“We were lucky to catch them when we did,” said Glenn Gerstell, the former general counsel of the National Security Agency. Despite powerful espionage capabilities and a commitment to persistently monitoring what foreign hackers are doing overseas, legal restrictions make U.S. intelligence agencies ill-suited to follow capable adversaries who set up camp on domestic computer infrastructure, as the SolarWinds hackers did, Mr. Gerstell said.
The complexity and broad success of the SolarWinds hack represents a new frontier for cybersecurity, but the technique of using a trusted software provider as a Trojan Horse to break into one of its customers has been used before.
In 2017, hackers also linked to Russia put malicious software in an obscure Ukrainian tax program, leading to a world-wide outbreak of the destructive software known as NotPetya. FedEx Corp. later said that the incident cost the company $400 million. Another victim, Merck & Co., put the cleanup price tag at $670 million.
With the SolarWinds attack, stealth and not destruction was the priority. This allowed it to go undetected for so long, and it also showed how far hackers could go by gaining access to the software development tools of a medium-size company with footholds in the networks of the U.S. government and Fortune 500 companies.
How the hackers gained access to SolarWinds systems to introduce the malicious code is still uncertain. The company said that its Microsoft email accounts had been compromised and that this access may have been used to glean more data from the company’s Office productivity tools.
Key building blocks for the SolarWinds hack were being put in place already last year, when the hackers acquired internet domains that would serve as outside launching points for their attack, according to Joe Slowik, a researcher with threat intelligence company DomainTools LLC.
Once installed, the malicious software connected to a server located on these domains, which allowed the hackers to launch further attacks against the SolarWinds customers and to steal data.
The cybersecurity firm Volexity Inc. has traced the actions of the SolarWinds hackers back at least four years, according to Steven Adair, the company’s president.
In July, he investigated a break-in at a think tank, which he declined to name, that was using SolarWinds software. The think tank had been under attack for four years as hackers attempted to read the emails of specific employees, Mr. Adair said.
The first time they gained access, they used an unknown method; the second time they took advantage of a bug in Microsoft Exchange software. When FireEye publicly released its SolarWinds findings on Sunday, Mr. Adair said he knew “within seconds” that it was related to the incident he had investigated in the summer.
FireEye has fielded calls in recent days from customers who believe they have been infiltrated by the same hackers even though they never installed SolarWinds software on their networks, according to Mr. Carmakal.
“It would be foolish for us to think that the only technique that they have to break in organizations is SolarWinds,” Mr. Carmakal said. “As we continue our investigation, we may find that there is a different avenue the attacker used to gain access to those organizations.”
‘Effectively, An Attack On The United States.’ Microsoft Gets Caught Up In SolarWinds Cyberattack
A widespread hack that took advantage of a back door in SolarWinds software has hit one of the world’s biggest technology companies, Microsoft, which has likened it to an “attack” on the country itself.
“Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious Solar Winds binaries in our environment, which we isolated and removed,” said Microsoft spokesperson Frank Shaw on Twitter, confirming a Reuters report of the attack on Thursday.
The report said Microsoft’s own products were used to attack others after the infiltration.
However, Shaw said Microsoft has “found absolutely no indications that our systems were used to attack others,” and no “evidence of access to production services or customer data.”
The hack of the Austin-based SolarWinds was first reported on Sunday and may be the biggest to hit the U.S., with around 18,000 companies—including many on the S&P 500—and major U.S. government agencies swept up.
Many believe that Russian security agencies are behind the attack. SolarWinds has hired third-party cybersecurity experts to investigate, and is cooperating with government agencies that are also probing the cyberattack.
“This latest cyber-assault is effectively an attack on the United States,” said Microsoft President Brad Smith in a blog post on Thursday. “As much as anything, this attack provides a moment of reckoning.
“It requires that we look with clear eyes at the growing threats we face and commit to more effective and collaborative leadership by the government and the tech sector in the United States to spearhead a strong and coordinated global cybersecurity response,” said Smith.
How To Respond To Russia’s SolarWinds Cyberattack
Putin took cyberwar to a new level, and the U.S. could show some weapons it has kept hidden.
When Chinese hackers breached the U.S. Office of Personnel Management in 2014, scooping up the sensitive personal data of Americans holding government security clearances, the consensus among experts was that the intrusion was extremely damaging, but not out of bounds. “This is not ‘shame on China,’” explained Michael Hayden, the former head of the National Security Agency. “This is ‘shame on us’ for not protecting that kind of information.”
It would be a grave mistake to respond to a more recent — and more spectacular — alleged hack by Russian agents in the same way. The so-called SolarWinds breach represents a step up in cyberespionage, exposing a new degree of democratic vulnerability and authoritarian ambition.
According to public reporting, Russian hackers with ties to the Kremlin inserted malicious code into software made by the U.S. tech firm SolarWinds.
Corrupted updates were then downloaded by private companies and government agencies, giving Russian intelligence a backdoor into their networks. Such “supply-chain” attacks are not unprecedented: In 2018, there were reports (denied by all parties) that Chinese hackers had used a hardware supply-chain attack to compromise a variety of sensitive networks. But this approach is what makes the Russian gambit so concerning.
Moscow didn’t simply attack a single, lucrative target — as Beijing did in penetrating the Office of Personnel Management. Russian agents compromised an entire supply chain, and thus, potentially, many of the entities that rely on that chain.
The breach reportedly affected hundreds of government and private networks, including those of the National Nuclear Security Administration (which manages America’s nuclear weapons stockpile) and other key federal institutions.
As former Homeland Security Adviser Tom Bossert wrote in the New York Times, “It will take years to know for certain which networks the Russians control and which ones they just occupy.”
This relates to a second noteworthy feature of the hack. Espionage is often intended not simply to harvest information but also to sow vulnerability. When Beijing gained access to millions of security clearance records, it may also have gained access to powerful weapons of blackmail. The SolarWinds episode creates much deeper and broader vulnerabilities, across civil society and government, than anything the U.S. has experienced before.
While Russia’s intent in penetrating these networks remains unclear, Vladimir Putin’s government now has the ability to gum up the works of departments and agencies from the Department of Homeland Security to the Department of Energy. It could delete sensitive data in public or private-sector networks, or use them to launder disinformation through seemingly reputable sources.
The potential for mischief is breathtaking: As Bossert writes, President-elect Joe Biden must assume that anything he reads about the attack is being read by Russia, and assume that any communication could be falsified. Even if Putin does nothing to weaponize the access he has gained, confidence in America’s critical digital infrastructure will likely suffer.
Simply assessing, let alone repairing, the damage will be a monumental undertaking. Yet there are also three larger strategic implications.
First, don’t fall asleep on Russia, even as the Chinese threat attracts the majority of America’s geopolitical attention. Putin’s Russia may be a declining, economically moribund power. But his high tolerance for risk, combined with Moscow’s talent for identifying and exploiting Western vulnerabilities, means that Washington downplays the Russian challenge at its peril.
Second, effective cyberstrategy must blend unilateral and multilateral measures. It seems likely that many other countries were victimized by the SolarWinds hack. The U.S. must therefore work more closely with other advanced democracies to strengthen shared warning networks, coordinate damage assessments, and impose sharp costs on malign actors.
As Microsoft president Brad Smith argues, “In a world where authoritarian countries are launching cyberattacks against the world’s democracies, it is more important than ever for democratic governments to work together.”
Third, those responses cannot be solely defensive. SolarWinds highlights the basic offense-defense asymmetry in cyberspace: A clever attack will require remediation efforts costing orders of magnitude more than the attack itself.
Moreover, the relatively open nature of the democratic internet, and the fact that responsibility for cybersecurity is diffused among so many public and private actors, creates vectors of vulnerability that will always tempt authoritarian regimes.
U.S. Cyber Command has been pursuing a “defend forward” posture that emphasizes keeping adversaries off balance by penetrating and, occasionally, disrupting their networks. The premium on doing so just got higher.
In the wake of this attack, the U.S. must find subtle ways of showing that it can achieve equivalent or greater breaches of Russian networks — those used by Putin’s security services and propaganda organs, for instance, or by financial firms that are linked to the Kremlin and handle the flow of dirty money that lubricates that regime.
Doing so is not costless, because it requires revealing where America’s offensive cyberwarriors are lurking. But sometimes it is necessary to show one’s hand, or just a couple of cards in it, to achieve the desired psychological effect.
The U.S., preferably in concert with allies, might also impose targeted financial and diplomatic sanctions, less for the tangible pain they inflict than to demonstrate that America retains the right to respond to major cyberbreaches with whatever tools it deems appropriate. Such a response would raise tensions in the short term.
Over time, however, it might promote a sort of mutual restraint when it comes to cyberattacks with the potential to seriously disrupt modern societies.
These bargains can be struck: During the Cold War, Moscow and Washington reached a tacit agreement not to shoot down each other’s spy satellites, once it was clear that each side could respond in kind, and that neither side would benefit from unrestrained competition. Now as in the past, achieving eventual de-escalation will first require making clear that escalation will not pay.
Russian Hackers’ Motive Baffles U.S.: Mere Espionage, or Worse?
As researchers from Silicon Valley to Washington race to understand the full impact of the massive cyber-attack that breached computer networks in the government and private sector, one of their thorniest unanswered questions centers on motive.
Already, investigators and government officials have pointed to an elite group of hackers tied to the Russian government and suggested a fairly obvious rationale: that it was an espionage operation aimed at nabbing classified intelligence and other inside information.
But some lawmakers and people involved in the investigations have said that the magnitude and breadth of the hack point to other objectives, including undermining Americans’ faith in the systems themselves.
U.S. cybersecurity officials have warned that the attackers pose a “grave risk” to federal, state and local government agencies, in addition to the private sector and critical infrastructure, which could include anything from the electrical grid to transportation networks.
Some have even likened the attack to an act of war, raising the stakes in how the U.S. might respond.
Chris Inglis, former deputy director of the U.S. National Security Agency, said the attack extended beyond typical cyber-espionage because the attackers dispersed their malicious code so widely, even to potential targets with no obvious intelligence value.
“They’ve blown out the possibility that this is simply an intelligence operation,” he said. “They’re clearly attacking the confidence that we as a society have in those systems.”
Melissa Hathaway, former cybersecurity adviser to presidents George W. Bush and Barack Obama, said in a panel discussion on the attacks Tuesday that “key utilities” in the U.S. were also at risk. “We cannot ignore the fact that this is also a protocol that can be used against the industrial control systems.”
The hacks are ongoing too, with the hackers still operating within breached networks, according to Microsoft Corp. That access gives them the ability to conduct a more damaging attack, like deleting data or shutting down systems. “When you have this much persistent access, you have leverage,” Hathaway said.
The debate over the motive comes as some members of Congress and former U.S. officials are calling for an aggressive response beyond what has been tried following previous cyber-attacks.
Determining the motive for the suspected Russian hackers’ ambitious attack is important as it will help determine in part how President Donald Trump — or more likely incoming President-elect Joe Biden — responds.
Trump has downplayed the attack, while Biden has vowed to hold the culprits to account. “They can be assured we will respond and respond in kind,” Biden said.
A wide range of possibilities is on the table, including both overt measures and others that are unlikely to ever become public. They include targeted sanctions, Justice Department indictments against the hackers, covert operations and the use of the U.S.’s own formidable offensive cyber capabilities, according to a person familiar with the discussions.
Biden’s incoming chief of staff, Ron Klain, said on “Face the Nation” on Sunday that the options aren’t limited to sanctions.
“It’s steps and things we could do to degrade the capacity of foreign actors to engage in this sort of attack.” But he added, “I think there’s still a lot of unanswered questions about the purpose, nature and extent of these specific attacks.”
Inquiries into the attack are ongoing, and it may take months before investigators determine what the hackers stole — or secretly reviewed — and what their motivations were.
The U.S. response may also be muddied by its own cyber-attacks in Russia and elsewhere, many of which haven’t been made public. In 2015, after Chinese hackers breached the Office of Personnel Management, then Director of National Intelligence James Clapper suggested the U.S. would do the same thing if given the chance.
“You have to kind of salute the Chinese for what they did,” he said. “If we had the opportunity to do that, I don’t think we’d hesitate for a minute.”
In the most recent cyber-attack, the hackers installed malicious code into updates of popular IT software from Texas-based SolarWinds Corp., whose customers include U.S. government agencies and Fortune 500 companies, authorities have said.
SolarWinds has said as many as 18,000 customers received the malicious update, which served as a sort of secret backdoor that hackers could later use to dive deeper into computer networks.
The hackers breached the departments of Treasury, Commerce, State and Homeland Security as well as the National Nuclear Security Administration. They also hacked into the cybersecurity company FireEye Inc., whose investigation of its own breach led to the discovery of the malicious update in SolarWinds’s Orion software.
Bloomberg News reported that investigators have identified at least 200 government agencies and companies that were hacked using SolarWinds’s backdoor, but the identities of many of the victims aren’t yet publicly known.
U.S. officials including outgoing Attorney General William Barr, as well as cybersecurity experts, have fingered Russia as the most likely culprit; some experts have suggested the attack bears the hallmarks of Russia’s APT 29 hacking group, which is also known as Cozy Bear.
In the days after the attack, Senator Mark Warner, Democrat from Virginia, was among those who pointed to spying as motive. The vice chairman of the Senate Intelligence Committee, Warner said the attack was “a very, very sophisticated espionage attempt to take information, key information.”
Dmitri Alperovitch, co-founder and former chief technology officer of the cybersecurity firm CrowdStrike, agreed with Warner’s take.
“Motive has been obvious since the beginning. This is a data and intelligence collection operation,” said Alperovitch, who is now chairman of the Silverado Policy Accelerator.
The fact that the hackers gained access to the email accounts of high-ranking U.S. government officials supports the idea that the suspected Russian hackers were engaged in a massive spying operation. On Monday, Senator Ron Wyden, Democrat from Oregon and the ranking member of the Senate Finance Committee, provided the most compelling evidence to date to support the espionage theory.
Following a briefing from Treasury officials, Wyden said hackers had gained access to the email accounts of the department’s highest-ranking officials but that Treasury still doesn’t have a full accounting of what the hackers did.
The hackers also broke into about three dozen email accounts at the Commerce Department’s National Telecommunications and Information Administration, including those of senior leadership, the Wall Street Journal reported.
Frank Cilluffo, director of the McCrary Institute for Cyber and Critical Infrastructure Security at Auburn University and an adviser to the Department of Homeland Security, said it’s simply too soon to know for sure what the hackers were after, even as it looks initially like a “massive intelligence coup.”
“That doesn’t necessarily mean they can’t use those footholds for more disruptive actions in the future,” he said. “It’s hard to know until the damage assessment is complete.”
With SolarWinds Hack, Suspected Russian Hackers Again Flex Moscow’s Spycraft Muscle
Cyber intrusion sends a message to the West that years of sanctions haven’t deterred Russia’s security apparatus from conducting broad-based operations, analysts say.
In September, Russian President Vladimir Putin proposed a reset of U.S.-Russia relations in information security, calling for a truce to prevent incidents in cyberspace.
Now, U.S. officials have accused Moscow of carrying out one of the worst ever hacks of federal computer systems, penetrating the heart of the American government and ensnaring thousands of private companies.
While the hack so far appears to fall short of a destructive cyberattack, the use of stealthy tradecraft and a never-before-seen digital tool kit serves as a potent reminder of Russia’s cyber capabilities and its willingness to use them at scale, analysts say.
The range of targets—from the departments of Commerce, State and Homeland Security to the National Institutes of Health—could provide Russian leaders with indispensable intelligence and secrets that can be used at a later stage.
Ultimately, the hack signals to the West that years of international sanctions haven’t hampered Russia’s global ambitions or deterred its security apparatus from conducting broad-based operations with impunity, analysts say.
“It’s always good to sneak into these systems and collect some intelligence that you can use in the future. It’s classic industrial and political espionage,” said Andrei Soldatov, an expert and author on Russia’s spy agencies.
“On a political level, this could be very important too,” he said. “Such operations send a message that Russia has its strong intelligence agencies and they can’t be slowed down by the Americans.”
Mark Galeotti, an expert on Russia’s intelligence services and senior associate fellow at the British think tank Royal United Services Institute, said that the hack shows that Russia will continue its cyber operations unabated.
“If you think the Americans are out to get you, like many in Russia do, you have no reason not to do your worst,” he said.
The Kremlin has denied involvement in the hacks. Mr. Putin’s spokesman, Dmitry Peskov, on Monday called the allegations “continuation of blind Russophobia.” Russian officials said this week that the country isn’t conducting “offensive” operations in cyberspace. In his September statement, Mr. Putin proposed reaching an agreement “on no-first-strike with the use of [digital technologies] against each other.”
U.S. intelligence leaders frequently acknowledge the extreme level of cyber skills Russian hackers possess, but always say they aren’t as good as what the U.S. spies can manage. A former senior U.S. intelligence official said the hack should prompt a period of serious reflection about whether Russia’s hackers are superior, because a frank admission that the U.S. has fallen behind a chief adversary could prompt a necessary recommitment to improving cyber capabilities and defenses.
“People in the Pentagon don’t like to think of the Russians as superior to us in anything,” the former official said. “We are playing a game against adversaries who are our equals, maybe our superiors, in the cyber domain.”
U.S. and Russian experts say that since the hack doesn’t appear to have altered or damaged data and no computer systems or other infrastructure appear to have been damaged so far, it was a classic act of cyber espionage and a modern example of great power competition.
“Cyber espionage is a legitimate state activity,” said Vladimir Frolov, former senior Russian diplomat and Moscow-based political analyst. “Every self-respecting state does that. Given a similar opportunity to collect information on Russian targets, the NSA or the CIA would not hesitate for a second.”
But the sheer magnitude of the Russian heist changes the dynamics of the act and should be factored into Washington’s potential response options, some U.S. intelligence officials and security experts have said.
“In no way, shape or form have they exercised any discretion that they’ve met the standard of necessity or proportionality,” said Chris Inglis, the former deputy director of the NSA, during a panel discussion Thursday about the hack. “It is brazen, it is impactful, it is indiscriminate.”
Russian cyber operations have evolved since 2016 when U.S. intelligence found that Russia interfered in the presidential election, which Moscow denies.
Four years ago, hackers primarily relied on spearphishing—an attack that involves posing as another person to trick an email recipient to click on a malicious link—to steal login credentials. They have recently deployed more reconnaissance tactics, such as password sprays, which target a wider net of people with automated attempts to essentially guess passwords.
In the latest hack, instead of targeting organizations directly, the hackers broke in through a software backdoor and used it as a springboard to reach their marks. They sneaked their malicious code into the legitimate software of a trusted software maker—an Austin, Texas-based company called SolarWinds Corp. and its software called Orion. As many as 18,000 companies downloaded the malicious SolarWinds update.
While U.S. government officials and cybersecurity experts have concluded that Russia is likely responsible for the hack, the actual perpetrator behind the breaches is less certain.
Some U.S. officials and experts suspect Russia’s foreign-intelligence service, known by the initials SVR, was behind the infringements, though other security experts involved in probing the hack believe a previously unknown Russian cyber espionage group may be responsible.
Mr. Soldatov said that the hack could have been a joint operation between the SVR and the Federal Security Service, or FSB, Russia’s domestic spy agency, which is known for its extensive cyber capabilities and has experience with similar hacks. The SVR, on the other hand, doesn’t have the same cyber resources and technical expertise and would have been involved in providing intelligence on how and where to conduct the hack, he added.
Another Russian security agency, the military intelligence known as GRU, has gained notoriety in recent years and was linked by U.S. authorities to the cyber meddling during the 2016 election and other operations in subsequent years that knocked out Ukraine’s energy grid, exposed emails from the French president’s party and damaged global systems.
While there’s still uncertainty over whether the latest cyber theft involved collaboration among intelligence agencies, what’s clear is that, with competition rife between such organizations in Russia, pulling off a hack like this could be a way to get an edge on rivals, according to analysts.
“They all want to prove to the boss [Mr. Putin] that they are the best, the most imaginative, the most loyal,” Mr. Galeotti said. “They are all competing for access, for resources. Russia is a system where agencies can get devoured by their rivals if they look weak or inefficient.”
Russian officials have gone on the counteroffensive, charging that their nation is the target of foreign hackers.
Konstantin Kosachev, the chairman of the foreign affairs committee of Russia’s upper house of Parliament, claimed last week that some 30% of hacking attacks on Russia come from the U.S.
Mr. Putin, while denying state-backed hacking campaigns, has defended Russian cyber spies in the past, comparing hackers to artists.
“If artists get up in the morning feeling good, all they do all day is paint. The same goes for hackers,” he said in 2017. “If they are feeling patriotic they will start contributing, as they believe, to the justified fight against those speaking ill of Russia.”
On Sunday, at a ceremony on the outskirts of Moscow commemorating an SVR anniversary, Mr. Putin praised the agency’s intelligence operations and said that it should focus on ensuring information security, among other topics.
“I know firsthand what we are talking about here, and offer my highest praise for these complicated and professional operations,” he said.
Microsoft Hacked In Russia-Linked SolarWinds Cyberattack
Software giant says it saw ‘unusual activity’ on a few accounts that led it to discover the breach.
The Russia-linked hackers behind a widespread cyber-intrusion into U.S. corporate and government systems were able to access internal systems within Microsoft Corp. and view internal source code, used to build software products, the company said Thursday.
Microsoft had previously confirmed that it had downloaded malicious software from a vendor called SolarWinds Corp. that had been modified by the hackers. Thursday’s disclosure is the first indication that the hackers were able to access internal systems at Microsoft.
“We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories,” Microsoft said in a statement.
This compromised account was able to view Microsoft’s source code, but not make changes, the company said.
Microsoft’s disclosure raises the specter that the hackers may have targeted and then compromised other technology companies as well, said Sherri Davidoff, chief executive of the security consulting firm LMG Security LLC. “That’s why these hackers are going after these companies,” she said. “They don’t want access to just one company. They want access to everything.”
A Microsoft spokesman declined to say what products or internal systems were affected by the intrusion.
The company has “found no evidence of access to production services or customer data,” and “no indications that our systems were used to attack others,” the company said.
The SolarWinds attack dates back to at least October of 2019 and has prompted a flurry of cyber investigations within government and private industry. Through a backdoor the attackers installed in SolarWinds’s Orion networking software, the hackers found their way into systems belonging to the Department of Homeland Security, the State Department, the Treasury and Commerce departments and others.
U.S. government and cybersecurity officials have linked the attack to Russia. The Kremlin has denied involvement in the hacks.
A Wall Street Journal analysis of internet records identified infected computers at two dozen organizations that installed the tainted network monitoring software from SolarWinds. Among them: technology giant Cisco Systems Inc., chip makers Intel Corp. and Nvidia Corp., and accounting firm Deloitte LLP.
The hackers also compromised at least one reseller of Microsoft’s cloud-based computing services and tried to use that as a way of gaining access to emails belonging to the cybersecurity vendor CrowdStrike Inc. That attempt was unsuccessful, CrowdStrike said last week. Microsoft is the world’s second-largest cloud-computing company after Amazon.com Inc.
The SolarWinds attack went undetected for months and was discovered by FireEye Inc., a cybersecurity company, when hackers tripped an alarm. FireEye put more than 100 cyber sleuths on the job of investigating the hack of its systems, before ultimately zeroing in on SolarWinds’ software as the source of the compromise.
U.S. government and corporate investigators are still trying to assess what information the hackers were able to glean in what cybersecurity officials have characterized as one of the biggest breaches of U.S. networks in years.
Software development technologies have long been considered a sensitive target in cyberattacks. Source code management systems, like the one accessed by the Microsoft hackers, are used by software developers to build their products. Gaining access to them could give hackers insight into new ways of attacking these products, security experts say.
“Having the source code might reduce the amount of time and analysis for identifying vulnerabilities but attackers are still able to identify vulnerabilities without source code,” said Window Snyder, formerly chief security officer at Square Inc. “It’s another tool in the toolbox.”
In the case of SolarWinds, the attackers were able to do more than simply view source code. They compromised the system SolarWinds used for assembling its finished software products and were able to slip malicious code into SolarWinds’ own software updates that were shipped to about 18,000 customers, including Microsoft and FireEye.
U.S. Cites Russia As Likely Hacking Culprit, Bucking Trump
U.S. intelligence agencies and the FBI said a major hack of the federal government and some corporations was likely undertaken by Russia — contradicting President Donald Trump’s efforts to suggest China might be responsible — and “will require a sustained and dedicated effort to remediate.”
The Federal Bureau of Investigation is still focused on identifying victims, collecting and analyzing evidence and sharing information about the sophisticated hack, according to a joint statement on Tuesday from the FBI, National Security Agency, Office of the Director of National Intelligence and the Cybersecurity and Infrastructure Security Agency. The cyber-attacks are ongoing, according to the agencies.
The hack targeted updates in widely used software from Austin, Texas-based SolarWinds Corp., which has said as many as 18,000 of its customers may have received the malicious code. According to the statement, the agencies believe that “a much smaller number has been compromised by follow-on activity on their systems.”
That means the hackers left most of the SolarWinds’s customers who received the malicious update alone but pursued further attacks against a smaller number of them.
“We have so far identified fewer than 10 U.S. government agencies that fall into this category, and are working to identify the nongovernment entities who also may be impacted,” according to the statement.
Russia has rejected accusations it was behind the hack.
However, in the statement, the agencies said the attacks were likely “Russian in origin” and are believed to be “an intelligence gathering effort.”
Tuesday’s statement is the latest contradiction of Trump’s assessment of the hack. Attorney General William Barr and Secretary of State Mike Pompeo have previously said Russia was likely responsible.
“The Cyber Hack is far greater in the Fake News Media than in actuality. I have been fully briefed and everything is well under control. Russia, Russia, Russia is the priority chant when anything happens because Lamestream is, for mostly financial reasons, petrified of discussing the possibility that it may be China (it may!),” Trump wrote in a series of tweets on Dec. 19.
In a statement Tuesday, Mark Warner, the top Democrat on the Senate Intelligence Committee, criticized the Trump administration for waiting for more than three weeks after the hacking campaign was revealed to “finally issue a tentative attribution.”
“We need to make clear to Russia that any misuse of compromised networks to produce destructive or harmful effects is unacceptable and will prompt an appropriately strong response,” he said.
SolarWinds Hack Breached Justice Department System
Cyberattack potentially accessed 3% of the agency’s Microsoft Office email accounts.
The U.S. Justice Department has become the latest federal agency to say it was breached by hackers in the Russia-linked cyberattack that has ripped through government agencies and an unknown number of corporate networks.
About 3% of the Justice Department’s Microsoft Office email accounts were potentially accessed in the attack, the department said Wednesday.
The Justice Department’s chief information officer learned of the previously unknown malicious activity on Dec. 24 and has “eliminated the identified method by which the actor was accessing” Microsoft Office email accounts, Marc Raimondi, a Justice Department spokesman, said in a written statement.
There is no indication classified systems were affected, Mr. Raimondi said, as the department classified the breach as a major incident requiring notification to other agencies and Congress.
Even unclassified email accounts, though, can contain sensitive information about investigations and potentially national security related issues, said Chris Painter, a former senior official at the Justice and State departments who worked on cybersecurity issues. “A lot of DOJ work happens on unclassified systems.”
It couldn’t be determined which Justice Department employees, or how many, potentially had their internal communications exposed in the operation.
Some 115,000 employees work at the Justice Department, according to the department’s 2020 fiscal year budget request, a figure that includes Federal Bureau of Investigation personnel and correctional officers at federal prisons. Mr. Raimondi said not all Justice Department employees use Microsoft Office, but didn’t comment further on the size of the exposure.
Investigators continue to try to understand the full extent of the hack, so far linked to the use of a malicious update to widely used software provided by a Texas-based network-management company called SolarWinds Corp. to compromise U.S. government agencies and scores of private businesses across the globe. Investigators are reviewing how it managed to go undetected for so long and whether there were other avenues of attack.
Intelligence officials and cybersecurity analysts involved in the response are investigating whether a little-known software company called JetBrains s.r.o. might have played a role in the SolarWinds hack, according to people familiar with the matter.
JetBrains makes tools for software developers, including a product called TeamCity that is used to help manage and speed up large software development projects.
Investigators believe that the SolarWinds hackers gained access to a TeamCity server used by SolarWinds to build its software products, but it is unclear how this system was accessed, according to people familiar with the matter.
“SolarWinds, like many companies, uses a product by JetBrains called TeamCity to assist with the development of its software. We are reviewing all internal and external tools as part of our investigations, which are still ongoing,” a SolarWinds spokesman said. The company hasn’t seen any evidence linking the security incident to a compromise of the TeamCity product, he said.
“We’re not aware of any breach,” Maxim Shafirov, the chief executive of JetBrains, said in a text message. The company was founded in the Czech Republic in 2000. It boasts 79 of the Fortune 100 among its 300,000 clients.
“We have never been contacted by any security firms or agencies on the matter,” Mr. Shafirov said.
Interest in JetBrains among investigators was earlier reported by the New York Times.
The Justice Department is the latest of more than a half-dozen agencies to identify a compromise of its systems related to the massive hack, which has been under way for more than a year but was only discovered last month. Other federal agencies affected include the departments of State, Treasury, Commerce and Energy, according to officials and others familiar with the investigation.
On Tuesday, the Trump administration for the first time formally stated that Russia is likely behind what is known as the SolarWinds hack, a conclusion that senior officials had already reached and expressed both publicly and privately. Moscow has denied involvement in the cyberattack.
Current and former officials and cybersecurity experts have said the hack amounts to one of the worst intelligence failures on record. Hacks are often destructive in nature by disrupting operations. This one, officials believe, was different—a widely successful cyber espionage operation intended to purloin sensitive information from the U.S. government and quietly maintain persistent access within those networks.
Microsoft last week said the hackers accessed its systems and viewed internal source code used to create software products. The hackers also compromised at least one reseller of Microsoft’s cloud-based computing services and tried to use that as a way of gaining access to emails belonging to the cybersecurity vendor CrowdStrike Inc. That attempt was unsuccessful, CrowdStrike has said.
Microsoft Corp. declined to comment on the breach of Justice Department email accounts.
Russia-Linked Hack Spread Via New Malware, Security Experts Say
Suspected Russian hackers used a previously unknown piece of malware called “Raindrop” in the SolarWinds cyberattack, potentially infecting more computer systems than had been thought, according to digital security firm Symantec.
It’s the latest information to emerge about the sprawling hack that sent shock waves through the U.S. government and business world last month.
Raindrop “was used against a select number of victims that were of interest to the attackers,” according to a blog post by a team headed by Eric Chien, the technical director at Symantec, which is a unit of Broadcom Inc.
Symantec has not found evidence that it was delivered through the SolarWinds malware, which means computer systems showing no signs of containing SolarWinds software or the malware it delivered could still be victims of the attack, according to Chien. He said the hackers likely used credentials stolen during the SolarWinds phase of the attack to log in and deliver Raindrop to other systems.
“Machines that don’t have SolarWinds could still be infected,” suggesting the hack could be larger than previously understood, said Chien. “Hopefully Raindrop is the end of the chain, but there’s no guarantee.”
Suspected Russian Hackers Gained Edge Through Tech Firm Attacks
Whether it was opportunity, strategy or sheer chutzpah, the suspected Russian hackers behind a massive cyber-attack revealed last month focused particular attention on technology companies, including cybersecurity firms entrusted to find malicious activity in their clients’ networks.
Four cybersecurity companies announced this week that they had been targeted as part of the attack, adding to a list of at least eight other tech companies that the hackers tried to breach. Many of the companies said they successfully blocked the attackers, but some others acknowledged that their networks were infiltrated.
The hackers may have focused on technology and cybersecurity companies simply because, after government agencies, they were the next best targets. For hackers, cybersecurity companies represent the gatekeepers guarding the computer networks they so desperately wish to exploit, said Allan Liska, senior security architect at cybersecurity analytics firm Recorded Future Inc.
Also, cybersecurity and technology companies often have remote access to customers’ computer networks, potentially giving hackers entry to their clients and partners. Such digital supply chain hacks are an efficient method to corral hundreds, if not thousands, of potential victims, Liska said.
“If you can compromise security infrastructure, you essentially have the keys to the kingdom and can run around undetected,” he said. “And we’re dealing with an advanced adversary who’s looking for this kind of access.”
In the case of SolarWinds Corp., for instance, the hackers installed malware in its Orion software, which is used by government agencies and Fortune 500 companies. The Texas-based firm said that as many as 18,000 customers may have received the malicious code in software updates, though far fewer are believed to have been subject to further attacks from the hackers.
In addition, the hackers targeted at least one reseller of Microsoft Corp.’s Office 365 tools, likely by digging up login credentials and then compromising the reseller’s clients, cybersecurity experts say. The suspected Russian attackers used those tactics to target the cybersecurity company CrowdStrike, which wasn’t ultimately breached.
The cyber-research firm Malwarebytes Inc. was also targeted after a third-party application that protects its Office 365 email was hacked, and the hackers gained access to a “limited subset of internal company emails,” Malwarebytes said.
There’s not yet any evidence that cybersecurity companies were a launching point for a broader attack, only that the Russian adversary attempted to do so.
“This is a persistent, sophisticated attack that requires organizations to look carefully at the supply chain of their IT infrastructure, which cybersecurity is a part of,” said Ryan Gillis, vice president for cybersecurity strategy and global policy at Palo Alto Networks Inc. “When you look at the consequences, from what we’ve seen so far, everything points back to the IT supply chain.”
Hacking into cybersecurity companies also provides attackers with advantages when launching further attacks, potentially providing them with detection tools or source code that they can use to avoid being caught, according to cybersecurity experts.
“If I am trying to break into your house, the best way to go through is to disable cameras, electronic clocks; this will give me a tactical advantage,” said Alex Holden, founder and chief information security officer at Hold Security. “Knowing how to evade detection in cyber is almost the entire battle. If they have the detection tools in their pocket, they’ve taken our safeguards to use against us.”
Mimecast Ltd., an email security provider, said Tuesday that hackers had turned one of its security tools against it to view its customers’ Microsoft 365 accounts. Fidelis Cybersecurity Inc. said that the company is investigating evidence that it might have been targeted. Another cybersecurity company, Qualys Inc., was also targeted but said in a statement that “there was no impact on our production environment nor exfiltrated data.”
Palo Alto Networks said it was targeted by the same hackers in October but successfully stopped the attacks.
The hack was disclosed in December by the cybersecurity company FireEye Inc., which itself was attacked. About 10 U.S. government agencies were infiltrated as part of the attack, including the departments of Justice, Treasury and Homeland Security. Among the other technology companies that were targeted for further attacks were Microsoft and Cisco Systems Inc. U.S. officials have said they believe hackers associated with the Russian government are behind the attack.
The attack isn’t the first time that cybersecurity firms were compromised by hackers. In 2011, for instance, EMC Corp.’s RSA unit was breached, and two years later, the security firm Bit9 revealed that it had been hacked. Juniper Networks Inc. said it too was compromised in 2015.
Even so, trying to target cybersecurity companies comes with its own perils. After all, the alleged Russian hackers could still be roaming undetected through U.S. government networks, and those of various companies, if they hadn’t decided to break into FireEye’s computers.
“Attackers are getting more sophisticated, and pursuing persistence over time instead of smash and grab techniques,” said Jim Jaeger, a former U.S. Air Force brigadier general who is now president and chief cyber strategist at the cyber investigations firm Arete Advisors LLC. “Now they’re aspiring to use cybersecurity tools to get inside our networks. They’re taking our safeguards and using them against us.”
Hackers Lurked In SolarWinds Email System For At Least 9 Months, CEO Says
Investigators still don’t know how the company was breached in an attack that will cost millions.
The newly appointed chief executive of SolarWinds Corp. is still trying to unravel how his company became a primary vector for hackers in a massive attack revealed last year, but said evidence is emerging that they were lurking in the company’s Office 365 email system for months.
The hackers had accessed at least one of the company’s Office 365 accounts by December 2019, and then leapfrogged to other Office 365 accounts used by the company, Sudhakar Ramakrishna said in an interview Tuesday. “Some email accounts were compromised. That led them to compromise other email accounts and as a result our broader [Office] 365 environment was compromised,” he said.
It is the latest development in the eight-week investigation into one of the worst breaches in U.S. history. SolarWinds, previously a little-known but critical maker of network-management software, is still trying to understand how the hackers first got into the company’s network and when exactly that happened.
One possibility is that the hackers may have compromised the company’s Office 365 accounts even earlier and then used that as the initial point of entry into the company, although that is one of several theories being pursued, Mr. Ramakrishna said.
Investigators are trying to determine how widespread the damage has been. So far only several dozen victims have been identified, but the attack could have ultimately affected close to 18,000 of the company’s customers.
The internal investigation has involved searching through tens of terabytes of logfiles and other data in an effort to retrace the steps of a hacking operation that went undetected for more than a year, Mr. Ramakrishna said. “We have been evaluating mountains of data,” he said.
Ultimately the response to the incident will end up costing SolarWinds millions of dollars, said Mr. Ramakrishna, who had been pegged as SolarWinds’ next chief executive when the hack was discovered, but didn’t start at the company until Jan. 4.
“My attitude was to come in and assess first and figure out what we needed to do,” he said. Since taking over, Mr. Ramakrishna has revamped the company’s software development processes and brought in outside cybersecurity experts to help respond to the breach, including Chris Krebs, formerly the Department of Homeland Security’s top cybersecurity official, and Alex Stamos, formerly Facebook’s chief security officer.
Investigators describe the hack as one of the worst in U.S. history because of its sophistication, scope and the way it undermined the trusted relationship between technology providers and the products they make.
The attackers crafted a way to turn SolarWinds’ own software update into a kind of digital Trojan horse. So far, the investigation has found that the hackers were running tests on SolarWinds’ internal build systems, used to assemble the company’s software updates, in September 2019. The build system was then used to create a malicious software patch that SolarWinds says it shipped out to fewer than 18,000 customers in 2020.
The U.S. government has publicly blamed Russia, which has denied responsibility. Last month, President Biden instructed his director of national intelligence, Avril Haines, to conduct a review of Russian aggression against the U.S., including the SolarWinds hack.
Dozens of SolarWinds’ customers, including major technology companies such as Microsoft Corp. and Cisco Systems Inc., were affected by the incident, as well as the departments of the Treasury, Justice, Energy, Commerce, State, Homeland Security and Labor.
On Tuesday, people familiar with the investigation said that another group of hackers—a group linked to China—that had accessed the Agriculture Department’s networks, exploited an unrelated and less serious flaw in SolarWinds software to further target the organization’s computer systems. The Agriculture Department attack was reported earlier by Reuters. A spokesman for the Agriculture Department disputed aspects of the Reuters story but didn’t clarify whether any part of the department had suffered a breach related to SolarWinds software.
Mr. Ramakrishna said that SolarWinds was already investigating a single report of hackers exploiting this bug when it learned of its own compromise last December.
While SolarWinds’ network management software, called Orion, was itself a major avenue of attack by the hacking effort, it wasn’t the only one. Last week the acting director of the Cybersecurity and Infrastructure Security Agency said that about 30% of the hackers’ victims had no direct connection with SolarWinds itself.
“This is a pretty significant incident,” said Adam Meyers, senior vice president of intelligence at CrowdStrike Holdings Inc., a security company that SolarWinds hired to investigate the hack. “Frankly I don’t even know that we’ve scratched the surface on this thing.”
Former US Director Of Cybersecurity: Crypto Ransomware ‘Running Wild’
Ransomware is something the “average American” is worried about, says former cybersecurity top dog Chris Krebs.
Former Department of Homeland Security official Christopher Krebs called for greater governmental oversight of cryptocurrency in an interview yesterday, saying that anonymous payments are a threat “the average American is concerned about.”
In an interview on Late Night with Bill Maher, Maher asked the former U.S. Cybersecurity & Infrastructure Security Agency director about his thoughts on Bitcoin.
“What’s gonna happen with Bitcoin? Where do you see that going? That’s in sort of your area, I see it bringing down civilization, but maybe I’m being anti-intellectual,” said Maher.
“Cryptocurrency, as I see it, is one of the single enabling factors that has allowed cyber-criminals to deploy a massive amount of ransomware across our state and local agencies,” said Krebs. “It’s the anonymous payments, the ability to pay anonymously. And I think that is the cyber-threat that the average American is concerned about.”
Maher noted that 1600 schools have been hit with ransomware (citing a report from IBM), and Krebs added that there have also been attacks on “hospitals, and government agencies, I mean we had, Baltimore’s been hit twice, Atlanta, Mecklenburg county North Carolina, 23 counties in Texas, Louisiana’s been hit a couple times.”
“And they just want money. This isn’t anything sophisticated, this isn’t ideological,” Maher responded, comparing — puzzlingly — the ransomware attacks to the plot of the movie Die Hard. (Shortly after, Krebs incorrectly referred to the fictitious Nakatomi Plaza as “Nakasomi Tower”).
Krebs went on to warn of “bad guys” running wild if there are “no consequences.” He recommended “looking at” cryptocurrencies in exchange wallets, pressuring countries that cyber-criminals call home to crack down on illegal activities aimed at the U.S., and helping state and local governments improve their defenses.
Ransomware has been on the rise the last few years, likely contributing to an image problem in the cryptocurrency space. One recent poll indicates that only 43% of respondents believe cryptocurrency is a valid form of payment, and another from 2020 shows that 90% of respondents are “worried” about cryptocurrencies being used to launder money.
Suspected China Hack of Microsoft Shows Signs of Prior Reconnaissance
Investigators suspect personal data taken in earlier huge hacks or scraped off social-media sites aided breach of Microsoft Exchange Server.
Microsoft Corp. and U.S. government officials are still working to understand how a network of suspected Chinese hacking groups carried out an unusually indiscriminate and far-reaching cyberattack on Microsoft email software, more than a month after the discovery of an operation that rendered hundreds of thousands of small businesses, schools and other organizations vulnerable to intrusion.
A leading theory has emerged in recent weeks, according to people familiar with the matter: The suspected Chinese hackers mined troves of personal information acquired beforehand to carry out the attack.
Such a method, if confirmed, could realize long-held fears about the national security consequences of Beijing’s prior massive data thefts. And it would suggest the hackers had a higher degree of planning and sophistication than previously understood.
“We face sophisticated adversaries who, we know, have collected large amounts of passwords and personal information in their successful hacks,” said Anne Neuberger, President Biden’s deputy national security adviser for cyber and emerging technology. “Their potential ability to operationalize that information at scale is a significant concern.”
Soon after the hack on computer systems using Microsoft Exchange Server was discovered in March, senior national security officials in the Biden administration recognized it as a major international cybersecurity problem.
The White House assembled an interagency task force that included private-sector partners, such as the Redmond, Wash., tech giant and cybersecurity companies, to quickly share information and develop security patches for the affected Exchange Server customers.
Among the potential sources of the personal data is China’s vast archive of likely billions of personal records its hackers stole over the past decade. The hackers may have mined that to discover which email accounts they needed to use to break into their targets, according to people familiar with the matter.
Another theory under investigation: The hackers scanned social-media sites like LinkedIn to determine which email accounts corresponded to systems administrators and were therefore likely the ones to use in the attack. A third: The hackers may have been simply lucky, breaking into systems using a default administrator email address.
The attack on the Exchange Server systems began slowly and stealthily in early January, launched by a hacking group dubbed Hafnium that has targeted infectious-disease researchers, law firms and universities in the past, cybersecurity officials and analysts said.
The operational tempo picked up dramatically, as other China-linked hacking groups became involved, infecting thousands of servers, while Microsoft scrambled to send its customers a software patch in early March.
Microsoft and other security companies have publicly linked the Exchange Server attack to groups believed to be based in China. The Biden administration hasn’t publicly attributed the hack to any group, and China has denied involvement.
But officials at Microsoft and within the Biden administration remain puzzled by how the suspected Chinese actors were able to pull off such a global operation so rapidly, said Tom Burt, Microsoft’s vice president of customer security and trust, in an interview.
The attackers exploited a set of previously unknown bugs to infiltrate Exchange Server systems and target a range of the systems’ users. But to do that, the hackers had to know the email accounts of the respective networks’ system administrators, Mr. Burt said.
A theory soon emerged that the hackers were relying on personal information that led them to the system administrators’ email account names, whether mined in previous hacks, or scraped from publicly available social-media sites like LinkedIn.
“That could be from big hacks of big data sets. It could also be that they have big teams of people who are focused on doing the social research to try to build out these data sets,” Mr. Burt said. “Who knows?”
In 2015, the Obama administration discovered that hackers linked to China breached the U.S. Office of Personnel Management, the human-resources office for the U.S. federal government. The hackers pilfered millions of government background investigation records dating back 20 years, gaining detailed information on current and former U.S. government employees and their families.
Beijing has also been implicated in scores of hacks of enormous databases of personal information from corporations in the U.S. and overseas, such as Marriott International Inc. and the credit-reporting company Equifax Inc.
Additionally, many Exchange Server systems use the default administrator account, “administrator@” followed by the network’s domain name, creating another path for the hackers to exploit.
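As an added illustration of the reconnaissance theory described above (this is example code written for this page, not code from the article, from Microsoft, or from any investigator), the following Python script looks at the problem from the defender's side: given an export of a domain's mailboxes and public profile data of the kind scraped from social-media sites, it reports which administrator mailboxes an outsider could predict, either because they carry the default “administrator@” name or because common corporate username conventions applied to the name on an admin-titled public profile hit a real admin mailbox. The mailbox export, the profiles, the domain example.com, the naming patterns and the title keywords are all constructed assumptions for the demonstration, not data from the page.

```python
"""Exposure check: which admin mailboxes could be predicted from public data?

Added example for this page; the inputs below are constructed, not real.
"""
import csv
import io
import re

# Constructed sample of a mailbox export (what an admin can pull from the directory).
MAILBOX_EXPORT = """\
address,display_name,is_admin
administrator@example.com,Administrator,true
jane.doe@example.com,Jane Doe,true
rsmith@example.com,Robert Smith,true
pat.lee@example.com,Pat Lee,false
helpdesk@example.com,Help Desk,false
"""

# Constructed "public" profile records of the kind scraped from social-media sites.
PUBLIC_PROFILES = [
    {"name": "Jane Doe", "title": "Systems Administrator at Example Corp"},
    {"name": "Robert Smith", "title": "Exchange Engineer, Example Corp"},
    {"name": "Pat Lee", "title": "Marketing Coordinator"},
]

# Assumed keywords that mark a profile as likely belonging to an IT administrator.
ADMIN_TITLE_RE = re.compile(
    r"\b(admin|administrator|sysadmin|exchange|infrastructure)\b", re.IGNORECASE
)
# Assumed default/built-in local parts an attacker would try without any research.
DEFAULT_ACCOUNTS = ("administrator", "admin")


def candidate_addresses(full_name, domain):
    """Addresses a real name would map to under common corporate username conventions.

    The conventions are assumed for the example: first.last, flast, firstlast,
    first_last, last.first and bare first name.
    """
    parts = full_name.lower().split()
    first, last = parts[0], parts[-1]
    locals_ = {
        f"{first}.{last}",
        f"{first[0]}{last}",
        f"{first}{last}",
        f"{first}_{last}",
        f"{last}.{first}",
        first,
    }
    return {f"{local}@{domain}" for local in locals_}


def predictable_admin_mailboxes(export_csv, profiles, domain):
    """Map each predictable mailbox address to the reason it is predictable."""
    rows = list(csv.DictReader(io.StringIO(export_csv)))
    admin_addresses = {
        r["address"].lower() for r in rows if r["is_admin"].strip().lower() == "true"
    }
    findings = {}

    # Path 1: the default administrator account name needs no research at all.
    for r in rows:
        address = r["address"].lower()
        if address.split("@")[0] in DEFAULT_ACCOUNTS:
            findings[address] = "default account name"

    # Path 2: an admin-titled public profile plus a naming convention yields the address.
    for profile in profiles:
        if not ADMIN_TITLE_RE.search(profile["title"]):
            continue
        for address in candidate_addresses(profile["name"], domain):
            if address in admin_addresses:
                findings[address] = f"admin-titled public profile: {profile['name']}"

    return findings


if __name__ == "__main__":
    for address, reason in sorted(
        predictable_admin_mailboxes(MAILBOX_EXPORT, PUBLIC_PROFILES, "example.com").items()
    ):
        print(f"{address}: {reason}")
```

Run against a real mailbox export, the findings are the accounts to rename, protect with MFA, or monitor first, since they are the ones an attacker can address without ever touching the network. The non-admin marketing mailbox is deliberately not reported even though its address follows the same convention: the point is the admin accounts the article says the attackers needed.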
As the code used in the Exchange Server attacks was made public, security experts and U.S. officials urgently warned that criminals would leverage that code in a second massive wave of cyberattacks.
But the feared wave of attacks wasn’t as severe as anticipated, according to investigators. Those later attackers likely wouldn’t have had access to the same personal information, which lends credence to cybersecurity officials’ theory that the Chinese hackers used extra information to target administrator accounts.
The number of potential victims was enormous. On March 9, the cybersecurity company Palo Alto Networks Inc. said it had identified 125,000 potentially vulnerable Exchange systems that hadn’t been patched. By April 1, more than 90% of Microsoft’s customers had patched their systems to address the vulnerabilities used in the attack, Mr. Burt said.
Microsoft has pushed its customers to install security patches over the past month, releasing a blizzard of more than 25 patches that covered the wide array of Exchange versions. At the Biden administration task force’s urging, the company also simplified the updating process for customers, releasing a “one-click patch” option. In meetings, the group has discussed possibilities for how the attack was pulled off without reaching consensus on any one theory, Mr. Burt and others said.
In all, the China-linked hackers are estimated to have infiltrated as many as 20,000 servers, according to an estimate by Symantec, the security division of Broadcom Inc. But because Microsoft has only limited access to data about Exchange servers running within its customer data centers, the full scope of the attack may never be known, Mr. Burt said.
Krebs, who rose to prominence after being fired by former president Donald Trump because of Krebs’ vocal dismissal of election fraud conspiracy theories, may be aligning his publicly stated views with popular opinion in preparation for a run for office. The former bureaucrat has also floated policy proposals such as investing in state and local cyber defense and education programs.