The New York TimesDec 18, 2020 11:32:20 IST
Federal officials issued an urgent warning on Thursday that hackers, who US intelligence agencies believed were working for the Kremlin, used a far wider variety of tools than previously known to penetrate government systems, and said that the cyberoffensive was “a grave risk to the federal government.” The discovery suggests that the scope of the hacking, which appears to extend beyond nuclear laboratories and the Pentagon, Treasury and Commerce departments’ systems, complicates the challenge for federal investigators as they try to assess the damage and understand what had been stolen.
Minutes after the statement from the cybersecurity arm of the Department of Homeland Security, President-elect Joe Biden issued a strong statement — especially in comparison with President Donald Trump, who has said nothing about the attacks. Biden warned that his administration would impose “substantial costs” on those responsible.
“A good defense isn’t enough; we need to disrupt and deter our adversaries from undertaking significant cyberattacks in the first place,” Biden said, adding, “I will not stand idly by in the face of cyberassaults on our nation.”
Echoing the government’s warning, Microsoft said Thursday that it had identified 40 companies, at a minimum, that government agencies and think tanks that the suspected Russian hackers stole data from. Nearly half are private technology firms, Microsoft said, many of them cybersecurity firms, like FireEye, that are charged with securing vast sections of the public and private sector.
“It’s still early days, but we have already identified 40 victims — more than anyone else has stated so far — and believe that number should rise substantially,” Brad Smith, Microsoft’s president, said in an interview on Thursday. “There are more nongovernmental victims than there are governmental victims, with a big focus on IT companies, especially in the security industry.”
Officials have yet to publicly name the attacker responsible, but intelligence agencies have told Congress that they believe it was carried out by the SVR, an elite Russian intelligence agency. A Microsoft “heat map” of infections shows that the vast majority — 80 percent — are in the United States, while Russia shows no infections at all.
The government warning, issued by the Cybersecurity and Infrastructure Security Agency, did not detail the new ways that the hackers got into the government systems. But it confirmed suspicions expressed this week by FireEye, a cybersecurity firm, that there were almost certainly other routes that the attackers had found to get into networks on which the day-to-day business of the United States depend.
FireEye was the first to inform the government that the suspected Russian hackers had, since at least March, infected the periodic software updates issued by a company called SolarWinds, which makes critical network monitoring software used by the government, hundreds of Fortune 500 companies and firms that oversee critical infrastructure, including the power grid.
Investigators and other officials say they believe the goal of the Russian attack was traditional espionage, the sort the National Security Agency and other agencies regularly conduct on foreign networks. But the extent and depth of the hacking raises concerns that hackers could ultimately use their access to shutter American systems, corrupt or destroy data, or take command of computer systems that run industrial processes. So far, though, there has been no evidence of that happening.
The alert was a clear sign of a new realization of urgency by the government. After playing down the episode — in addition to Trump’s silence, Secretary of State Mike Pompeo deflected the hacking as one of the many daily attacks on the federal government, suggesting China was the biggest offender — the new alert left no doubt the assessment had changed.
“This adversary has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks,” the alert said.
“It is likely that the adversary has additional initial access vectors and tactics, techniques and procedures,” which, it said, “have not yet been discovered.”
Investigators say it could take months to unravel the extent to which American networks and the technology supply chain are compromised.
In an interview on Thursday, Smith, of Microsoft, said the supply-chain element made the attack perhaps the gravest cyberattack against the United States in years.
“Governments have long spied on each other but there is a growing and critical recognition that there needs to be a clear set of rules that put certain techniques off limits,” Smith said. “One of the things that needs to be off-limits is a broad supply chain attack that creates a vulnerability for the world that other forms of traditional espionage do not.”
Reuters reported Thursday that Microsoft was itself compromised in the attack, a claim that Smith emphatically denied Thursday. “We have no indication of that,” he said.
Officials say that with only one month left in its tenure, the Trump administration is planning to simply hand off what appears to be the biggest cybersecurity breach of federal networks in more than two decades.
Biden’s statement said he had instructed his transition team to learn as much as possible about “what appears to be a massive cybersecurity breach affecting potentially thousands of victims.”
“I want to be clear: My administration will make cybersecurity a top priority at every level of government — and we will make dealing with this breach a top priority from the moment we take office,” Biden said, adding that he plans to impose “substantial costs on those responsible.”
The Cybersecurity and Infrastructure Security Agency’s warning came days after Microsoft took emergency action along with FireEye to halt the communication between the SolarWinds network management software and a command-and-control center that the Russians were using to send instructions to their malware using a so-called kill switch.
That shut off further penetration. But it is of no help to organizations that have already been penetrated by an attacker who has been planting back doors in their systems since March. And the key line in the warning said that the SolarWinds “supply chain compromise is not the only initial infection vector” that was used to get into federal systems. That suggests other software, also used by the government, has been infected and used for access by foreign spies.
Across federal agencies, the private sector and the utility companies that oversee the power grid, forensic investigators were still trying to unravel the extent of the compromise. But security teams say the relief some felt that they did not use the compromised systems turned to panic on Thursday, as they learned other third-party applications may have been compromised.
Inside federal agencies and the private sector, investigators say they have been stymied by classifications and siloed approach to information sharing.
“We have forgotten the lessons of 9/11,” Smith said. “It has not been a great week for information sharing and it turns companies like Microsoft into a sheep dog trying to get these federal agencies come together into a single place and share what they know.”
[David E Sanger and Nicole Perlroth] c.2020 The New York Times Company