The first damage assessment of a sprawling cyberattack linked to Russia has been chilling enough.
With intrusions reported across a huge swath of the government – including at the Department of Energy’s National Nuclear Security Administration – federal officials already are signaling that the worst may be yet to come.
The Department of Homeland Security’s cybersecurity unit has acknowledged that the full scope of the attack is not yet known, with an untold number of local government and private sector systems at “grave risk.”
Secretary of State Mike Pompeo said U.S. officials are “still unpacking” the cyber intrusion but he publicly blamed the Kremlin.
“This was a very significant effort, and I think it’s the case that now we can say pretty clearly that it was the Russians that engaged in this activity,” Pompeo said in an interview on the Mark Levin Show, a conservative talk radio program.
President Donald Trump, however, expressed doubt that Russia was behind the attack in a tweet Saturday – his first public comment on the security breach since it was first reported.
The president claimed, without evidence and in contradiction to the general consensus, that the news media was reflexively blaming Russia and not exploring whether China may have been involved.
“Russia, Russia, Russia is the priority chant when anything happens,” Trump tweeted.
And, in sharp contrast to the dire warnings from DHS and private experts, the president downplayed the threat posed by the cyberattack and claimed news organizations were exaggerating the danger.
“The Cyber Hack is far greater in the Fake News Media than in actuality. I have been fully briefed and everything is well under control,” Trump said.
Although federal authorities have so far traced the attack’s launch back to March, it remains unclear just how long operatives have been lurking in some of the government’s most critical agencies – including the departments of State, Homeland Security, Treasury and Commerce – and what may have been lost or compromised.
Because the attacks employed sophisticated tactics unseen in past intrusions, according to Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), eliminating the threat is expected to be even more difficult.
Where is the White House?
Most striking, perhaps, has been the White House’s relative silence as other parts of the government have been ringing the alarm about the cascading threat and the uncertain risk, raising questions about how the U.S. should respond.
Sen. Mitt Romney, R-Utah, Friday called Trump’s lack of response “extraordinary” as the country faces the modern equivalent of “Russian bombers reportedly flying undetected over the entire country.”
“They had the capacity to show that our defense is extraordinarily inadequate; that our cyber warfare readiness is extraordinarily weak,” Romney said in an interview with Sirius XM, adding that the Kremlin acted with “impunity.”
“And in this setting, not to have the White House aggressively speaking out and protesting and taking punitive action is really, really quite extraordinary,” he added.
Michael Chertoff, a former Homeland Security secretary in the George W. Bush administration, said Friday that the breaches underscored the need for a “deterrent strategy during a time of cyber conflict.”
“I think we may need to up our game,” Chertoff said.
Senate Intelligence Committee Vice Chairman Mark Warner, D-Va., characterized the hack Friday as “a devastating breach” that requires the president’s attention.
“An incident of this magnitude and lasting impact requires an engaged and public response by the U.S. government, led by a president who understands the significance of this intrusion and who is actively marshaling a domestic remediation strategy and an international response,” Warner said. “It is extremely troubling that the president does not appear to be acknowledging, much less acting upon, the gravity of this situation.”
Pompeo defended the president’s silence after Levin, the show’s host, suggested the Trump administration might be working “behind the scenes” to address Russia’s role in the attack.
“That’s absolutely true,” Pompeo said, although he did not elaborate on what, if anything, the president might be doing to confront Moscow.
“There are many things that you’d very much love to say, ‘Boy, I’m going to call that out,’ but a wiser course of action to protect the American people is to calmly go about your business and defend freedom,” Pompeo said.
Yohannes Abraham, executive director of President-elect Joe Biden’s transition, repeated Biden’s Thursday warning that there would be consequences to those who attack the U.S. with malicious cyber operations.
“There will be substantial costs,” Abraham said Friday. “While our adversaries shouldn’t expect us to telegraph our punches, they should expect that the president-elect is a man of his word.”
He added that while much is unknown, “what we do know is a matter of great concern.”
While the Energy Department has acknowledged that its systems have been affected, including the agency that maintains the nation’s nuclear weapons stockpile, it doesn’t mean that hackers have access to nuclear weapons and codes. That’s because weapons systems are usually isolated from the traditional internet, says Dvir Sasson, head of research for CyberInt, a Tel Aviv, Israel-headquartered security firm.
DOE spokeswoman Shaylyn Hynes said late Thursday that its review is ongoing but has so far determined that the malware has been “isolated to business networks only.” The breach had not, Hynes said, spread to “mission essential national security functions of the department, including the National Nuclear Security Administration.”
“When DOE identified vulnerable software, immediate action was taken to mitigate the risk, and all software identified as being vulnerable to this attack was disconnected from the DOE network,” Hynes said.
What we don’t know can hurt us
Much of what the government has so far disclosed publicly is replete with the unknown.
A joint statement this week by the FBI, CISA and the Office of the Director of National Intelligence referred to the “significant cyber incident” as “a developing situation,” suggesting that intrusions are ongoing.
In a separate bulletin, CISA said the attack continued to pose “a grave risk,” not only to federal networks but to state, local and tribal governments along with critical infrastructure entities and private organizations.
The agency also acknowledged that suspected additional compromises “have not yet been discovered.”
“This … actor has demonstrated patience, operational security, and complex trade-craft in these intrusions,” CISA said of the hackers, adding that the ongoing effort to eliminate the threat “will be highly complex and challenging.”
Understanding the full extent of this hacking campaign “will take a very long time,” Sasson said. “It’s not unlike contact tracing during a pandemic in that we are already finding that the impact and scale of this campaign is much larger than originally understood. In less than a week, this has grown from one security vendor being hacked … to a major assault on significant government agencies and businesses across the globe.”
‘Top-tier offensive capabilities’
The attackers penetrated federal computer systems through a widely deployed network-management platform, Orion, sold by the software company SolarWinds.
The intrusions apparently stem from the same cyberespionage campaign that hit the cybersecurity firm FireEye, foreign governments and major corporations.
SolarWinds software is used by hundreds of thousands of organizations globally, including most Fortune 500 companies and multiple U.S. federal agencies, which are now scrambling to remove or patch the affected product on their networks.
The initial DHS alert came a few days after FireEye announced that it had been breached “by a nation with top-tier offensive capabilities,” as FireEye CEO Kevin Mandia put it.
FireEye found that malicious code had been inserted into normal software updates for SolarWinds’ products. Because the tampered update was built and signed through the vendor’s own release process, it looked like any other routine update and passed the checks customers ordinarily rely on. A so-called “supply chain attack” of this kind comes from a vendor that is trusted, especially an IT management software company, so bad actors are “coming from the back door, the least expected place to get infected from,” Sasson said.
Once inside a network, the intruders used that foothold to move into Microsoft Office 365 accounts and data. Such an attack reaching Microsoft’s products “could have major consequences. Microsoft products are used globally, touching individual operating systems, video game services, cloud infrastructure, and more,” said Sivan Tehila, director of solution architecture at Perimeter 81, a cloud software security company also based in Tel Aviv, Israel.
Microsoft, which has released a detection update to block the malicious code, noted that once inside a network the code sought to collect credentials in order to gain additional access.
Such an attack “is quite rare,” Sasson said. “The way the malware acts it is (as if it is) shutting itself down. It’s trying to be very secretive and trying to communicate low and slow, what we call in the industry, to make sure it is not being detected.”
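The “low and slow” behavior Sasson describes is what makes this kind of implant hard to spot in traffic: contacts are rare and small, but they tend to be evenly spaced because a sleeping implant wakes on a timer. The following is an added example, not code from the article or from any company quoted in it, showing one way a defender can screen proxy logs for that regularity. The log format, hostnames, addresses and thresholds are all constructed for illustration and are not indicators from this campaign.

```python
"""
Added example (not from the article or any vendor named in it): a small
periodicity check for "low and slow" command-and-control beaconing over
constructed proxy-log lines.  Hostnames, IPs, timings and thresholds are
made up for illustration; they are not indicators from the SolarWinds case.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: "<ISO timestamp> <src_ip> <dst_host> <bytes>".
# 10.0.0.5 contacts one host roughly once an hour with small jitter and tiny
# payloads (the beacon pattern); 10.0.0.7 browses a site in irregular bursts.
SAMPLE_LOG = """\
2020-12-14T00:00:00 10.0.0.5 updates.example-cdn.test 412
2020-12-14T01:02:11 10.0.0.5 updates.example-cdn.test 398
2020-12-14T01:58:40 10.0.0.5 updates.example-cdn.test 405
2020-12-14T03:01:05 10.0.0.5 updates.example-cdn.test 411
2020-12-14T04:00:30 10.0.0.5 updates.example-cdn.test 402
2020-12-14T04:59:50 10.0.0.5 updates.example-cdn.test 409
2020-12-14T06:01:20 10.0.0.5 updates.example-cdn.test 400
2020-12-14T00:00:05 10.0.0.7 news.example.test 18233
2020-12-14T00:00:09 10.0.0.7 news.example.test 54210
2020-12-14T00:00:40 10.0.0.7 news.example.test 9020
2020-12-14T02:17:03 10.0.0.7 news.example.test 77012
2020-12-14T02:17:05 10.0.0.7 news.example.test 12003
2020-12-14T05:45:00 10.0.0.7 news.example.test 30450
2020-12-14T05:45:02 10.0.0.7 news.example.test 4400
"""


def parse_log(text):
    """Return {(src, dst): [sorted timestamps]} from the constructed format."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _size = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    for key in flows:
        flows[key].sort()
    return flows


def beacon_score(timestamps):
    """Return (mean interval in seconds, coefficient of variation of intervals).

    A low coefficient of variation means the contacts are evenly spaced,
    which is what a fixed sleep timer plus small jitter produces.  Returns
    None when there are too few contacts to judge spacing.
    """
    if len(timestamps) < 4:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
    return mean, cv


def find_beacons(flows, min_contacts=4, max_cv=0.2, min_interval=600):
    """Flag flows that are regular (cv <= max_cv) and slow (mean >= min_interval s).

    The thresholds are assumptions to tune per environment, not published
    values; a real deployment would also whitelist known update/telemetry hosts.
    """
    hits = []
    for (src, dst), ts in flows.items():
        if len(ts) < min_contacts:
            continue
        mean, cv = beacon_score(ts)
        if cv <= max_cv and mean >= min_interval:
            hits.append({"src": src, "dst": dst, "contacts": len(ts),
                         "mean_interval_s": round(mean), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(hit)
```

Run as-is it reports only the 10.0.0.5 flow, whose hourly contacts vary by a few minutes (coefficient of variation near 0.03), while the bursty browsing host is ignored because its gaps range from seconds to hours. The interval and regularity cut-offs are starting points; legitimate agents such as update checkers beacon too, so the output is a triage list to correlate with what software actually runs on the source host, not a verdict.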
Tehila urged organizations to update their Microsoft software and follow the DHS recommendations to shut down SolarWinds software and quarantine parts of networks where the software is installed.
Microsoft, which says its own networks were not breached, was able to find that its products were compromised “because they have world-class capabilities to discover these kinds of issues,” said Eric Noonan, CEO of CyberSheath, a Reston, Va.-based cybersecurity company. “But the reality is most breached organizations don’t have the capabilities or resources to investigate this and will find out they were hacked through third parties at a later time.”
Noonan compared the situation to “smelling smoke in your house and getting everyone out, compared to waking up to fire engines at three in the morning.”
This cyber attack “will likely rank as one of the worst (very possibly the worst ever) in the last decade given the targeted and cyber espionage nature of this attack,” said Daniel Ives, an analyst with Wedbush Securities, in a note to investors Friday.
Compounding the repercussions is that private employers and federal agencies across the U.S. currently have millions of employees working from home.
“This breach could not have come at a worse time with nearly all government agencies as well as enterprises having employees work from home likely until at least mid 2021 and accessing applications/data from ubiquitous endpoints globally,” Ives said.
Contributing: Bart Jansen and Jessica Guynn