(Bloomberg) — It was clear from the start that a cyber attack by suspected Russian hackers aimed at several U.S. government agencies was going to be bad. One clue: National Security Advisor Robert O’Brien cut short a trip overseas early this week to rush back to Washington to help manage the crisis.
But on Thursday, the reality of just how sprawling — and potentially damaging — the breach might be came into sharper focus. It started with a bulletin from the U.S. Cybersecurity and Infrastructure Security Agency, known as CISA, warning that the hackers were sophisticated, patient and well-resourced, representing a “grave risk” to federal, state and local governments as well as critical infrastructure and the private sector. It didn’t take long to see how accurate the agency’s assessment was.
Bloomberg News reported that at least three state governments were hacked. That was followed by reports of other breaches: the city network in Austin, Texas, and the U.S. nuclear weapons agency. Late in the day software giant Microsoft Corp. said its systems were exposed.
The U.S. Department of Energy and its National Nuclear Security Administration, which maintains the country’s nuclear stockpile, said that the malware was isolated to business networks and didn’t affect national security functions.
Nonetheless, the effect of Thursday’s revelations was confirmation that no single person or agency — including the highest reaches of the U.S. government — is certain of exactly what the hackers had infiltrated, let alone the full extent of what was taken. A Kremlin official has denied the allegations.
President-elect Joe Biden interrupted a series of high-profile appointment announcements to weigh in: “I want to be clear: my administration will make cybersecurity a top priority at every level of government – and we will make dealing with this breach a top priority from the moment we take office.”
So far, President Donald Trump hasn’t commented on the attack, though some members of Congress issued chilling statements, if few actual details.
“We already know enough about the hack to know that it’s deeply damaging and dangerous,” Representative Adam Schiff, chairman of the House Intelligence Committee, said on Thursday.
The hackers installed what is known as a backdoor in widely used software from Texas-based SolarWinds Corp., whose customers include myriad government agencies and Fortune 500 companies. That malicious backdoor, which was installed by some 18,000 SolarWinds customers, allowed the hackers access to their computer networks.
The suspected Russian hackers had neither the time nor the inclination to raid the computers of all 18,000 customers, so they focused on targets of high value to one of the West’s most pernicious adversaries. U.S. authorities — and governments around the world — are only now beginning to uncover who was unlucky enough to get the hackers’ full attention.

For investigators, the identification of breached agencies — a list that includes the State, Treasury and Commerce departments as well as the Department of Homeland Security — is only the first step. The harder part is determining what the hackers stole while they were roaming through the networks.
On Thursday, CISA, the U.S. cyber agency, suggested there could be an entirely different batch of victims beyond SolarWinds’ customers. The agency said it had evidence that SolarWinds’ Orion software wasn’t the only “access vector” used by the hackers, meaning they could have had other methods of penetrating computer networks.
The Russian attack was uncovered this month after cybersecurity firm FireEye Inc. discovered that its computers had been rifled. Microsoft executives said Thursday that a number of cybersecurity companies were among those hacked. That matches a government assessment that such firms were high on the alleged Russian hackers’ priority list, according to a person familiar with the inquiry.

The U.S. is examining the possibility that the hackers were hoping to use their access inside cybersecurity firms to pull off operations similar to SolarWinds — that is, adding manipulated code to the updates those companies regularly send to clients, according to a person familiar with the government’s investigation. Those probes are in early stages, however, and it’s unclear whether the hackers were successful in any of the cases.
Microsoft on Thursday said it detected the backdoor in SolarWinds’ software in its “environment” and had “isolated and removed” it. The company said none of its customer data nor its products were accessed or used to further attacks on others, denying a Reuters report.
In a blog post, Microsoft said it had identified more than 40 customers that the hackers had “targeted more precisely and compromised,” including “security and other technology firms,” think tanks and government contractors, in addition to government agencies. Of the victims, 80% are located in the U.S. while the others are in seven other countries: Canada, Mexico, the U.K., Belgium, Spain, Israel and the United Arab Emirates. Microsoft said it expects the number and locations of victims to keep growing.
Federal officials are trying to get a handle on the situation, with senior staff convening daily to coordinate a response to the breach, a Trump administration official said. On Wednesday, they triggered key parts of a cyber-emergency playbook meant to direct government efforts during a crisis. Among other things, that included convening what’s known as a Cyber Unified Coordination Group, which makes it easier to involve private companies like telecommunications firms and big tech providers in the government’s response.
If the hackers had been wandering around sensitive U.S. networks for only a few weeks, all of this would be less of a problem. Instead, the breaches began as long ago as March. That means U.S. officials now face the sobering prospect that foreign hackers had access to many sensitive computer systems for as long as nine months.

With little understanding of exactly how bad the breach of the U.S. government is, members of a consortium of major financial firms that share data on security incidents with the government began considering limiting those communications, a person familiar with the deliberations said.

The executive, whose firm is a member of the Financial Services Information Sharing and Analysis Center, known as FS-ISAC, said in a phone call with senior leadership and executives on Wednesday that members expressed concern that the alleged Russian hackers might be able to steal anything sent to the government. But the group hadn’t yet made a decision on whether or how to limit the information they share, the person said.
Steve Silberstein, the group’s chief executive officer, didn’t directly address whether they were considering limiting information sharing with the government. “The U.S. government does not enjoy privileged access to or control over FS-ISAC or any of its platforms,” he said, adding that the group wasn’t impacted by the SolarWinds backdoor.
©2020 Bloomberg L.P.