The review could set the stage for possible retaliatory actions like enacting sanctions or expulsion of Russian intel officers in the US, three people familiar with the matter told Bloomberg.
Now that the intelligence review is complete, the US could respond by “singling out people close to Russian President Vladimir Putin as well as agencies linked to election interference,” Bloomberg reported.
In January, a joint US intelligence task force issued a rare initial public statement on the SolarWinds hack, saying it was “likely Russian in nature,” Insider’s Azmi Haroun reported.
Last month, a declassified report from the Office of the Director of National Intelligence said Russia was among the countries that authorized covert influence operations aimed at altering the outcome of the 2020 election, which ended up being unsuccessful, according to Insider’s Sonam Sheth.
Representatives from the White House did not immediately respond to Insider’s request for comment. A spokesperson for the State Department declined to comment.
White House Press Secretary Jen Psaki confirmed the review in a press briefing on January 21, saying it was intended “to hold Russia to account for its reckless and adversarial actions.”
“And to this end, the President is also issuing a tasking to the intelligence community for its full assessment of the SolarWinds cyber breach, Russian interference in the 2020 election, its use of chemical weapons against opposition leader Alexei Navalny, and the alleged bounties on US soldiers in Afghanistan,” Psaki said during the press briefing.
The US Senate is questioning the chief executives of SolarWinds and other tech firms in a hearing Tuesday after unknown attackers, with suspected links to Russia, infiltrated the company’s software last year, compromising thousands of organizations including major federal agencies.
SolarWinds is joined in the hearing by FireEye, the cybersecurity firm that first discovered the malware in December, as well as Microsoft, whose president, Brad Smith, is present at the proceedings. CrowdStrike CEO George Kurtz will also testify; his cybersecurity firm was apparently able to stave off the hackers.
The cyberattack began in March of last year and went undetected for months. SolarWinds told the SEC that about 18,000 of its 300,000 clients were targeted in the attack. High-level government data was left exposed – the Trump administration confirmed in December that hackers had indeed infiltrated key networks, including the US Treasury and the Commerce Department.
Fortune 500 companies – including Microsoft, AT&T, and McDonald’s – were among SolarWinds’ vulnerable customer base. Microsoft has said its products, including its Office 365 suite and Azure cloud, were not used in the hack, but they were targeted, with the attackers making off with some of its source code. And FireEye researchers say the hackers appear to be able to send emails and access calendars on Microsoft’s 365 suite.
You can watch the live stream below. Follow along here for live updates from the hearing.
Chairman Mark Warner said the committee invited Amazon to attend the hearing but the company declined
Sen. Warner kicked off the hearing and noted that Amazon declined the Senate’s invitation to testify in Tuesday’s hearing. Sen. Marco Rubio also touched on the company’s lack of participation and said, “it would be most helpful in the future if they actually attended these hearings.” Amazon did not immediately respond to Insider’s request for comment.
Microsoft president Brad Smith said the attack’s full scope is still unfolding
In his opening statement, Smith said there’s much that we still don’t know regarding the extent of the cyberattack and that there must be reform to the relationship between Silicon Valley’s cybersecurity arm and the federal government. He also said he believes that Russia is behind the attack.
FireEye CEO Kevin Mandia used his opening statement to describe the attack as “exceptionally hard to detect” and later said that this was a planned hack. “The question is where’s the next one? And where are we going to find it?” Mandia said.
Microsoft’s Smith believes all the evidence points to Russia
Smith said earlier that “at this stage we’ve seen substantial evidence that points to the Russian foreign embassy and we’ve seen no evidence that points to anyone else.”
Mandia and CrowdStrike CEO George Kurtz agreed that the attacker was a nation-state actor. However, neither confirmed who they thought was exactly behind it. Mandia did say that his company analyzed forensics and found that it’s “most consistent with espionage and behaviors we’ve seen out of Russia.”
The White House may respond to the SolarWinds hacks within weeks, a senior administration official said on CNN.
Jake Sullivan, national security advisor, told CNN’s Christiane Amanpour that President Joe Biden’s administration may respond “weeks from now.” Sullivan said it would consider new sanctions, as one of a “broad range of responses.”
In January, a joint US intelligence task force issued a statement saying the hack was “likely Russian in nature.”
“We believe we can go further than that,” Sullivan said on Friday.
He added: “We are in the process of working through, with the intelligence community, and his national security team, a series of steps to respond to SolarWinds, including steps that will hold who we believe is responsible for this accountable, and you will be hearing about this in short order.”
On Wednesday, Anne Neuberger, deputy national security advisor for cyber and emerging technology, said the US intelligence community is still “looking at who is responsible,” but that it was likely of Russian origin.
She said at least nine federal agencies and 100 private companies were compromised. She added that the response might be “several months” away, a longer timeline than Sullivan gave.
“The hackers launched the hack from inside the United States, which further made it difficult for the US government to observe their activity. Even within federal networks, a culture and authorities inhibit visibility, which is something we need to address,” said Neuberger in the White House Briefing Room.
The government’s response so far has focused on removing the hackers, improving cybersecurity, and considering how to respond, she said.
The same group that breached IT software company SolarWinds last year has hacked cybersecurity firm Malwarebytes, ZDNet reported, adding to the growing list of major security firms targeted by the group.
Malwarebytes said hackers used a weakness in Azure Active Directory and malicious Office 365 applications to breach the company’s internal systems, according to ZDNet. The company said the situation was not related to the SolarWinds breach, as Malwarebytes doesn’t use any of SolarWinds’ systems.
The SolarWinds hack last year was a “supply chain attack” that led to breaches at US government agencies and other businesses. SolarWinds, FireEye, Microsoft, CrowdStrike and now Malwarebytes have all been targeted by UNC2452/Dark Halo, a group US agencies have said the Russian government is behind.
Malwarebytes was not immediately available for Insider’s request for comment.
Malwarebytes learned of the breach on December 15 from the Microsoft Security Response Center and has since investigated the matter. The company’s CEO Marcin Kleczynski told ZDNet the hacker only gained access to a limited subset of internal company emails and added that the “software remains safe to use.”
SolarWinds, a major US information technology firm, was the subject of a cyberattack that spread to its clients and went undetected for months, Reuters first reported last week. Foreign hackers, who some top US officials believe are from Russia, were able to use the hack to spy on private companies like the elite cybersecurity firm FireEye and the upper echelons of the US Government, including the Department of Homeland Security and Treasury Department.
Here’s a simple explanation of how the massive breach happened, and why it matters.
An unusual hack
Earlier this year, hackers secretly broke into Texas-based SolarWinds’ systems and added malicious code to the company’s software. The product, called “Orion,” is widely used by companies to manage IT resources. SolarWinds has 33,000 customers that use Orion, according to SEC documents.
Most software providers regularly send out updates to their systems, whether it’s fixing a bug or adding new features. SolarWinds is no exception. Beginning as early as March, SolarWinds unwittingly sent out software updates to its customers that included the hacked code.
The code created a backdoor into customers’ information technology systems, which hackers then used to install even more malware that helped them spy on companies and organizations.
SolarWinds told the SEC that up to 18,000 of its customers installed updates that left them vulnerable to hackers. Since SolarWinds has many high profile clients, including Fortune 500 companies and multiple agencies in the US government, the breach could be massive.
US agencies, including parts of the Pentagon, the Department of Homeland Security, the State Department, the Department of Energy, the National Nuclear Security Administration, and the Treasury were attacked. So were private companies, like Microsoft, Cisco, Intel, and Deloitte, and other organizations like the California Department of State Hospitals, and Kent State University, the Wall Street Journal reported.
And since the hack was done so stealthily, and went undetected for months, security experts say that some victims may never know if they were hacked or not, the Wall Street Journal reported.
At the Treasury Department, hackers broke into dozens of email accounts and networks in the Departmental Offices of the Treasury, “home to the department’s highest-ranking officials,” Senator Ron Wyden said. The IRS hasn’t found any evidence of being compromised, he added. Treasury Secretary Steven Mnuchin said on CNBC that the hackers have only accessed unclassified information, but the department is still investigating the extent of the breach.
Federal investigators and cybersecurity experts say that Russia’s Foreign Intelligence Service, known as the SVR, is probably responsible for the attack. Russian intelligence was also credited with breaking into the email servers of the White House, the State Department, and the Joint Chiefs of Staff in 2014 and 2015. Later, the same group attacked the Democratic National Committee and members of the Hillary Clinton presidential campaign.
Not only is the breach one of the largest in recent memory, but it also comes as a wake-up call for federal cybersecurity efforts. The US Cyber Command, which receives billions of dollars in funding and is tasked with protecting American networks, was “blindsided” by the attack, the New York Times reported. Instead, a private cybersecurity firm called FireEye was the first to notice the breach, when it discovered that its own systems had been hacked.
Finally, the hack could accelerate broad changes in the cybersecurity industry. Companies are turning to a new approach of assuming that breaches have already occurred, rather than merely reacting to attacks after they are found, Business Insider previously reported. And the US government may reorganize its cybersecurity efforts by making Cyber Command independent from the National Security Agency, the Associated Press reported.
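The two defensive lessons in the explainer above, that a vendor-signed update can still carry an implant inserted before signing, and that an “assume breach” posture means watching what the management server does after the update lands, are illustrated in the following added example. It is not SolarWinds or Orion code and does not use the real Orion update format: the package files, the manifest layout, the HMAC key standing in for a vendor code-signing key, the egress log format and every host name in it are constructed for this example.

```python
import hashlib
import hmac
import re

# Constructed sample data: a tiny "update package" of two files plus a manifest
# listing their SHA-256 digests. The vendor signs the manifest; an HMAC key
# stands in here for the vendor's code-signing key (assumption for the example).
VENDOR_SIGNING_KEY = b"example-vendor-key-not-real"

PACKAGE_FILES = {
    "Orion.Core.dll": b"legitimate component bytes",
    # Trojanized at build time, i.e. before the vendor signed the release.
    "Orion.Helper.dll": b"component carrying an unwanted backdoor stub",
}


def build_manifest(files):
    """Produce the manifest the vendor would publish: one 'sha256  name' line per file."""
    lines = []
    for name in sorted(files):
        digest = hashlib.sha256(files[name]).hexdigest()
        lines.append(f"{digest}  {name}")
    return "\n".join(lines) + "\n"


def sign_manifest(manifest, key):
    """Vendor-side signing step (HMAC-SHA256 as a stand-in for a code signature)."""
    return hmac.new(key, manifest.encode(), hashlib.sha256).hexdigest()


def verify_update(files, manifest, signature, key):
    """Return True when the signature is valid and every file matches its digest.

    This is the check a customer runs before installing. It rejects anything
    altered after signing, but it passes for a build implanted *before* signing:
    the key vouches for the package's origin, not for a clean build pipeline.
    """
    expected = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected, signature):
        return False
    listed = {}
    for line in manifest.splitlines():
        digest, name = line.split("  ", 1)
        listed[name] = digest
    if set(listed) != set(files):
        return False
    return all(hashlib.sha256(files[n]).hexdigest() == listed[n] for n in files)


# Constructed egress log from the host running the IT management software.
# Assumed format: "<timestamp> <src-host> -> <dst-host>:<port>"
EGRESS_LOG = """\
2020-06-01T03:12:05Z orion-srv -> updates.vendor.example:443
2020-06-01T03:12:09Z orion-srv -> ntp.internal.example:123
2020-06-01T03:14:41Z orion-srv -> unknown-host.example:443
2020-06-01T03:20:00Z orion-srv -> updates.vendor.example:443
"""

# Destinations a management server has a documented reason to reach.
EXPECTED_DESTINATIONS = {"updates.vendor.example", "ntp.internal.example"}

LINE_RE = re.compile(r"^(\S+) (\S+) -> ([^:\s]+):(\d+)$")


def unexpected_egress(log_text, allowlist):
    """Return (timestamp, destination, port) for each connection to a host off the allowlist."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the sweep
        ts, _src, dst, port = m.groups()
        if dst not in allowlist:
            findings.append((ts, dst, int(port)))
    return findings


if __name__ == "__main__":
    manifest = build_manifest(PACKAGE_FILES)
    sig = sign_manifest(manifest, VENDOR_SIGNING_KEY)
    # True: a pre-signing implant sails through signature and digest checks.
    print("update verifies:", verify_update(PACKAGE_FILES, manifest, sig, VENDOR_SIGNING_KEY))
    for finding in unexpected_egress(EGRESS_LOG, EXPECTED_DESTINATIONS):
        print("unexpected egress from management host:", finding)
```

The first half shows why integrity checks alone did not protect Orion customers: the package verifies cleanly because the implant was part of what the vendor signed. The second half is the kind of control that does help, a per-host allowlist of outbound destinations for servers that manage the rest of the network, so that a management host talking to an unfamiliar destination becomes a finding rather than background noise.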
Chris Krebs, the former head of the Cybersecurity and Infrastructure Security Agency, said on Sunday the massive SolarWinds cybersecurity attack appears to be linked to Russia.
“Everything I’ve heard, whether it’s from private sector cybersecurity threat and intelligence experts, things I have heard out of Congress – it’s Russia,” Krebs said on CNN’s “State of The Union” Sunday.
Krebs warned that the scale of the cybersecurity breach was “probably more broad” than the hacking of SolarWinds, but said he would “be very careful about escalating” when asked if the US should retaliate.
Chris Krebs, former head of the Cybersecurity and Infrastructure Security Agency, said the massive SolarWinds cybersecurity attack appears to be linked to Russia, but the US should be cautious in its response.
Cybersecurity researchers said last week that from as early as March, hackers compromised software company SolarWinds’ system to spy on its clients, Business Insider’s Aaron Holmes previously reported. The company’s customers include key government agencies such as the White House, the Pentagon, and the US Treasury Department.
“Everything I’ve heard, whether it’s from private sector cybersecurity threat and intelligence experts, things I have heard out of Congress – it’s Russia,” Krebs said on CNN’s “State of The Union” on Sunday. “They’re exceptionally good at this.”
Secretary of State Mike Pompeo said on Friday that “we can say pretty clearly that it was the Russians that engaged in this activity,” and as The Washington Post reported, others familiar with the matter have attributed the cybersecurity attacks to Russia as well. However, President Donald Trump on Saturday contradicted these statements in a series of tweets, suggesting “the possibility that it may be China,” Business Insider’s John Dorman reported.
Krebs said the US is “just getting our arms around the scope of this cyber-compromise,” and the scale of this breach is “probably more broad” than SolarWinds.
He also doubled down that the culprit behind the attacks was Russia, adding: “the Russian intelligence service, the SVR, they’re really the best of the best out there.”
However, when pressed by host Jake Tapper about whether the US should retaliate against Russia, Krebs cautioned he would “be very careful about escalating this.”
“I think there needs to be a conversation globally, internationally across like-minded countries about what is acceptable,” he added.
Krebs was fired from his role as the head of CISA last month not long after he publicly pushed back against Trump’s baseless claims of voter fraud in the election, Business Insider’s Sonam Sheth reported.
News surfaced earlier this month that the IT firm SolarWinds suffered a hack when bad actors launched malware in the company’s software, which was later distributed to some of its 300,000 clients. Microsoft and AT&T are among its customer base.
Ousted US cybersecurity official Chris Krebs warned on Twitter Saturday not to confuse voting system security with the massive SolarWinds hack.
“Do not conflate voting system security and SolarWinds,” tweeted Krebs, who served as US Cybersecurity and Infrastructure Security Agency Director until late November. “The proof is in the paper. You can audit or recount again to confirm the outcome. Like they did in Georgia. And Michigan. And Wisconsin. And Arizona. Can’t hack paper.”
“There could also have been a hit on our ridiculous voting machines during the election, which is now obvious that I won big, making it an even more corrupted embarrassment for the USA,” Trump tweeted. Twitter placed a warning label on the tweet, which read: “Election officials have certified Joe Biden as the winner of the U.S. Presidential Election.”
Presidential electors in all 50 states confirmed on Monday that Joe Biden indeed earned over 270 Electoral College votes, confirming that he won the 2020 election and will be the next president of the United States.
Trump fired Krebs in late November after the cybersecurity official said there was “no manipulation of the vote on the machine-count side,” even after states like Georgia recounted votes by hand.
“The proof is in the ballots,” Krebs said on a “60 Minutes” segment. “The recounts are consistent with the initial count.”
News surfaced in early December that IT company SolarWinds suffered an attack that has been confirmed to have infiltrated US government agencies. The hackers were able to spy on companies and federal agencies since March, when they secretly launched malware in software that was handed out to some of the firm’s 300,000 clients. It’s unclear which of the firm’s clients were affected, but its customer base includes big industry names like Microsoft and AT&T.
The Trump administration acknowledged that the hackers gained access to official networks, and the Department of Homeland Security and the State Department are also victims of the attack.
Security researchers are now working to identify weak points in SolarWinds’ security system that could have enabled the hack. One researcher told Reuters that he warned the company in 2019 that its “solarwinds123” password for its server could be accessed by anyone.
“This could have been done by any attacker, easily,” researcher Vinoth Kumar told the outlet.
Russia was “pretty clearly” behind a massive SolarWinds cyberattack that targeted several US government agencies, Secretary of State Mike Pompeo said on Friday.
Speaking on the “Mark Levin Show”, Pompeo said there was “a significant effort to use a piece of third-party software to essentially embed code inside US government systems,” according to the BBC.
“We can say pretty clearly that it was the Russians that engaged in this activity,” Pompeo said, NBC reported. “I can’t say much more as we’re still unpacking precisely what it is, and I’m sure some of it will remain classified.”
“This was a very significant effort, and I think it’s the case that now we can say pretty clearly that it was the Russians that engaged in this activity,” he added.
The massive national security breach, which targeted software made by firm SolarWinds, was discovered last week but had been going on for months.
“We will elevate cybersecurity as an imperative across the government, further strengthen partnerships with the private sector, and expand our investment in the infrastructure and people we need to defend against malicious cyberattacks,” he said on Thursday.
A massive cyber attack reportedly executed by a Russian intelligence agency put thousands of companies and US government agencies at risk of being spied on or having data stolen for up to nine months.
The software firm SolarWinds was breached earlier this year when hackers broke into its system and inserted malicious code into one of its software platforms. Customers who updated their software from March to June added the malware to their networks, giving the hackers a backdoor into their systems.
SolarWinds has hundreds of thousands of clients across the globe, including government agencies and most Fortune 500 companies. The company said up to 18,000 of its customers downloaded the software update that contained the malicious code.
Investigating the extent of the cyberattacks may take years, but some organizations have already emerged as compromised, meaning the hackers had potential access to their networks. But it will take long-term investigations for some firms and agencies to determine what data, if any, were stolen or manipulated.
Here’s a list of the major US agencies and firms that were reportedly breached:
Department of State
The State Department is among the US agencies said to have been breached, The Washington Post first reported. Russians had also hacked into part of the department’s system in 2014.
Department of Homeland Security
Reuters first reported the breach at the Department of Homeland Security, the agency responsible for cybersecurity, border security, and, recently, the distribution of the coronavirus vaccine. The department’s Cybersecurity and Infrastructure Security Agency also oversaw the secure presidential election last month.
National Institutes of Health
The Post also reported the National Institutes of Health, housed in the Department of Health and Human Services, was also compromised. Reports emerged in the summer that the SVR, a Russian intelligence agency, had targeted the COVID-19 vaccine research.
Department of Defense
Parts of the Pentagon, the headquarters of the Department of Defense, were breached, an unnamed US official reportedly told The New York Times. The official said the extent of the attack was unknown.
Department of Energy
Politico reported the Energy Department, including its National Nuclear Security Administration, was subject to the cyber attack. In a statement, a spokesperson said the breach was “isolated to business networks only,” and did not impact national security functions of the department, which includes managing the nuclear weapons stockpile.
Department of the Treasury
The Treasury Department, which manages national finances, was among the first confirmed breaches of the federal government, Reuters reported. Hackers were reportedly spying on internal emails, but the extent of the attack is still unknown.
Department of Commerce
The Commerce Department was also one of the first agencies to have confirmed a breach. Sources told Reuters hackers also appeared to be spying on department emails.
State and local governments
Sources told Bloomberg that up to three state governments were hit by the attack, though they did not name which states. The Intercept reported that the network of the city of Austin, Texas was also breached.
Microsoft
Microsoft confirmed Thursday it was compromised in the cyberattack. Reuters initially reported the breach may have made the tech giant’s customers vulnerable, but Microsoft denied this. The company said there is no evidence its products or customer data were targeted.
FireEye
FireEye, one of the world’s leading cybersecurity firms, announced on December 8 that its systems had been hacked by a nation-state, marking the first discovery of the sweeping cyberattack.
Lawmakers heard from the Department of Homeland Security, the Federal Bureau of Investigation, and the Office of the Director of National Intelligence in a classified meeting today regarding the SolarWinds hack.
A statement issued afterwards said that, “Administration officials were unwilling to share the full scope of the breach and identities of the victims.”
President Trump has largely stayed silent in what is being analyzed as one of the most sophisticated hacks targeting the US government in history.
In a classified meeting on Friday, lawmakers from the House Homeland Security and Oversight Committees received a briefing on the known extent of the mass hacking campaign against the US government.
Lawmakers heard from the Department of Homeland Security, the Federal Bureau of Investigation, and the Office of the Director of National Intelligence.
In a statement issued afterward, the committees’ chairs said that after hearing from the Trump Administration, “we are left with more questions than answers.” The statement added that “Even in the midst of an unprecedented cyberattack with far-reaching implications for our national security, Administration officials were unwilling to share the full scope of the breach and identities of the victims.”
The committees stressed the severity of the hack and called for the administration to give Congress a fuller picture. The statement said that the US government’s network defenses “do not match the constantly evolving capabilities of our adversaries,” adding that the committees need “the Administration to tell Congress what resources and authorities they need to ensure this does not happen again.”
The committees’ chairs called on the agencies to deliver an in-person briefing on Capitol Hill as soon as possible.
After leaving the briefing, the House Subcommittee on National Security Chairman Stephen Lynch, told reporters, “this hack was so big in scope that even our cybersecurity experts don’t have a real sense yet in terms of the breadth of the inclusion itself.” Lynch added that “there are as many as 18,000 individual entities, both private and government, that have been compromised,” and that vetting would take time.
A Republican member of the House Oversight and Reform Committee, Rep. Bob Gibbs, told reporters, “I’m not too impressed with the confidence of our cybersecurity people.”
House Committee on Oversight and Reform member Rep. Jamie Raskin, a Democrat, said, “There’s a lot more that we don’t know than what we do know. I’m hopeful the government will learn exactly how this was perpetrated on us and what is the full scope of the damage.”
Others shared their disappointment and mounting concern.
House Homeland Security Committee Chairman Bennie Thompson said, “It was telephonic and it just didn’t give us what we wanted. They offered to come next week. We said next week? Are you serious? We’ll invite them back tomorrow.”
House Oversight Committee Chairwoman Carolyn Maloney told reporters, “I am shocked. National security is the number one challenge and responsibility to protect our people. Every agency is compromised…It is serious. It is deep.”
The hack took place over the course of months via IT management software SolarWinds, which monitors servers in order to prevent outages. Hackers reportedly entered the system via patch updates made by SolarWinds in March and June. Over the last few weeks, virtually every US agency, including Defense, Treasury, Commerce, State, Energy, and the National Institutes of Health were targeted in the supply chain attack.
President Donald Trump has largely stayed silent in what is being analyzed as one of the most sophisticated hacks targeting the US government in history.