U.S. Cyber Agency: Computer Hack Poses 'Grave Risk'
Updated on Dec. 17 at 5:45 p.m. ET
The U.S. Cybersecurity and Infrastructure Security Agency on Thursday delivered an ominous warning about a major computer intrusion, saying it "poses a grave risk" to federal, state and local governments as well as private companies and organizations.
The Trump administration has said relatively little since the hack on government computers at multiple agencies was first announced last weekend.
But the CISA, which is part of the Department of Homeland Security, offered a broad overview in its latest comments. The agency noted the attack began around March and is still ongoing — meaning the malware that's been placed on computers may still be capturing valuable information.
In addition, CISA said that removing the malware will be "highly complex and challenging for organizations."
Russia's foreign intelligence service, the SVR, is believed responsible, according to cybersecurity experts who cite the extremely sophisticated nature of the attack. But the Trump administration has not formally blamed Russia, and Russia has denied involvement.
"How could I prove that I'm innocent if I didn't do it. Let's sit together. Let's discuss. Let's restart our dialogue," Russian Ambassador Anatoly Antonov said Wednesday in a Zoom call from the Russian Embassy in Washington.
U.S. intelligence agencies have started briefing members of Congress, and Sen. Richard Blumenthal, a Connecticut Democrat, said the information clearly pointed to Cozy Bear, a hacking group widely considered to be Russian foreign intelligence.
"Russia's cyberattack left me deeply alarmed, in fact downright scared. Americans deserve to know what's going on," Blumenthal said in one of several tweets related to the hack.
Blumenthal said he will be pushing to make more information public.
So far, the list of affected U.S. government entities reportedly includes the Commerce Department, the Department of Homeland Security, the Pentagon, the Treasury Department, the U.S. Postal Service and the National Institutes of Health.
In a statement Thursday, the Department of Energy acknowledged its computer systems had been compromised, though it said "at this point" its investigation shows the malware "isolated to business networks only, and has not impacted the mission essential national security functions of the Department, including the National Nuclear Security Administration."
Attention has focused on the breach of U.S. government networks, but the malware has also likely infected computers at thousands of private companies and organizations, according to government officials and cybersecurity experts.
The FBI, the Department of Homeland Security and the Office of the Director of National Intelligence announced Wednesday they have formed a special unified team, saying they will "coordinate a whole-of-government-response to this significant cyber incident."
President Trump hasn't made any public mention of the hack.
The hackers targeted software from SolarWinds, a company based in Austin, Texas. Many federal agencies and thousands of companies use SolarWinds' Orion software to monitor their computer networks.
CISA issued an emergency directive on Sunday, telling federal agencies "to immediately disconnect or power down affected SolarWinds Orion products from their network."
The incident is the latest in what has become a long list of suspected Russian electronic incursions into other nations – particularly the U.S. – under President Vladimir Putin. Multiple countries have previously accused Russia of using hackers, bots and other means in attempts to influence elections in the U.S. and elsewhere.
U.S. national security agencies made major efforts to prevent Russia from interfering in the 2020 election. But those same agencies seem to have been blindsided by the hackers who have had months to dig around inside U.S. government systems.
"It's as if you wake up one morning and suddenly realize that a burglar has been going in and out of your house for the last six months," said Glenn Gerstell, who was the National Security Agency's general counsel from 2015 to 2020.
Here's what we know about the attack:
Who was affected?
SolarWinds has some 300,000 customers, but it said "fewer than 18,000" installed the version of its Orion products that appears to have been compromised.
The victims include government, consulting, technology, telecom and other entities in North America, Europe, Asia and the Middle East, according to the security firm FireEye, which helped raise the alarm about the breach.
"We believe this is nation-state activity at significant scale, aimed at both the government and private sector," Microsoft said as it shared some details about what it called "the threat activity we've uncovered over the past weeks."
After studying the malware, FireEye said it believes the breaches were carefully targeted: "These compromises are not self-propagating; each of the attacks require meticulous planning and manual interaction."
How did the hack work?
Hackers exploited the way software companies distribute updates, adding malware to the legitimate package. Security analysts said the malicious code gave hackers a "backdoor" — a foothold in their targets' computer networks — which they then used to gain elevated credentials.
SolarWinds traced the "supply chain" attack to updates for its Orion network products between March and June.
"After an initial dormant period of up to two weeks, it retrieves and executes commands, called 'Jobs,' that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services," FireEye said.
The malware was engineered to be stealthy, operating in ways that would masquerade as normal activity, FireEye said. It added that the malicious software could also identify forensic and anti-virus tools that might threaten it. And it said the credentials it used to move within the system were "always different from those used for remote access."
After gaining access, Microsoft said, the intruder also made changes to ensure long-term access, by adding new credentials and using administrator privileges to grant itself more permissions.
FireEye is calling the "Trojanized" SolarWinds software Sunburst. It named another piece of malware – which it said had never been seen before — TEARDROP.
What are investigators doing now?
SolarWinds said it is cooperating with the FBI, the U.S. intelligence community and other investigating agencies to learn more about the malware and its effects. The company and security firms also said any affected agencies or customers should update to the latest software to lessen their exposure to the vulnerability.
Describing some of the detective work that's now taking place, Gerstell said, "You'd have to go back and look at every room to see what was taken, what might have been touched. And of course, that's just a horrifying thought."
The intruders were careful to cover their tracks, he said.
"You couldn't tell that they came in, you couldn't tell that they left the backdoor open. You couldn't even tell necessarily when they came in, took a look around and when they left."
Microsoft has now taken control of the domain name that hackers used to communicate with systems that were compromised by the Orion update, according to security expert Brian Krebs. That access can help reveal the scope of the hack, he said.
The intrusion could simply be a case of espionage, he said, of one government trying to understand what its adversary is doing.
This story was first published Dec. 15 and has been updated.
Copyright 2020 NPR. To see more, visit https://www.npr.org.