On election day, General Paul M. Nakasone, the country’s leading cyber warrior, reported that the fight against Russian interference in the presidential campaign had achieved great success, exposing the other side’s online weapons, tools and tradecraft.
“We have expanded our activities and we feel very good about where we are,” he told journalists.
Eight weeks later, General Nakasone and other American cybersecurity officials are now consumed by what they missed for at least nine months: a hacking, now believed to have affected more than 250 federal agencies and corporations, that Russia aimed not at the electoral system but at the rest of the United States government and many large American corporations.
Three weeks after the intrusion came to light, American officials are still trying to understand whether what the Russians were doing was simply a spying operation inside the systems of the American bureaucracy or something more sinister, inserting back-door access into government agencies, large corporations, the power grid and the laboratories that develop and transport new generations of nuclear weapons.
At the very least, it has raised alarms about the vulnerability of government and private sector networks in the United States to attack, and raised questions about how and why the country’s cyber defense has failed so spectacularly.
These questions have become particularly urgent because the breach was not detected by any of the government agencies jointly responsible for cyber defense – the military’s Cyber Command and the National Security Agency, both headed by General Nakasone, and the Department of Homeland Security – but by a private cybersecurity company, FireEye.
“This looks much, much worse than I first feared,” said Senator Mark Warner, Democrat of Virginia and senior member of the Senate Intelligence Committee. “The size is constantly growing. It is clear the US government missed it.”
“And if FireEye hadn’t happened,” he added, “I’m not sure we’d be fully aware of it by now.”
Interviews with key actors investigating the operation, attributed to the Russian S.V.R. intelligence service, revealed the following points:
The breach is much broader than initially assumed. Initial estimates suggested that Russia sent its probes into only a few dozen of the 18,000 government and private networks it gained access to when it inserted code into network management software made by a Texas company called SolarWinds. As companies like Amazon and Microsoft that offer cloud services dig deeper into the evidence, Russia now appears to have exploited multiple levels of the supply chain to gain access to up to 250 networks.
The hackers managed their intrusion from servers inside the United States, exploiting the legal prohibitions that keep the National Security Agency from engaging in domestic surveillance, and evaded the cyber defense mechanisms deployed by the Department of Homeland Security.
Early warning sensors placed deep in foreign networks by Cyber Command and the National Security Agency to detect brewing attacks have clearly failed. Nor is there yet any evidence that human intelligence agencies alerted the United States to the hacking.
The government’s emphasis on electoral defense, which was crucial in 2020, may have diverted resources and attention away from long-standing issues such as protecting the software “supply chain.” In the private sector, too, companies like FireEye and Microsoft, which had focused on election security, now show that they were breached as part of the larger attack on the supply chain.
SolarWinds, the company the hackers used as a conduit for their attacks, has had a history of poor security for its products, making it an easy target according to current and former government employees and investigators. Its chief executive, Kevin B. Thompson, who is leaving his job after eleven years, has sidestepped the question of whether his company should have recognized the intrusion.
Some of the compromised SolarWinds software was developed in Eastern Europe, and American investigators are currently examining whether the incursion originated there, where Russian intelligence officials are deeply rooted.
The intentions behind the attack remain hidden. But with a new government taking office in three weeks’ time, some analysts say, the Russians could be trying to shake Washington’s confidence in the security of its communications and to demonstrate their cyber arsenal in order to gain leverage over President-elect Joseph R. Biden Jr. ahead of nuclear weapons talks.
“We still don’t know what Russia’s strategic goals were,” said Suzanne Spaulding, who was a senior cyber officer in the Department of Homeland Security during the Obama administration. “However, we should be concerned that some of this may go beyond reconnaissance. Their goal could be to put themselves in a position to influence the new government, such as holding a gun to our head to prevent us from counteracting Putin.”
Growing hit list
The US government was clearly at the center of the attack, with the Treasury Department, State Department, Department of Commerce, Department of Energy and parts of the Pentagon confirmed by officials as having been infiltrated. (The Department of Defense insists that the attacks on its systems were unsuccessful, even though it did not provide evidence.)
But the hacking has also hurt a large number of companies, many of which have not yet come forward. SolarWinds is believed to be one of several supply chain providers Russia used in the hacking. Microsoft, which had identified 40 victims by Dec. 17, initially said it had not been breached, only to find out this week that it was – and that resellers of its software were as well. A previously unreported assessment from Amazon’s intelligence team found the victim count may have been five times higher, although officials warn that some of them may be counted twice.
In public, officials have said they do not believe the hackers of the Russian S.V.R. pierced classified systems holding sensitive messages and plans. But privately, officials say they still don’t have a clear picture of what may have been stolen.
They said they were concerned about sensitive but unclassified data the hackers may have obtained from victims such as the Federal Energy Regulatory Commission, including Black Start, the detailed technical blueprints for how the US would restore power in the event of a catastrophic blackout.
The plans would give Russia a hit list of systems to target in order to prevent power restoration in an attack like the one in Ukraine in 2015, which shut off power for six hours in the dead of winter. Moscow planted malware on America’s power grid long ago, and the United States did the same to Russia as a deterrent.
A supply chain at risk
One focus of the investigation so far has been SolarWinds, the Austin-based company whose software updates the hackers compromised.
However, the Department of Homeland Security’s cybersecurity division has concluded that the hackers were working through other channels as well. And last week, CrowdStrike, another security company, announced that it had also been attacked, unsuccessfully, by the same hackers, but through a company that sells Microsoft software.
Because resellers are often tasked with setting up customer software, they – like SolarWinds – have extensive access to Microsoft customer networks. As a result, they can be an ideal Trojan horse for Russia’s hackers. Intelligence officials have expressed anger that Microsoft did not discover the attack sooner. The company, which announced Thursday that the hackers had viewed its source code, did not disclose which of its products were affected or how long hackers had been on its network.
“They targeted the weakest points in the supply chain and our most trusted relationships,” said Glenn Chisholm, founder of Obsidian Security.
Interviews with current and former SolarWinds employees suggest security was a low priority, even as the software was adopted by America’s leading cybersecurity company and by federal agencies.
Employees say that under Mr. Thompson, a trained accountant and former chief financial officer, every part of the business was screened for cost savings, and common security practices were avoided because of their cost. His approach helped triple SolarWinds’ annual profit from $152 million in 2010 to over $453 million in 2019.
Some of these measures may have placed the company and its customers at greater risk of attack. SolarWinds relocated much of its engineering to satellite offices in the Czech Republic, Poland and Belarus, where engineers had full access to the Orion network management software compromised by Russian agents.
The company has said only that its software was tampered with by human hackers rather than by a computer program. The possibility that an insider was involved in the breach has not been publicly addressed.
None of the SolarWinds customers contacted by the New York Times in the past few weeks knew they depended on software that was serviced in Eastern Europe. Many said they didn’t even know they were using SolarWinds software until recently.
Even though, according to SolarWinds, its software is installed across federal networks, employees say the company only tackled security in 2017, under threat of penalties from a new European data protection law. Only then, according to the employees, did SolarWinds hire its first chief information officer and appoint a vice president for “security architecture.”
Ian Thornton-Trump, a former cybersecurity advisor at SolarWinds, said he warned management earlier this year that a cybersecurity episode would be “catastrophic” unless a more proactive approach to internal security was taken. After his basic recommendations were ignored, Mr. Thornton-Trump left the company.
SolarWinds declined to answer questions about the adequacy of its security. A statement said it was a “victim of an advanced, complex and targeted cyber attack” and worked closely with law enforcement, intelligence and security experts to investigate.
However, security experts note that it took days after the Russian attack was discovered for SolarWinds’ websites to stop serving customers with compromised code.
Attack over defense
Billions of dollars in cybersecurity budgets have been poured into offensive espionage and prevention programs in recent years, under what General Nakasone calls the need to “defend” by hacking into adversaries’ networks in order to get an early look at their operations and, if necessary, counteract them inside their own networks before they can attack.
This approach, hailed as an overdue strategy for preventing attacks, failed to detect the Russian breach.
According to FireEye, the Russians took advantage of the restrictions on the National Security Agency by staging their attacks from servers in the United States and, in some cases, using computers in the same city as their victims. Congress has not empowered the agency or Homeland Security to enter or defend private sector networks. In those networks, S.V.R. operatives were less cautious and left clues of their tampering that FireEye could ultimately find.
By piggybacking on SolarWinds’ Orion update and using custom tools, they also avoided triggering alarms in the Einstein detection system that Homeland Security deployed across government agencies to detect known malware, and in what is known as the C.D.M. program, designed specifically to alert agencies to suspicious activity.
Some intelligence officials have questioned whether the government was so focused on election interference that it left openings elsewhere.
The intelligence services concluded months ago that Russia had determined it could not infiltrate enough electoral systems to affect the outcome of the elections, and instead turned its attention to ransomware attacks that could disrupt voting and to influence operations aiming to sow discord, cast doubt on the systems’ integrity and change the minds of voters.
The SolarWinds hacking that began back in October 2019 and the infiltration of Microsoft’s resellers gave Russia the opportunity to attack the most vulnerable, least defended networks of several federal agencies.
General Nakasone declined to be interviewed. However, a spokesman for the National Security Agency, Charles K. Stadtlander, said, “We do not see this as an either/or compromise. The actions, insights, and new frameworks created during the election security effort are having a profound positive impact on the cybersecurity posture of the nation and the US government.”
Indeed, the United States appears to have succeeded in convincing Russia that attacking a vote would result in costly retaliation. But as the extent of the intrusion comes into focus, it is clear that the American government has failed to convince Russia that there would be a comparable consequence for carrying out extensive hacking on federal and corporate networks.
Get the hackers out
Intelligence officials say it could take months or even years to fully understand the hacking.
Since a top Kremlin informant was pulled out in 2017, the C.I.A.’s insight into Russian operations has diminished. And the S.V.R. has remained one of the most capable intelligence agencies in the world by avoiding electronic communications that could divulge its secrets to the National Security Agency, intelligence officials say.
The best assessments of the S.V.R. have come from the Netherlands. In 2014, hackers working for the Dutch General Intelligence and Security Service penetrated the computers used by the group, observed them for at least a year, and eventually captured them on camera.
It was the Dutch who helped alert the White House and State Department to an S.V.R. hack of their systems in 2014 and 2015. And while the group is not known to be destructive, it is known to be difficult to remove from infiltrated computer systems.
When the S.V.R. broke into the unclassified systems of the State Department and the White House, Richard Ledgett, then deputy director of the National Security Agency, said the agency was engaged in the digital equivalent of “hand-to-hand combat.” At one point the S.V.R. gained access to the NetWitness Investigator tool, which investigators use to root out Russian backdoors, and manipulated it so that the hackers continued to evade detection.
Investigators said they would assume they had kicked the S.V.R. out, only to find the group had crawled in through another door.
Some security experts said that ridding so many sprawling federal agencies of the S.V.R. may be futile, and that the only way forward may be to shut systems down and start over. Others said doing so in the middle of a pandemic would be prohibitively expensive and time-consuming, and that the new administration would have to work to identify and contain every system at risk before it could calibrate a response.
“The S.V.R. is deliberate, they are sophisticated, and they don’t have the same legal restrictions as we do here in the West,” said Adam Darrah, a former government intelligence analyst who is now intelligence director at Vigilante, a security firm.
Sanctions, charges and other measures have not deterred the S.V.R., which has shown that it can adapt quickly.
“They are watching us very closely right now,” said Mr. Darrah. “And they will pivot accordingly.”