Federal officials issued an urgent warning Thursday that the hackers who were working for a foreign government and penetrated deep into government systems had used a wider variety of techniques in their cyberoffensive — and they warned that the hacking was “a grave risk to the federal government.”
The discovery vastly complicates the challenge for federal investigators as they search through computer networks used by the Treasury, Defense and Commerce departments, as well as nuclear laboratories, trying to assess the damage and understand what the Russian actors had stolen. Although the government warning made no specific reference to the origin of the hacking, intelligence agencies have told Congress that they believe it was carried out by an elite Russian intelligence agency.
Minutes after the statement from the cybersecurity arm of the Department of Homeland Security, President-elect Joe Biden, in his first comments on the broadening cyberattack, warned that his administration would impose “substantial costs” on those responsible.
“A good defense isn’t enough; we need to disrupt and deter our adversaries from undertaking significant cyberattacks in the first place,” Biden said, adding, “I will not stand idly by in the face of cyberassaults on our nation.”
President Donald Trump has said nothing about the attacks since they were first revealed on Sunday.
The government warning, issued by the Cybersecurity and Infrastructure Security Agency, gave no details. But it confirmed suspicions voiced earlier this week by FireEye, a cybersecurity firm, that there were almost certainly other pathways that had been found for the attack.
FireEye was the first to inform the government that a Russian intelligence agency’s hackers had, since this spring, gotten into critical network monitoring software used by the government and hundreds of Fortune 500 companies and companies that oversee critical infrastructure, including the power grid.
Investigators and other officials say they believe the goal of the Russian attack was traditional espionage, the sort the National Security Agency and other agencies regularly conduct on foreign networks. But the extent and depth of the hacking raise concerns that the hackers could ultimately use their access to shutter American systems, corrupt or destroy data, or take command of computer systems that run industrial processes. So far, though, there has been no evidence of that happening.
The alert also ramped up the urgency of government warnings. After playing down the episode — in addition to Trump’s silence, Secretary of State Mike Pompeo deflected the hacking as one of the many daily attacks on the federal government, suggesting China was the biggest offender — the new alert left no doubt the assessment had changed.
“This adversary has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks,” the alert said. “It is likely that the adversary has additional initial access vectors and tactics, techniques and procedures,” which, it said, “have not yet been discovered.”
“Taken together, these observed techniques indicate an adversary who is skilled, stealthy with operational security, and is willing to expend significant resources to maintain covert presence,” the warning said. As a result, it could take months, investigators say, to unravel the extent to which US networks are compromised.
Officials say that with only one month left in its tenure, the Trump administration is planning to simply hand off what appears to be the biggest cybersecurity breach of federal networks in more than two decades.
Biden’s statement said he had instructed his transition team to learn as much as possible about “what appears to be a massive cybersecurity breach affecting potentially thousands of victims.”
“I want to be clear: My administration will make cybersecurity a top priority at every level of government — and we will make dealing with this breach a top priority from the moment we take office,” Biden said, adding that he plans to impose “substantial costs on those responsible.”
The cybersecurity agency’s warning came just days after Microsoft, which produces Windows software and monitors the global network of computers that make use of Windows, took emergency action along with FireEye and used a so-called kill switch to halt the communication between the SolarWinds network management software and the command-and-control center that the Russians were using to send instructions to their malware.
That shut off further penetration. But it is of no help to organizations that have already been penetrated, because the SolarWinds software was corrupted with malware in March. And the key line in the warning said that the SolarWinds “supply chain compromise is not the only initial infection vector” that was used to get into federal systems. That suggests other software, also used by the government, has been infected and used for access by foreign spies.
Across federal agencies, the private sector and the utility companies that oversee the power grid, forensic investigators were still trying to unravel the extent of the compromise. But security teams say the relief some felt that they did not use the compromised systems turned to panic on Thursday, as they learned other third-party applications may have been compromised.
Two security experts who work with utility companies said companies were shutting down third-party applications that have deep access to operational systems as a precaution and searching their code for signs of compromise. But to date, they said, it was not clear that grid operators had been compromised by the hackers.
In an interview this week, officials at FireEye said they believed the actual number of targets could be limited to “dozens” out of the 18,000 organizations that used the SolarWinds software. But after Thursday’s alert about other Russian entry points, security experts said they expect the number of victims to grow.