The widespread breach of SolarWinds, the network management software company that supplies so many U.S. government agencies and Fortune 500 companies, likely allowed Russian hackers to access the top echelons of those institutions and cannot simply be dismissed as routine espionage by a strategic rival, former cybersecurity officials said this week.
Moreover, they warned that the attackers may be burrowed deep into government and corporate networks and from there could launch other damaging attacks at a time of their choosing.
The cybersecurity experts who served in the George W. Bush and Obama administrations said that the attackers, who breached the SolarWinds operating software to gain access to the company’s clients between March and June, by now may have used that access to slip deeper into the networks, making it harder to find them.
President-elect Joe Biden on Tuesday said the cyberattack, likely launched by the Russian intelligence service known as SVR, happened “on Donald Trump’s watch, when he wasn’t watching.” Biden said the attack “constitutes a grave risk to our national security. It was carefully planned and carefully orchestrated.”
Although most knowledgeable observers say the attack was likely carried out by Russia, President Donald Trump has tweeted that it could have been carried out by China or others, contradicting statements by Secretary of State Mike Pompeo and outgoing Attorney General William Barr, both of whom have said the attack was likely carried out by Moscow.
The attack has exposed 18,000 SolarWinds clients after they downloaded and installed a tainted software update that was infected with malware. The breach wasn’t discovered until cybersecurity research firm FireEye, which was attacked separately, revealed the SolarWinds breach this month.
Federal departments such as Commerce, Treasury, Energy, and Homeland Security have been exposed, as well as large corporations like Microsoft, Ford Motor Co. and others.
On Monday, Oregon Sen. Ron Wyden, the top Democrat on the Senate Finance Committee, said the Treasury Department “suffered a serious breach, beginning in July, the full depth of which isn’t known,” based on briefings the committee received from the agency, and contradicting Treasury Secretary Steven Mnuchin, who earlier said the breach was “under control.”
Wyden said the hackers had broken into systems that are home to the department’s highest-ranking officials and that the agency remained in the dark about “all of the actions taken by the hackers, or precisely what information was stolen.”
Attack not over
The attackers “still have the ability in the networks in which they have maintained some persistent control to do the proverbial bomb drop, if they really wanted to go that route,” said Tom Bossert, who was a White House adviser for homeland security and cybersecurity in the Trump administration until April 2018.
The attackers also could use information they have gleaned from their presence in government and corporate networks to “conduct a misinformation or disinformation campaign” in the coming months and even years, Bossert said.
Bossert appeared on a panel discussion with Michael Daniel, the Obama administration cybersecurity adviser; Melissa Hathaway, who advised Presidents Barack Obama and George W. Bush on cyber matters; and Chris Inglis, the former deputy director of the National Security Agency. The event was organized by the McCrary Institute for Cyber and Critical Infrastructure Security at Auburn University.
Unlike the Japanese attack on Pearl Harbor or al-Qaida’s attack on 9/11, it’s likely that the wide-open breach that has allowed Russian hackers to hide inside government networks could enable Moscow to spread out its attack in a diffused manner “over time and space,” Inglis said.
The U.S. government must shift its approach to cybersecurity from “detect and react strategy” after each major attack, because “it’s a fool’s errand,” Inglis said. “We appear to be defending technology as opposed to the operations that are dependent upon that technology.”
Hathaway said a handful of private companies with weak security systems have exposed thousands of others and the U.S. government to risk. In addition to SolarWinds, “Microsoft is part of this problem,” she said, because the company’s Office 365 and cloud services enabled the attack.
The exposure means that “we will have lost trust in all of these enterprises,” Hathaway said, adding that the path of attack could also leave the country’s energy and utilities infrastructure — electricity, gas, water — vulnerable.
Paying a price
The experts said Russia must pay a price for its indiscriminate breaching of U.S. government networks.
The attack in its “scope and scale is clearly unacceptable,” Inglis said. “It’s brazen, it’s impactful, and it’s indiscriminate.”
The American response cannot simply be a computer network attack or a physical attack by armed forces, which are “not completely appropriate,” but the U.S. government must craft an adequate response, Inglis said.
Hathaway and Daniel said the response could be a series of steps ranging from economic sanctions, an oil embargo or moves expelling Russian diplomats, and working with U.S. allies to step up pressure steadily on Moscow.
Those steps executed in a sequence could also deter and forestall any long-term damage Moscow might be contemplating from the network access its spies have gained, Hathaway and Daniel said.