By Christopher Bing, Joseph Menn, Raphael Satter and Jack Stubbs
Dec 19 (Reuters) – At a private dinner for tech security executives at San Francisco’s St. Regis hotel in late February, America’s top cyber defense chief boasted of how well his organizations protected the country. of spies.
The US teams were “understanding the adversary better than the adversary understands itself,” said Gen. Paul Nakasone, head of the National Security Agency (NSA) and the US Cyber Command, according to a reporter. of Reuters present at the dinner on February 26. The speech had not been previously reported.
Yet as he spoke, the hackers were embedding malicious code into the network of a Texas software company called SolarWinds Corp, according to a timeline published by Microsoft and more than a dozen government and corporate cyber researchers.
Just over three weeks after that dinner, hackers began a large-scale intelligence operation that has penetrated the heart of the United States government and numerous corporations and other institutions around the world.
The results of that operation came to light on December 13, when Reuters reported that suspected Russian hackers had gained access to emails from the US Treasury and Commerce departments. Since then, officials and researchers say they believe that at least a half dozen government agencies have been infiltrated and thousands of companies infected with malware, in what appears to be one of the largest computer intrusions ever discovered.
Secretary of State Mike Pompeo said on Friday that Russia was behind the attack, calling it “a serious risk” to the United States. Russia has denied that it participated.
The revelations of the attack come at a vulnerable time, when the United States government is facing a controversial presidential transition and a growing public health crisis. Additionally, it reflects a new level of sophistication and scale, with attacks on numerous federal agencies and the threat of inflicting further damage on public trust in America’s cybersecurity infrastructure.
Much remains unknown, including the ultimate motive or goal.
Seven government officials have told Reuters they are largely in the dark about what information might have been stolen or tampered with, or what will be needed to undo the damage. The latest known breach of US federal systems by alleged Russian intelligence – when hackers gained access to the unreserved email systems of the White House, the State Department and the Joint Chiefs of Staff in 2014 and 2015 – took years to clear up.
US President Donald Trump on Saturday played down hacking and Russia’s involvement, maintaining that it was “under control” and that China could be responsible. He accused the “fraudulent” media of exaggerating the scope.
The NSC, however, acknowledged that a “significant cyber incident” did take place. “There will be an appropriate response to the actors behind this conduct,” said NSC spokesman John Ullyot. He did not respond to the question of whether Trump had evidence of Chinese involvement in the attack.
Several government agencies, including the NSA and the Department of Homeland Security, have issued technical notices about the situation. Nakasone and the NSA declined to comment for this report.
Lawmakers from both parties said they were trying to get answers from the departments they oversee, including the Treasury. A Senate employee said his boss knew more about the attack from the media than from the government.
‘A POWERFUL KNOWLEDGE’
The attack was first made public last week when US cybersecurity company FireEye Inc. revealed that it had been the victim of the same type of attack that customers pay it to protect them for.
Publicly, the incident initially seemed more of an embarrassment to FireEye. But hackers targeting security companies are especially dangerous because their tools often reach deep into their clients’ computer systems.
Days before the intrusion was revealed, FireEye investigators knew something worrisome was happening and contacted Microsoft Corp and the FBI, three people involved in those communications told Reuters. Microsoft and the FBI declined to comment.
His message: FireEye has been hit by an extraordinarily sophisticated cyber espionage campaign carried out by a nation-state, and its own troubles were probably just the tip of the iceberg.
About half a dozen researchers from FireEye and Microsoft set out to investigate, said two sources familiar with the response efforts. They found that the root of the problem was something cybersecurity professionals dread: so-called supply chain compromises, which in this case involved using software updates to install malware that can spy on systems, extract information and eventually cause other types of havoc.
In 2017, Russian operatives used this technique to crack down on private and government computer systems across Ukraine, after hiding a malicious software known as NotPetya in a widely used accounting program. Russia has denied that it participated. The malware quickly infected computers in dozens of other countries, crippling businesses and causing hundreds of millions of dollars in damage.
The most recent attack on the United States employed a similar technique: SolarWinds said its software updates had been compromised and were used to surreptitiously install malicious code on nearly 18,000 client systems. Its Orion network management software is used by hundreds of thousands of organizations.
Once downloaded, the program pointed out to its operators where it had been installed. In some cases where access was especially valuable, hackers used it to deploy more active malicious software to spread through their host.
In some of the attacks, the intruders combined the administrator privileges granted to SolarWinds with Microsoft’s Azure cloud platform – which stores customer data online – to forge authentication “tokens.” These gave them much more extensive and prolonged access to emails and documents than many organizations believed possible.
Hackers could then steal documents through Microsoft’s Office 365, the online version of its most popular business software, the NSA said Thursday in a rare public announcement. Also on Thursday, Microsoft announced that it found malicious code on its systems.
Another advisory released by the U.S. Infrastructure and Cybersecurity Agency on December 17 said that SolarWinds software was not the only vehicle being used in the attacks and that the same group had likely used other methods to implant malware. .
“This is powerful knowledge and must be understood to defend important networks,” Rob Joyce, an NSA cybersecurity adviser, said on Twitter.
How or when SolarWinds was first compromised is unknown. According to researchers at Microsoft and other companies that have investigated the attack, the intruders began to manipulate SolarWinds code as early as October 2019, a few months before it was in a position to launch an assault.
“STRENGTHENING OUR NETWORKS”
The pressure on the White House to act is mounting.
Republican Senator Marco Rubio said: “The United States must retaliate, and not just with sanctions.” Mitt Romney, also a Republican, likened the attack to repeatedly allowing Russian bombers to fly undetected over the country. Senator Dick Durbin, a Democrat, called it “practically a declaration of war.”
Democratic lawmakers said they had received little information from the Trump administration beyond what is in the media. “Their reports were obtuse, lacking in detail and really seemed like an attempt to provide us with the minimum of information that they had to give us,” Democratic Rep. Debbie Wasserman Schultz told reporters after a confidential meeting.
Ullyot, the spokesman for the National Security Council, declined to comment on the congressional briefings. The White House is “focused on investigating the circumstances surrounding this incident and working with our partners from other agencies to mitigate the situation,” he said in a statement to Reuters.
President-elect Joe Biden has warned that his administration will impose “significant costs” on those responsible. House Intelligence Committee Chairman Adam Schiff, also a Democrat, said Biden “must make strengthening our networks, both public and private infrastructure, a priority.”
The attack highlights those cyber defenses, reigniting criticism that US intelligence agencies are more interested in offensive cyber operations than in protecting government infrastructure.
“The attacker has the upper hand over defenders. Decades of money, patents and efforts have done nothing to change that,” said Jason Healey, a Columbia University cyber conflict researcher and a former White House security official at the George W. Bush administration.
“Now we realize with the attack on SolarWinds that, if anything, the defenders are falling behind. The top priority should be to turn this around, to make it easier for the defenders.” (Chris Bing and Raphael Satter in Washington, Jack Stubbs in London, and Joseph Menn in San Francisco. Spanish editing table; +56224374408; Twitter: @ReutersLatam; facebook.com/ReutersLatam/)
Melissa Galbraith is the World News reporter for Globe Live Media. She covers all the major events happening around the World. From Europe to Americas, from Asia to Antarctica, Melissa covers it all. Never miss another Major World Event by bookmarking her author page right here.