The president-elect’s team will consider several options over the country’s suspected role in the unprecedented hacking of US government agencies and companies, sources have told Reuters.
The massive data breach enabled hackers believed to be from
Fired DHS Cybersecurity chief Chris Krebs on Sunday admitted his ‘failure’ to stop the hack, telling
He warned: ‘I’d be very careful with escalating this.’
Biden is reported to be looking at new financial sanctions and cyber attacks on Russian infrastructure, people familiar with the matter say.
Joe Biden is said to be considering cyber attacks on Russian infrastructure in retaliation for the hacks that breached 200 US federal agencies and firms
Christopher Krebs, former director of the Cybersecurity and Infrastructure Security Agency, has admitted his ‘failure’ to stop the hack, telling CNN: ‘It happened on my watch’
‘They’ll be held accountable,’ Biden said in an interview broadcast on CBS on Thursday when asked about how he would deal with the Russian-led hack. He vowed to impose ‘financial repercussions’ on ‘individuals as well as entities.’
Sources say the response will need to be strong enough to impose a high economic, financial or technological cost on the perpetrators, but avoid an escalating conflict between two nuclear-armed Cold War adversaries.
The overarching goal of any action, which could also include stepped-up counter cyber espionage efforts, would be to create an effective deterrence and diminish the potency of future Russian cyber spying, the person added.
The unfolding crisis – and the lack of visibility over the extent of the infiltration into the computer networks of federal agencies including the Treasury, Energy and Commerce Departments – will push to the front of Biden’s agenda when he takes office on January 20.
‘Cozy Bear’: The Russian hacker cell suspected in attack
Russia denies involvement in the SUNBURST attack, but US officials say the nation is behind the ‘Advanced Persistent Threat’ (APT) that carried out the audacious breach.
Sources say that one top suspect is APT29, the Kremlin-linked group also known as Cozy Bear.
Cozy Bear is best known as the group said to be responsible for the 2016 breach of the Democratic National Committee’s servers.
Experts believe that Cozy Bear operates as part of one of Russia’s intelligence agencies.
Some doubt the attribution of SUNBURST to Cozy Bear, though, noting that the tools used in the attack have never been seen before.
A company called SolarWinds was hacked, permitting an open door into public and private sector computer systems. SolarWinds is behind critical network monitoring software utilized both by the US government and many blue-chip American firms.
‘Symbolic won’t do it’ for any U.S. response, said James Andrew Lewis, a cyber security expert at the Center for Strategic and International Studies, a Washington think tank. ‘You want the Russians to know we’re pushing back.’
President Donald Trump only acknowledged the hacking on Saturday almost a week after it surfaced, downplaying its importance and questioning whether the Russians were to blame.
Trump’s silence did not go unnoticed, with Democrats in Congress blasting Trump for failing to address the issue and demanding a harsh response against the perpetrators.
‘Our nation is under assault. This cyberattack could be the largest in our history. We don’t yet know the extent of the damage, but we know that we weren’t prepared & have our work cut out for us,’ Rep Jason Crow (D – Colorado) tweeted on Friday.
‘We can’t wait for leadership, we need it now. @realdonaldtrump, where are you?’
Crow also likened the attack to Pearl Harbor in a follow-up tweet: ‘The situation is developing, but the more I learn this could be our modern day, cyber equivalent of Pearl Harbor.’
Mitt Romney demanded Sunday that the U.S. response to the Russia cyber attack be ‘of like magnitude or greater’. Democratic Senator Mark Warner, ranking member of the Intelligence Committee, called the Kremlin’s takeaway from the cyber attack a ‘big haul.’
The discussions among Biden’s advisers are theoretical at this point and will need to be refined once they are in office and have full view of U.S. capabilities.
Biden’s team will also need a better grasp of US intelligence about the cyber breach before making any decisions, one of the people familiar with his deliberations said.
The president-elect’s access to presidential intelligence briefings was delayed until about three weeks ago as Trump disputed the November 3 election results.
Trump asserted that China was behind the unprecedented hack on US government agencies and private sector firms, after the secretary of state said on Friday that the Kremlin was to blame. Russian President Vladimir Putin, left, and China’s President Xi Jinping are pictured
This heat map of infections created by Microsoft shows that those infiltrated by the hackers are spread out across the US
GOVT AGENCIES KNOWN TO HAVE BEEN TARGETED BY HACKERS SO FAR
- Department of State
- Department of Homeland Security
- Commerce Department
- National Institutes of Health
- Department of Energy
- National Nuclear Security Administration
- Los Alamos National Laboratory
- Federal Energy Regulatory Commission
- Office of Secure Transportation
With Trump taking no action, Biden’s team is concerned that in the coming weeks the president-elect may be left with only one tool: bluster, according to one of the people familiar with his options.
Biden issued a statement Thursday about the attack where he vowed to make cybersecurity ‘imperative’ when he takes office and said he would not ‘stand idly by’.
‘I want to be clear: My administration will make cybersecurity a top priority at every level of government – and we will make dealing with this breach a top priority from the moment we take office,’ Biden said in a statement.
‘We will elevate cybersecurity as an imperative across the government, further strengthen partnerships with the private sector, and expand our investment in the infrastructure and people we need to defend against malicious cyberattacks.’
A spokeswoman for Biden’s transition team did not respond to a request for comment.
One potential target for U.S. Treasury financial sanctions would be the SVR, said Edward Fishman, an Atlantic Council fellow who worked on Russia sanctions at the State Department during the Obama administration.
Media reports have suggested the SVR-linked hacking group known as ‘Cozy Bear’ or APT29 was responsible for the attacks. The United States, Britain and Canada in July accused ‘Cozy Bear’ of trying to steal COVID-19 vaccine and treatment research from drug companies and academic institutions.
‘I would think, at the bare minimum, imposing sanctions against the SVR would be something that the U.S. government should consider,’ Fishman said, noting that the move would be largely symbolic and not have a major economic impact.
The U.S. Treasury has already imposed financial sanctions on other Russian security services, the FSB and the GRU.
Financial sanctions against Russian state companies and the business empires of Russian oligarchs linked to Russian President Vladimir Putin may be more effective, as they would deny access to dollar transactions, both Fishman and Lewis said.
Those targets could include aluminum giant Rusal, which saw U.S. sanctions lifted in 2018 after blacklisted Russian billionaire Oleg Deripaska reduced his stake to a minority in a deal with the Treasury.
Lewis said a stronger option could be to cut Russia off from the SWIFT international bank transfer and financial messaging system, a crippling move that would prevent Russian companies from processing payments to and from foreign customers.
Such a move was contemplated in 2014 when Russia annexed Ukraine’s Crimean peninsula, but it would hurt the Russian energy sector, complicate gas sales to Europe and hit European companies with Russian operations.
Neither the Treasury nor State Department responded to questions about possible actions in response to the hacking.
How hackers used legitimate software updates as camouflage for the ‘SUNBURST’ attack
The hack began as early as March when malicious code was snuck into updates to popular software that monitors computer networks of businesses and governments. The malware, affecting a product made by U.S. company SolarWinds, gave elite hackers remote access into an organization’s networks so they could steal information.
It wasn’t discovered until the prominent cybersecurity company FireEye determined it had been hacked. Whoever broke into FireEye was seeking data on its government clients, the company said – and made off with hacking tools it uses to probe its customers’ defenses.
Its apparent monthslong timeline gave the hackers ample time to extract information from a lot of different targets.
FireEye executive Charles Carmakal said the company was aware of ‘dozens of incredibly high-value targets’ compromised by the hackers and was helping ‘a number of organizations respond to their intrusions.’
He would not name any, and said he expected many more to learn in coming days that they, too, were infiltrated.
WHAT IS SOLARWINDS?
SolarWinds, of Austin, Texas, provides network-monitoring and other technical services to hundreds of thousands of organizations around the world, including most Fortune 500 companies and government agencies in North America, Europe, Asia and the Middle East.
Its compromised product, called Orion, accounts for nearly half of SolarWinds’ annual revenue. The company’s revenue totaled $753.9 million over the first nine months of this year.
Its centralized monitoring looks for problems in an organization’s computer networks, which means that breaking in gave the attackers a ‘God-view’ of those networks.
HOW DID IT HAPPEN?
The US Cybersecurity and Infrastructure Security Agency on Thursday released an alert detailing what it knows about the breach, which has been called the biggest in US history.
CISA says that hackers were able to compromise the supply chain of network management software from SolarWinds, specifically recent versions of the SolarWinds Orion products.
Beginning in March 2020, hackers used SolarWinds software updates to install a secret network backdoor, which authorities are calling SUNBURST.
The malicious code was signed by the legitimate SolarWinds code signing certificate. An estimated 18,000 customers downloaded the compromised updates.
Once installed on a network, the malware used a protocol designed to mimic legitimate SolarWinds traffic to communicate with a domain that has since been seized and shut down.
The initial contact domain would often direct the malware to a new internet protocol (IP) address for command and control. The attackers used rotating IPs and virtual private servers with IP addresses in the target’s home country to make detection of the traffic more difficult.
‘Taken together, these observed techniques indicate an adversary who is skilled, stealthy with operational security, and is willing to expend significant resources to maintain covert presence,’ CISA said in the alert.
CISA said that once inside a network, the hackers seemed focused on gathering information, and would frequently target the emails of IT and security staff to monitor any countermeasures.
Without offering further details, the agency warned that the hackers used ‘other initial access vectors beyond SolarWinds Orion,’ meaning even groups that do not use the network software could be compromised.
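The command-and-control pattern CISA describes above (a beacon to an initial contact domain that hands the implant off to rotating IP addresses chosen to look local) is hard to spot by signature, because the traffic imitates the vendor’s own. It is easier to catch by baselining what a network-monitoring server is allowed to talk to. The block below is an added example, not code from the article, CISA or SolarWinds: it runs over constructed connection-log lines from a hypothetical monitoring host (`nms-01`), flags outbound destinations outside an assumed vendor allowlist, and flags any domain whose resolved address keeps changing.

```python
import re
from collections import defaultdict

# Constructed log lines in a hypothetical format: "<ts> <host> <domain> <ip> <port>".
# The domains and addresses below are placeholders (RFC 5737 documentation ranges),
# not real indicators.
SAMPLE_LOG = """\
2020-09-01T10:00:00 nms-01 downloads.vendor.example 203.0.113.10 443
2020-09-01T10:05:00 nms-01 api.vendor.example 203.0.113.11 443
2020-09-01T11:00:00 nms-01 updates.cdn-lookalike.example 198.51.100.5 443
2020-09-01T11:12:00 nms-01 updates.cdn-lookalike.example 198.51.100.77 443
2020-09-01T11:30:00 nms-01 updates.cdn-lookalike.example 192.0.2.9 443
"""

# Assumed allowlist: the destinations the vendor documents for update and telemetry traffic.
ALLOWED_DOMAINS = {"downloads.vendor.example", "api.vendor.example"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+\.\d+\.\d+\.\d+) (\d+)$")


def parse(log):
    """Turn the constructed log text into a list of connection events."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, host, domain, ip, port = m.groups()
            events.append({"ts": ts, "host": host, "domain": domain,
                           "ip": ip, "port": int(port)})
    return events


def find_anomalies(events, allowed=ALLOWED_DOMAINS, rotation_threshold=3):
    """Return (unexpected_domains, rotating_domains).

    unexpected_domains: destinations not on the vendor allowlist, i.e. traffic a
    monitoring server has no documented reason to generate.
    rotating_domains: destinations seen resolving to at least rotation_threshold
    distinct IPs, the hand-off-to-fresh-infrastructure pattern described above.
    """
    ips_seen = defaultdict(set)
    unexpected = set()
    for e in events:
        if e["domain"] not in allowed:
            unexpected.add(e["domain"])
        ips_seen[e["domain"]].add(e["ip"])
    rotating = {d for d, ips in ips_seen.items() if len(ips) >= rotation_threshold}
    return sorted(unexpected), sorted(rotating)


if __name__ == "__main__":
    unexpected, rotating = find_anomalies(parse(SAMPLE_LOG))
    print("Unexpected destinations:", unexpected)
    print("Domains with rotating IPs:", rotating)
```

In a real deployment the allowlist comes from the vendor’s published network requirements and the log source is the egress firewall or DNS resolver, not a text file.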
The Pentagon’s U.S. Cyber Command likely has options for counter actions that could cripple Russian technology infrastructure, such as disrupting phone networks or cutting off internet access, Lewis said, adding that this too could hurt European allies.
‘They’ll need to think through the diplomacy of that,’ Lewis said.
The hackers likely left behind some malicious code that would let them access U.S. systems for retaliation against any U.S. cyber attack and it will take months to find and eliminate those ‘Easter eggs,’ he added.
Microsoft researchers said Saturday they discovered a second cyber attack on the U.S. government.
They said an unidentified hacking team installed a backdoor in the same SolarWinds network software that facilitated a massive cyber espionage campaign, as the number of victims in the attack rose to 200.
The second backdoor, dubbed SUPERNOVA by security experts, appears distinct from the SUNBURST attack that has been attributed to
The sprawling attack compromised multiple government agencies, as well as a growing list of companies and local governments across the country.
The two US agencies responsible for maintaining America’s nuclear weapons stockpile have already said they were compromised in the attack.
The attack also breached the Pentagon, FBI, Treasury and State Departments.
Other victims of the attack include the Pima County, Arizona government and cable television company Cox Communications Inc, according to Reuters.
Microsoft said Friday it had already identified at least 40 government agencies and companies targeted by the hackers.
A heat map of infections released by the tech giant, which has helped respond to the breach, shows that those infiltrated by the hackers are spread out across the US with agencies, companies and think tanks in New York, Washington DC and Texas among the hardest hit.
Microsoft has not revealed the names of those infiltrated by the hackers but said nearly half were tech companies.
The UK, Israel, Canada and the United Arab Emirates were also caught in the cross hairs.
The breach was executed back in March and went undetected for nearly nine months, fueling concerns over the full extent of intelligence and top-secret information that may have fallen into the wrong hands.
‘The most serious attention should be paid to information security’: Putin in sly dig at Russia’s cyber attack on America as he welcomes new spooks during 100th anniversary of country’s intelligence agency
The Kremlin leader appeared at the headquarters of the SVR, Russian Foreign Intelligence Service, to mark its 100th anniversary on Sunday.
While not referring to hacking, Putin lauded the work of intelligence agents in protecting
A hatless Putin – himself a former KGB agent – stood in the freezing cold outside the SVR HQ to say: ‘I wish success to everyone who defends Russia, our people from external and internal threats, defends sovereignty and national interests.
‘And for whom the safety and well-being of the Motherland was, is and will be the main business of their entire life.’
He stressed: ‘The most serious attention should be paid to information security.’
Vladimir Putin gave his personal backing to Russia’s SVR foreign intelligence agency at an event commemorating its 100th anniversary on Sunday in Moscow (pictured). The event came days after the SVR was accused of launching a massive cyberattack against the US
Putin braved frigid temperatures to give his speech outside the SVR’s headquarters. ‘I wish success to everyone who defends Russia, our people from external and internal threats, defends sovereignty and national interests,’ he said
Putin praised young new staffers – believed to include many with skills in hacking – recruited to Russia’s foreign intelligence service.
‘I want to congratulate those who have recently chosen this fate for themselves, sometimes associated with considerable risk,’ he said.
Agents must ‘respond flexibly to the high dynamics of changes in the international situation and actively participate in identifying and neutralizing potential threats to Russia,’ he said.
In a temperature of around minus 1C (30F), Putin hailed the role of the former KGB during the Soviet era, when it was widely seen as responsible for multiple repressions, and the current role of his security organs in fighting terrorism.
‘Our common task is to confront any attempts to revise history, including silencing or distorting the role of our special services in the defeat of Nazism and, more generally, in ensuring the national security and national interests of our country,’ he said.
Putin spoke in support of the SVR as the vast agency is accused of being behind a vast data breach hacking the networks of government agencies, private companies and think-tanks for months.
The scale of the operation, which hit 40 separate targets, has shocked seasoned cyber experts, who have little doubt this was a huge state-level operation to penetrate sensitive US facilities.
Putin’s spokesman denied Kremlin involvement in the attack, and the Russian embassy said in a statement that the country ‘does not conduct offensive operations in the cyber domain’.
Earlier the Russian state media gleefully seized on President Donald Trump’s remarks playing down the role of Russia in the hacking.
The US president hit out at Secretary of State Mike Pompeo for blaming Russia for the huge cyber attack on the US in a tweet on Saturday.
Tagging Pompeo, Trump asserted that China was behind the unprecedented hack on US government agencies and private sector firms, after the secretary of state said on Friday that the Kremlin was to blame.
Russian state news agency TASS headlined a story in the wake of Trump’s comments: ‘White House cancels release of statement alleging Russia involvement in cyber attacks.’
Another state agency, Sputnik, also cited US sources as saying the US government ‘backs away’ from ‘blaming Russia’.
Sputnik also reported that Trump had ‘berated media outlets for excluding China’s potential involvement in the attack, which, he believes, might be the case’.
They also seized on the president’s claim that ‘the true scale of recent cyberattacks on US government agencies was greatly exaggerated’.
This followed Pompeo alleging ‘it’s the case that now we can say pretty clearly that it was the Russians that engaged in this activity’.
He also emphasized it was a direct and serious attack on the US government by Moscow.
He called it ‘a significant effort to use a piece of third-party software to essentially embed code inside of US government systems’.
US Secretary of State Mike Pompeo (pictured) blamed Russia for the attack on Friday
President Donald Trump hit out at Pompeo in a tweet on Saturday, downplaying the severity of the hack and shifting blame to China