FBI scrambles to assess damage from Russia-linked US government hack
U.S. officials have been scrambling over the last several days to assess the damage from a potentially devastating breach across multiple U.S. government computer networks, include those at the State, Commerce and Treasury departments.
The FBI says the agency is ‘investigating and gathering intelligence” on the breach, according to a statement released Wednesday night, but officials have said little else, and President Donald Trump has yet to comment on the attack, which officials have told ABC News is believed linked to Russia.
President-elect Joe Biden issued a statement Thursday calling it a “matter of great concern.”
“I have instructed my team to learn as much as we can about this breach, and Vice President-elect Harris and I are grateful to the career public servants who have briefed our team on their findings, and who are working around-the-clock to respond to this attack,” Biden said.
“We will elevate cybersecurity as an imperative across the government, further strengthen partnerships with the private sector, and expand our investment in the infrastructure and people we need to defend against malicious cyberattacks. But a good defense isn’t enough; we need to disrupt and deter our adversaries from undertaking significant cyber attacks in the first place,” Biden said, noting his team would implement stronger punitive measures for those who carry out any such attacks on the U.S.
“Our adversaries should know that, as President, I will not stand idly by in the face of cyber assaults on our nation,” Biden said.
The intrusion involves software from SolarWinds, which makes IT management tools, that had been adulterated or “Trojanized” with a vulnerability that could be exploited by hackers to steal information, manipulate systems or plant trap doors and other exploits for future use.
The FBI, Department of Homeland Security and the Office of the Director of National Intelligence called the intrusion a “significant and ongoing cybersecurity campaign.”
“The FBI is investigating and gathering intelligence in order to attribute, pursue, and disrupt the responsible threat actors,” the agency’s statement said. “The FBI is engaging with known and suspected victims, and information gained through FBI’s efforts will provide indicators to network defenders and intelligence to our government partners to enable further action.”
The three agencies established a Cyber Unified Coordination Group on Tuesday and will work “to coordinate a whole-of-government response to this significant cyber incident.”
The statement reiterated that the Cybersecurity and Infrastructure Security Agency (CISA) is the lead agency in helping secure companies and agencies affected.
CISA is the Department of Homeland Security’s cyber arm.
Two government officials told ABC News that Russia is believed to be behind the attack that has so far compromised the Department of Homeland Security, State Department, National Institute of Health, Commerce and Treasury Departments.
National Security Adviser Robert O’Brien cut an international trip short in order to return to the United States to address the cyberbreach of U.S. government computer networks, according to the White House’s National Security Council.
A person familiar with the matter confirmed that there has been at least one NSC meeting to discuss the situation.
The Russians have denied they are behind the attack, and while Trump hasn’t commented, White House press secretary Kayleigh McEnany asked on Tuesday about the breaches said the U.S. government was “taking all necessary steps to identify and remedy any possible issues related to the situation.”
One lawmaker briefed on the intrusion said what they saw was troubling.
“Stunning,” Sen. Richard Blumenthal, a Connecticut Democrat, tweeted on Tuesday. “Today’s classified briefing on Russia’s cyberattack left me deeply alarmed, in fact downright scared. Americans deserve to know what’s going on. Declassify what’s known & unknown.”
Others, like former Trump administration Homeland Security Adviser Tom Bossert said “the magnitude of the attack cannot be overstated.”
“The logical conclusion is that we must act as if the Russian government has control of all the networks it has penetrated. But it is unclear what the Russians intend to do next,” Bossert wrote in New York Times op-ed. “The access the Russians now enjoy could be used for far more than simply spying.”
Bossert also asserts that trying to pick up the pieces after this intrusion could be very difficult.
“The remediation effort alone will be staggering. It will require the segregated replacement of entire enclaves of computers, network hardware and servers across vast federal and corporate networks,” Bossert said. “Somehow, the nation’s sensitive networks have to remain operational despite unknown levels of Russian access and control. A “do over” is mandatory and entire new networks need to be built — and isolated from compromised networks. Cyber threat hunters that are stealthier than the Russians must be unleashed on these networks to look for the hidden, persistent access controls. These information security professionals actively search for, isolate and remove advanced, malicious code that evades automated safeguards. This will be difficult work as the Russians will be watching every move on the inside,” he warned.
Cyberexperts concur with Bossert’s assertion that this hack could potentially be incredibly damaging.
“The potential for damage here is full compromise of the environment, including theft of sensitive materials,” Tony Turner, Vice President for Security Solutions for Fortress Security Solutions, told ABC News.
On Monday, SolarWinds said as many as 18,000 organizations including unclassified federal government networks and 425 Fortune 500 companies could have downloaded the malicious software, according to a Securities and Exchange Commission filing.
“We believe that this vulnerability is the result of a highly-sophisticated, targeted and manual supply chain attack by a nation state. We are acting in close coordination with FireEye, the Federal Bureau of Investigation, the intelligence community, and other law enforcement to investigate these matters,” SolarWinds President and CEO Kevin Thompson said on Sunday.
Over the weekend, CISA, assessed there is “high potential for compromises of agency information systems,” and the potential “grave impact of a successful compromise,” in affected systems and for only the fifth time in the agency’s history issued an emergency directive “to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.”
CISA is operating with an acting director after President Trump fired director Chris Krebs in November.
“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” said CISA acting Director Brandon Wales.
Javed Ali, a former senior counterterrorism director on the National Security Council and former FBI official said that Russia has not been deterred by the United States previous response to Russians meddling in US systems.
“It raises serious questions about the level of US defensive measures against cyber-attacks, as the vulnerabilities exploited in this latest attack crossed over into both private industry cyber tools and federal ones–neither of which were able to identify the Russian breaches until months after they began,” he explained.