Government and industry reeling after Russian hackers pierce internal networks

WASHINGTON — The discovery this weekend that Russian hackers used sophisticated techniques to infiltrate a broad swath of government and corporate networks to steal sensitive information sent cybersecurity experts into a panic, leaving open the question of how the U.S. will respond.
The attribution was made on Sunday, according to one source familiar with the matter, who said the spy group responsible for the breach is known to the military and intelligence community. U.S. Cyber Command, the military combatant command charged with pursuing U.S. enemies in cyberspace, is closely involved in investigating the infiltration, as it may be asked “to respond” to the Russian espionage campaign at a future date, the source said.
The government has reportedly fingered APT29, or Advanced Persistent Threat 29, sometimes called Cozy Bear, a Russian hacking group associated with the Kremlin’s foreign intelligence service, SVR, as the culprit.
Cozy Bear has also been tied to spying on COVID-19 vaccine data as well as U.S. and foreign government agencies and think tanks.
“They are going to have to respond,” said another national security official, who noted that the U.S. government might try to keep the SVR offline or shut off its network connectivity as retaliation.
One national security official described the atmosphere within the government as “chaos,” forcing cybersecurity workers to scramble to pick up the pieces over the weekend.
“We’re honestly just trying to get a handle on what it all means and what or how much was stolen or made vulnerable,” said one congressional aide.
The intrusions into government systems, which were first reported by Reuters, included the Department of Homeland Security and the U.S. Treasury and Commerce departments, and may be “only the tip of the iceberg,” according to one national security official.
By Monday night, the Washington Post reported that the State Department and the National Institutes of Health were also among the victims.
According to a Securities and Exchange Commission filing from SolarWinds, the company whose software was used as a foothold to get into sensitive networks, “fewer than 18,000” customers were using the vulnerable product.
The company says hackers “inserted a vulnerability” into its Orion monitoring products, malicious code that was included in new product downloads as well as security updates between March and June 2020.
Any customer who purchased or updated software during that period, including “more than 425 of the U.S. Fortune 500” and “all five branches of the U.S. military,” according to a recently removed list of the company’s customers, may have been compromised.
Cybersecurity experts fear the ramifications of the attack could be “really, really bad,” said one national security official, referring to the scope of access the attackers had to entire networks for months and months before being detected.
Another former intelligence officer involved in cyber operations said the Russian actors appeared to have spent significant time planning the operation and did an excellent job to “conceal their presence” on networks.
Those responsible for identifying breaches are so busy that finding the time to investigate “what by all appearances is a legitimate account” or software update doesn’t make sense, they explained.
However, given that the government has been the victim of massive breaches a number of times over recent years, including the theft of millions of sensitive employee personal records from the Office of Personnel Management in 2015, something needs to change. “We can’t be having these once-in-a-decade breaches happening every couple years like this,” they said. (Jenna McLaughlin)