
US officials search for answers after suspected Russian hack of government agencies

Days after several US agencies confirmed their networks were compromised in a massive data breach, federal officials are still struggling to understand the scope of the damage — highlighting the sophistication and breadth of a hacking campaign that has been tied to Russia.

House and Senate Intelligence Committee aides received a phone briefing on the hack from administration officials on Wednesday, but the full extent of the breach remains unclear, according to sources familiar with the briefing. The Biden transition team was also briefed on the attack this week, an official from the Department of Homeland Security’s cyber arm told CNN. The official declined to provide additional details about what was discussed.

While relevant agencies continue to investigate the incident, the cybersecurity firm FireEye disclosed Wednesday that the malicious software contains a “killswitch” that can be used to shut it down. But even after deactivating the malware, there is a chance that affected systems may remain accessible to the attackers, a FireEye spokesperson said.

At the same time, US officials are already facing mounting pressure to retaliate against Russia, even as they scramble to address the vulnerabilities that were exploited and to formally identify the perpetrator.

‘A feeling of dread’

Even as officials continue to grapple with the immediate fallout from the attack, its seriousness is already coming into view, as are the glaring shortcomings of American cyber defenses that were exposed.

News of the intrusions comes at a highly sensitive time, in the middle of a presidential transition. President-elect Joe Biden’s transition team has been meeting with the various agencies as it prepares to take over. On Monday, his staff was briefed by officials on the massive intrusion, an official from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency said.

Biden himself would also presumably have been given details in his daily classified briefing.

US officials and cybersecurity experts are warning that the incident should serve as a wake-up call for both the federal government, including the incoming Biden administration, and private sector companies, as foreign actors will undoubtedly conduct similar attacks and improve their tactics in the future.

In the short term, the effort to catalog which agencies were hit and what information may have been accessed or stolen has shaken the nation’s intelligence agencies, according to one former Trump administration official, who added that the fallout has led to more than a little finger pointing.

“There is a feeling of widespread dread in the national security community,” the former official said.

President Donald Trump has yet to acknowledge the hack despite the rapidly growing list of agencies in his administration that were affected, though the National Security Council and White House spokeswoman Kayleigh McEnany have commented on the breach. Secretary of State Mike Pompeo was asked about the intrusion on Monday and acknowledged it was consistent with Russian efforts to breach servers belonging to American government agencies and businesses, but would not give any additional details.

CNN has previously reported that the systems belonging to at least three agencies — the Departments of Agriculture, Commerce and Homeland Security — were compromised by a vulnerability found in a third-party software vendor’s network management tool. The Washington Post reported the Treasury Department was also affected. Other national security agencies, including the Department of Defense, are currently investigating whether their networks may have been affected.

“It’s knowable, but it takes a fair amount of forensic work” to know the full extent of the intrusions, former National Security Agency general counsel Glenn Gerstell said. “It’s going to take a long time.”

“The problem is that until we know exactly what they did and what they had access to, you can’t do something other than metaphorically unplug the system,” Gerstell added. “That’s a big problem, that’s not a mitigation, you don’t apply a patch and it’s fixed.”

Uncertainty

That uncertainty only raises the stakes of what is already the most significant government breach in years.

“The United States faces untold numbers of cyber threats from malicious foreign actors, both to the government agencies and private industry, and sometimes both at the same time,” the Democratic chairman of the House Intelligence Committee, Rep. Adam Schiff, said in a statement Wednesday after his panel was briefed on the attack by the Office of the Director of National Intelligence, the National Security Agency and the FBI.

“The seriousness and duration of this attack demonstrate that we still have enormous and urgent work to do to defend our critical information and networks, that we must move quicker than our adversaries do to adapt,” he added.

The intrusions are believed to have begun in the spring, according to forensic analysis by FireEye, which also disclosed its own breach linked to the vulnerability earlier this month.

CNN previously reported that a Russian-linked group, known as APT29, was behind the FireEye hack.

Many of the investigations will try to determine what the hackers did with the information they were able to stealthily access for months. So far, the operation, which bears all the hallmarks of a Russian-backed actor, appears to be a wide-ranging espionage campaign intended to compromise as many key public and private sector networks as possible, several cybersecurity experts told CNN.

The US government’s ability to carry out its investigation is uneven and may vary by agency, said Chris Kubic, chief information security officer at Fidelis Cybersecurity and a former top cybersecurity official at the National Security Agency.

“If they don’t have the right tools in place, if they aren’t collecting the application logs, the system logs that allow them to do the analysis, it can be difficult for them to determine what was exposed,” Kubic said.

A Pentagon spokesperson said Wednesday that the forensic review of department networks continues, but that there is currently nothing definitive to share.

“For operational security reasons, the DoD will not comment on specific mitigation measures or specify systems that may have been impacted. DoD will continue to work with the whole of government effort to mitigate cyber threats to the nation,” they said.

Meanwhile, the intelligence community “continues to share information with US government agencies what they have learned about the attack” and is “marshaling all of its relevant resources to support this effort and share information across the United States Government,” a spokesperson from the Office of the Director of National Intelligence told CNN Wednesday.

CNN