What we know and still dont about the worst-ever US government cyber attack – The Guardian

Nearly a week after the US government announced that multiple federal agencies had been targeted by a sweeping cyber attack, the full scope and consequences of the suspected Russian hack remain unknown.

Key federal agencies, from the Department of Homeland Security to the agency that oversees Americas nuclear weapons arsenal, were reportedly targeted, as were powerful tech and security companies, including Microsoft. Investigators are still trying to determine what information the hackers may have stolen, and what they could do with it.

Donald Trump has still said nothing about the attack, which federal officials said posed a grave risk to every level of government. Joe Biden has promised a tougher response to cyber attacks but offered no specifics. Members of Congress are demanding more information about what happened, even as officials scrambling for answers call the attack significant and ongoing.

Heres a look at what we know, and what we still dont, about the worst-ever cyber attack on US federal agencies.

The hack began as early as March, when malicious code was snuck into updates to a popular software called Orion, made by the company SolarWinds, which provides network-monitoring and other technical services to hundreds of thousands of organizations around the world, including most Fortune 500 companies and government agencies in North America, Europe, Asia and the Middle East.

That malware in the updates gave elite hackers remote access to an organizations networks so they could steal information. The apparent months-long timeline gave the hackers ample opportunity to extract information from many targets, including monitoring email and other internal communications.

Microsoft called it an attack that is remarkable for its scope, sophistication and impact.

At least six US government departments, including the energy, commerce, treasury and state departments, are reported to have been breached. The National Nuclear Security Administrations networks were also breached, Politico reported on Thursday.

Dozens of security and other technology firms, as well as non-governmental organizations, were also affected, Microsoft said in a statement Thursday. While most of those affected by the attack were in the US, Microsoft said it had identified additional victims in Canada, Mexico, Belgium, Spain, the United Kingdom, Israel and the United Arab Emirates.

Its certain that the number and location of victims will keep growing, Microsoft added.

While the US government has not yet officially named who is responsible for the attack, US officials have told media outlets they believe Russia is the culprit, specifically SVR, Russias foreign intelligence outfit.

Andrei Soldatov, an expert on Russias spy agencies and the author of The Red Web, told the Guardian he believes the hack was more likely a joint effort of Russias SVR and FSB, the domestic spy agency Putin once headed.

Russia has denied involvement: One shouldnt unfoundedly blame the Russians for everything, a Kremlin spokesman said on Monday.

The infiltration tactic involved in the current hack, known as the supply-chain method, recalled the technique Russian military hackers used in 2016 to infect companies that do business in Ukraine with the hard-drive-wiping NotPetya virus the most damaging cyber-attack to date.

Thats remains deeply unclear.

This hack was so big in scope that even our cybersecurity experts dont have a real sense yet in the terms of the breadth of the intrusion itself, Stephen Lynch, the head of the House of Representatives oversight and reform committee, said after attending a classified briefing Friday.

Thomas Rid, a Johns Hopkins cyberconflict expert, told the Associated Press that it was likely that the hackers had harvested such a vast quantity of data that they themselves most likely dont know yet what useful information theyve stolen.

Thats also unclear, and potentially very difficult.

Removing this threat actor from compromised environments will be highly complex and challenging for organizations, said a statement from the Cybersecurity and Infrastructure Security Agency (Cisa) on Thursday.

One of Trumps former homeland security advisers, Thomas Bossert, has already said publicly that a real fix may take years, and be both costly and challenging.

It will take years to know for certain which networks the Russians control and which ones they just occupy, Bossert wrote in a New York Times op-ed on Wednesday. The logical conclusion is that we must act as if the Russian government has control of all the networks it has penetrated.

A do-over is mandatory and entire new networks need to be built and isolated from compromised networks, he wrote.

As of Friday afternoon, the US president had still said nothing to address the attack.

The Republican senator and former presidential candidate Mitt Romney has criticized Trumps silence as unacceptable, particularly in response to an attack he said was like Russian bombers have been repeatedly flying undetected over our entire country.

Not to have the White House aggressively speaking out and protesting and taking punitive action is really, really quite extraordinary, Romney said.

So far, theres been tough talk but no clear plan from the president-elect.

We need to disrupt and deter our adversaries from undertaking significant cyberattacks in the first place, Biden said. We will do that by, among other things, imposing substantial costs on those responsible for such malicious attacks, including in coordination with our allies and partners.

Theres a lot we dont yet know, but what we do know is a matter of great concern, Biden said.

What we could have done is had a coherent approach and not been at odds with each other, said Fiona Hill, a Russia expert and former Trump National Security Council member, to PBS NewsHour this week, criticizing conflict and dysfunction within the Trump administration and between the US and its allies on Russia-related issues.

If we dont have the president on one page and everybody else on another, and were working together with our allies to push back on this, that would have a serious deterrent effect, Hill said.

Other cybersecurity experts said the federal government could also do more to simply keep up to date on cybersecurity issues, and said the Trump administration had failed on this front, including by eliminating the positions of White House cybersecurity coordinator and state department cybersecurity policy chief.

Its been a frustrating time, the last four years. I mean, nothing has happened seriously at all in cybersecurity, said Brandon Valeriano, a Marine Corps University scholar and adviser to a US cyber defense commission, to the Associated Press.

Some experts are arguing that the US government needs to do more to punish Russia for its apparent interference. The federal government could impose formal sanctions on Russia, as when the Obama administration expelled Russian diplomats in retaliation for Kremlin military hackers meddling in Donald Trumps favor in the 2016 election. Or the US could fight back more covertly by, for instance, making public details of Putins own financial dealings.

But, as the Guardians Luke Harding pointed out, cyber attacks are cheap, deniable, and psychologically effective, and Bidens options for responding to Russias aggression are limited.

The answer eluded Barack Obama, who tried unsuccessfully to reset relations with Putin. The person who led this doomed mission was the then secretary of state, Hillary Clinton, herself a Russian hacking victim in 2016, Harding wrote.

SolarWinds may face legal action from private customers and government entities affected by the breach. The company filed a report with the Securities and Exchange Commission on Tuesday detailing the hack.

In it, the company said total revenue from affected products was about $343m, or roughly 45% of the firms total revenue. SolarWinds stock price has fallen 25% since news of the breach first broke.

Moodys Investors Service said Wednesday it was looking to downgrade its rating for the company, citing the potential for reputational damage, material loss of customers, a slowdown in business performance and high remediation and legal costs.

The Associated Press contributed reporting.

See the original post:

What we know and still dont about the worst-ever US government cyber attack - The Guardian