Federal security agencies finally confirmed that the massive hack of state and private computer systems exposed in mid-December was likely Russian in origin. A January 5 joint task force statement was one of the first by a government reluctant to share many details about the hack, possibly because President Trump refuses to acknowledge that Russia was the most likely culprit.
The hackers reportedly managed to break into several US government agencies in what could be – or maybe ever – the biggest hack into government systems since the Obama administration. The intrusion went undetected until December when a cybersecurity company that makes hacking tools discovered its own systems were breached. This means that malware injected into third-party software may have given hackers access to various government systems for months.
The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of the National Intelligence Service (ODNI) and the National Security Agency (NSA) are working together to investigate the breach. On January 5, the joint task force issued a statement confirming that they believe the hackers were Russian and that the attacks are "still ongoing" despite efforts to stop the intruders.
"This work shows that an Advanced Persistent Threat (APT) actor, likely of Russian origin, is responsible for most or all of the recently discovered persistent cyber compromises by both state and non-state networks," said the Explanation. “At this point, we believe this was and will be an information-gathering effort. We are taking all necessary steps to understand the full scope of this campaign and respond accordingly. "
The statement said the task force found "fewer than 10" government agencies that had previously been compromised, but did not specify which ones. The trade and energy departments have confirmed that they have been hacked. The Treasury and State Department, Department of Homeland Security, parts of the Pentagon and the National Institutes of Health are also reportedly affected.
But the Trump administration, which said little about the attack, was reluctant to blame Russia for it. The president even tweeted that it may have originated in China and is under control. However, according to this new statement, it did not come from China and is certainly not under control.
What we know about Russia's engagement – despite President Trump's tweets suggesting otherwise
According to anonymous officials, the hackers are a Russian group known as Cozy Bear, also known as APT29, who were also behind the hack of the Democratic National Committee and Hillary Clinton campaign staff during their 2016 campaign and the 2014 White hack Unclassified networks of the House and the Department of State. Cozy Bear is also believed to be behind the recent attacks on various organizations developing Covid-19 vaccines. The group is linked to Russian intelligence, although Russia has denied any involvement – a position it now maintains.
"Malicious activity in the information space contradicts the principles of Russian foreign policy, national interests and our understanding of international relations," the Russian embassy said in a December statement. "Russia is not conducting offensive cyber operations."
The Trump administration was initially reluctant to officially say much about the hack or blame a particular country. A day after CISA publicly recognized the hack, Secretary of State Mike Pompeo told Breitbart Radio News that Russia may be behind it, but possibly China or North Korea as well.
The senators of both parties had more to say at the time. Senator Dick Durbin (D-IL) called it "practically a declaration of war by Russia on the United States," while Senator Richard Blumenthal (D-CT) said the classified information he received about "Russia's cyber attack" made him feel "Deeply alarmed, actually downright scared." Senator Mitt Romney (R-UT) likened the attack to "Russian bombers … repeatedly flying undetected across our country". He criticized America's "apparently inadequate" cybersecurity defenses and the "inexcusable silence and inaction "of the President in response.
Following these statements, Pompeo told another conservative radio talk show that the Russians were "pretty clearly" behind the hack.
However, President Donald Trump appeared to have received different information than anyone else. In his initial comments on the hack, almost a week after it was first reported, Trump tweeted that it was overdone and "under control" in the press, adding that China "may" be behind it and that the hack may be behind it is stuck with affected voting machines in the elections that he falsely still insists he has won. (There is no evidence that voting machines were affected or otherwise compromised by the hack.)
But Trump's former Homeland Security adviser Thomas Bossert said in a New York Times published in December that "the scale of this ongoing attack is difficult to exaggerate" and that it would take years to understand how widespread and harmful it is was.
How a weak link in a supply chain gave hackers access to the most secure systems
The hacks are believed to have started in March last year with Orion Platform network monitoring software, made by a Texas company called SolarWinds. The hackers were somehow able to inject malware into Orion Platform software updates that gave hackers access to those systems after they were installed. This is known as a supply chain attack.
SolarWinds has more than 300,000 customers worldwide including the US military, the Pentagon, the Department of Justice, the Department of State, the Department of Commerce, the Treasury, and more than 400 Fortune 500 companies. But not all of these customers used the Orion platform. SolarWinds estimates fewer than 18,000 customers were potentially affected, according to the Washington Post. The New York Times reported that 250 government and corporate networks were accessed. The Wall Street Journal identified two dozen companies, including Cisco, Intel, and Deloitte, that were victims of the hack.
SolarWinds has now released software updates that correct the vulnerability and "apologizes for any inconvenience."
SolarWinds doesn't seem like the only attack vector. After previous rejections, Microsoft confirmed on New Year's Eve that its Office 365 software was also being targeted by "a very sophisticated nation-state actor" through its software resellers, but the company didn't believe that hackers could do much more than see source code.
FireEye, a cybersecurity company that was also a victim of the SolarWinds hack, has named this malware "SUNBURST". (Microsoft called it "Solorigate".) FireEye was reportedly the first company to discover the hack – apparently not the government agencies tasked with protecting the country's cybersecurity infrastructure.
The commercial department was one of the first to confirm this a violation of one of its agencies but did not specify which one was hit. Citing anonymous sources, Reuters reported that the national telecommunications and information administration was the agency concerned and that hackers had had access to employee email for months. The Department of Energy also said it found malware on its corporate networks but did not interfere with "essential national security functions of the mission".
The Ministries of Finance, State, Agriculture and Homeland Security and the National Institutes of Health are believed to be also affected, but they have not officially confirmed whether this is the case. How extensive the hacks were or which systems were affected in these departments was also not published.
Unlike the current president, President-elect Joe Biden responded quickly and insistently to news of the hack.
"My administration will make cybersecurity a top priority at all levels of government – and we will make dealing with this breach a top priority from the time we take office," Biden said in a statement. “We have to disrupt our opponents and prevent them from carrying out significant cyber attacks in the first place. We will do this by, among other things, imposing significant costs on those responsible for such malicious attacks, also in coordination with our allies and partners. Our opponents should know that, as President, I will not stand idly by in the face of cyber attacks on our nation. "
Open Sourced is made possible by Omidyar Network. All open sourced content is editorially independent and is produced by our journalists.
Support Vox explanatory journalism
At Vox, we want to answer your most important questions every day and provide you and our audiences around the world with information that empowers you through understanding. Vox's work reaches more people than ever before, but our distinctive brand of explanatory journalism is consuming resources. Your financial contribution is not a donation, but it does allow our staff to continue offering free articles, videos and podcasts to everyone who needs them. Please consider contributing to Vox today, starting at $ 3.