Nearly a week after the US government announced that multiple federal agencies had been targeted by a sweeping cyber attack, the full scope and consequences of the suspected Russian hack remain unknown.
Key federal agencies, from the Department of Homeland Security to the agency that oversees America’s nuclear weapons arsenal, were reportedly targeted, as were powerful tech and security companies, including Microsoft. Investigators are still trying to determine what information the hackers may have stolen, and what they could do with it.
Donald Trump has still said nothing about the attack, which federal officials said posed a “grave risk” to every level of government. Joe Biden has promised a tougher response to cyber attacks but offered no specifics. Members of Congress are demanding more information about what happened, even as officials scrambling for answers call the attack “significant and ongoing”.
Here’s a look at what we know, and what we still don’t, about the worst-ever cyber attack on US federal agencies.
What happened?
The hack began as early as March, when malicious code was snuck into updates to a popular software called Orion, made by the company SolarWinds, which provides network-monitoring and other technical services to hundreds of thousands of organizations around the world, including most Fortune 500 companies and government agencies in North America, Europe, Asia and the Middle East.
That malware in the updates gave elite hackers remote access to an organization’s networks so they could steal information. The apparent months-long timeline gave the hackers ample opportunity to extract information from many targets, including monitoring email and other internal communications.
Microsoft called it “an attack that is remarkable for its scope, sophistication and impact”.
Who has been affected so far?
At least six US government departments, including the energy, commerce, treasury and state departments, are reported to have been breached. The National Nuclear Security Administration’s networks were also breached, Politico reported on Thursday.
Dozens of security and other technology firms, as well as non-governmental organizations, were also affected, Microsoft said in a statement Thursday. While most of those affected by the attack were in the US, Microsoft said it had identified additional victims in Canada, Mexico, Belgium, Spain, the United Kingdom, Israel and the United Arab Emirates.
“It’s certain that the number and location of victims will keep growing,” Microsoft added.
Who is responsible for the attack?
While the US government has not yet officially named who is responsible for the attack, US officials have told media outlets they believe Russia is the culprit, specifically SVR, Russia’s foreign intelligence outfit.
Andrei Soldatov, an expert on Russia’s spy agencies and the author of The Red Web, told the Guardian he believes the hack was more likely a joint effort of Russia’s SVR and FSB, the domestic spy agency Putin once headed.
Russia has denied involvement: “One shouldn’t unfoundedly blame the Russians for everything,” a Kremlin spokesman said on Monday.
The infiltration tactic involved in the current hack, known as the “supply-chain” method, recalled the technique Russian military hackers used in 2016 to infect companies that do business in Ukraine with the hard-drive-wiping NotPetya virus – the most damaging cyber-attack to date.
What information has been stolen, and how is it being used?
That’s remains deeply unclear.
“This hack was so big in scope that even our cybersecurity experts don’t have a real sense yet in the terms of the breadth of the intrusion itself,” Stephen Lynch, the head of the House of Representatives’ oversight and reform committee, said after attending a classified briefing Friday.
Thomas Rid, a Johns Hopkins cyberconflict expert, told the Associated Press that it was likely that the hackers had harvested such a vast quantity of data that “they themselves most likely don’t know yet” what useful information they’ve stolen.
What can be done to fix the networks that have been compromised?
That’s also unclear, and potentially very difficult.
“Removing this threat actor from compromised environments will be highly complex and challenging for organizations,” said a statement from the Cybersecurity and Infrastructure Security Agency (Cisa) on Thursday.
One of Trump’s former homeland security advisers, Thomas Bossert, has already said publicly that a real fix may take years, and be both costly and challenging.
“It will take years to know for certain which networks the Russians control and which ones they just occupy,” Bossert wrote in a New York Times op-ed on Wednesday. “The logical conclusion is that we must act as if the Russian government has control of all the networks it has penetrated.”
“A ‘do-over’ is mandatory and entire new networks need to be built – and isolated from compromised networks,” he wrote.
How has Trump responded?
As of Friday afternoon, the US president had still said nothing to address the attack.
The Republican senator and former presidential candidate Mitt Romney has criticized Trump’s silence as unacceptable, particularly in response to an attack he said was “like Russian bombers have been repeatedly flying undetected over our entire country”.
“Not to have the White House aggressively speaking out and protesting and taking punitive action is really, really quite extraordinary,” Romney said.
How has Biden responded?
So far, there’s been tough talk but no clear plan from the president-elect.
“We need to disrupt and deter our adversaries from undertaking significant cyberattacks in the first place,” Biden said. “We will do that by, among other things, imposing substantial costs on those responsible for such malicious attacks, including in coordination with our allies and partners.”
“There’s a lot we don’t yet know, but what we do know is a matter of great concern,” Biden said.
Could this attack have been prevented or deterred?
“What we could have done is had a coherent approach and not been at odds with each other,” said Fiona Hill, a Russia expert and former Trump National Security Council member, to PBS NewsHour this week, criticizing conflict and dysfunction within the Trump administration and between the US and its allies on Russia-related issues.
If “we don’t have the president on one page and everybody else on another, and we’re working together with our allies to push back on this, that would have a serious deterrent effect”, Hill said.
Other cybersecurity experts said the federal government could also do more to simply keep up to date on cybersecurity issues, and said the Trump administration had failed on this front, including by eliminating the positions of White House cybersecurity coordinator and state department cybersecurity policy chief.
“It’s been a frustrating time, the last four years. I mean, nothing has happened seriously at all in cybersecurity,” said Brandon Valeriano, a Marine Corps University scholar and adviser to a US cyber defense commission, to the Associated Press.
What options does the US have to respond politically to this kind of attack?
Some experts are arguing that the US government needs to do more to punish Russia for its apparent interference. The federal government could impose formal sanctions on Russia, as when the Obama administration expelled Russian diplomats in retaliation for Kremlin military hackers’ meddling in Donald Trump’s favor in the 2016 election. Or the US could fight back more covertly by, for instance, making public details of Putin’s own financial dealings.
But, as the Guardian’s Luke Harding pointed out, cyber attacks are “cheap, deniable, and psychologically effective”, and Biden’s options for responding to Russia’s aggression are limited.
“The answer eluded Barack Obama, who tried unsuccessfully to reset relations with Putin. The person who led this doomed mission was the then secretary of state, Hillary Clinton, herself a Russian hacking victim in 2016,” Harding wrote.
What are other potential consequences of the hack?
SolarWinds may face legal action from private customers and government entities affected by the breach. The company filed a report with the Securities and Exchange Commission on Tuesday detailing the hack.
In it, the company said total revenue from affected products was about $343m, or roughly 45% of the firm’s total revenue. SolarWinds’ stock price has fallen 25% since news of the breach first broke.
Moody’s Investors Service said Wednesday it was looking to downgrade its rating for the company, citing the “potential for reputational damage, material loss of customers, a slowdown in business performance and high remediation and legal costs”.
The Associated Press contributed reporting.
Source: US Politics - theguardian.com
