Speaking at a private dinner for technology security executives at the St Regis Hotel in San Francisco in late February, the US’ cyberdefense chief boasted how well his organizations protect the country from spies.
US teams were “understanding the adversary better than the adversary understands themselves,” US National Security Agency (NSA) Director Paul Nakasone said, according to a Reuters reporter present at the Feb. 26 dinner. His speech has not been previously reported.
Yet even as he spoke, hackers were embedding malicious code into the network of Texas software developer SolarWinds Corp, according to a timeline published by Microsoft and to more than a dozen government and corporate cyberresearchers.
A little more than three weeks after that dinner, the hackers began a sweeping intelligence operation that has penetrated the heart of the US government, and numerous companies and other institutions around the world.
The results of that operation came to light on Dec. 13, when Reuters reported that suspected Russian hackers had gained access to e-mails of the US departments of the treasury and commerce.
Since then, US officials and researchers say that they believe that at least half a dozen US government agencies have been infiltrated and thousands of companies infected with malware in what appears to be one of the biggest such hacks ever uncovered.
US Secretary of State Mike Pompeo on Friday last week said that Russia was behind the attack, calling it “a grave risk” to the US. Russia has denied involvement.
Revelations of the attack come at a vulnerable time, as Washington grapples with a contentious presidential transition and a spiraling public health crisis.
It also reflects a new level of sophistication and scale, hitting numerous US agencies and threatening to inflict far more damage to public trust in US cybersecurity infrastructure than previous acts of digital espionage.
Much remains unknown — including the motive or ultimate target. Seven US government officials have told Reuters that they are largely in the dark about what information might have been stolen or manipulated — or what it would take to undo the damage.
The last known breach of US federal systems by suspected Russian intelligence — when hackers in 2014 and 2015 gained access to the unclassified e-mail systems at the White House, the US Department of State and the US Joint Chiefs of Staff — took years to unwind.
US President Donald Trump on Saturday last week downplayed the hack and Russia’s involvement, saying that it was “under control” and that China could be responsible.
He accused the “fake news media” of exaggerating its extent.
However, the US National Security Council (NSC) acknowledged that a “significant cyber incident” had taken place.
“There will be an appropriate response to those actors behind this conduct,” NSC spokesman John Ullyot said, but did not respond to a question on whether Trump had evidence of Chinese involvement in the attack.
Several government agencies, including the NSA and the US Department of Homeland Security, have issued technical advisories on the situation. Nakasone and the NSA declined to comment for this story.
US lawmakers said that they were struggling to get answers from the departments they oversee, including the Department of the Treasury.
One US Senate staffer said that his boss knew more about the attack from the media than the government.
The hack first came into view early this month, when US cybersecurity firm FireEye disclosed that it had been a victim of the very kind of cyberattack that clients pay it to prevent.
Publicly, the incident initially seemed mostly like an embarrassment for FireEye. However, hacks of security firms are especially dangerous because their tools often reach deeply into the computer systems of their clients.
Days before the hack was revealed, FireEye researchers knew something troubling was afoot, and contacted Microsoft and the FBI, three people involved in those communications told Reuters. Microsoft and the FBI declined to comment.
Their message: FireEye has been hit by an extraordinarily sophisticated cyberespionage campaign carried out by a nation-state, and its own problems were likely just the tip of the iceberg.
About half a dozen researchers from FireEye and Microsoft set about investigating, two sources familiar with the response effort said.
They found that at the root of the problem was something that strikes dread in cybersecurity professionals: so-called supply-chain compromises, which in this case involved using software updates to install malware that can spy on systems, exfiltrate information and potentially wreak other types of havoc.
In 2017, Russian operatives allegedly used the technique to knock out private and government computer systems across Ukraine, after hiding a piece of malicious code in a widely used accountancy program that was then used to deploy a destructive virus known as NotPetya. Russia has denied that it was involved.
The malware quickly infected computers in scores of other countries, crippling businesses and causing hundreds of millions of US dollars of damage.
The latest US hack employed a similar technique: SolarWinds said that its software updates had been compromised and used to surreptitiously install malicious code in nearly 18,000 customer systems. Its Orion network management software is used by hundreds of thousands of organizations.
Once downloaded, the program signaled back to its operators where it had landed. In some cases, where access was especially valuable, the hackers used it to deploy more active malicious software to spread across its host.
In some of the attacks, the intruders combined the administrator privileges granted to SolarWinds with Microsoft’s Azure cloud platform — which stores customers’ data online — to forge authentication tokens.
Those gave them far longer and wider access to e-mails and documents than many organizations thought was possible.
Hackers could then steal documents through Microsoft’s Office 365, the online version of its most popular business software, the NSA said on Thursday last week in an unusual technical public advisory.
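As an added illustration, not code from the article or from any of the firms it names: a defender-side check that flags SAML assertions whose validity window, issuer or signing certificate is out of policy, the kind of anomaly an unusually long-lived forged token would show. The issuer entity ID, the certificate bytes, the one-hour policy and both sample assertions are constructed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-ins for the identity provider's real signing certificate (DER bytes).
TRUSTED_DER = b"constructed-idp-signing-certificate"
TRUSTED_THUMBPRINTS = {hashlib.sha1(TRUSTED_DER).hexdigest()}
EXPECTED_ISSUER = "https://idp.example.test/"   # assumed IdP entity ID
MAX_LIFETIME_HOURS = 1                          # assumed policy for SSO tokens

def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def assess_assertion(xml_text: str) -> list[str]:
    """Return policy findings for one SAML assertion; an empty list means clean."""
    findings = []
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != EXPECTED_ISSUER:
        findings.append(f"unexpected issuer {issuer!r}")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        findings.append("no Conditions element (no validity window)")
    else:
        hours = (_ts(cond.get("NotOnOrAfter")) - _ts(cond.get("NotBefore"))).total_seconds() / 3600
        if hours > MAX_LIFETIME_HOURS:
            findings.append(f"validity window of {hours:.0f}h exceeds {MAX_LIFETIME_HOURS}h policy")
    cert = root.findtext(".//ds:X509Certificate", namespaces=NS)
    if cert is None:
        findings.append("no signing certificate in assertion")
    else:
        thumb = hashlib.sha1(base64.b64decode(cert.strip())).hexdigest()
        if thumb not in TRUSTED_THUMBPRINTS:
            findings.append(f"signing certificate thumbprint {thumb[:12]}... not trusted")
    return findings

def _assertion(issuer, not_before, not_after, der):
    """Build a minimal constructed assertion; the signature value itself is omitted."""
    cert_b64 = base64.b64encode(der).decode()
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_after}"/>
</saml:Assertion>"""

# Constructed samples: a normal one-hour token and a year-long one with an unknown certificate.
NORMAL = _assertion(EXPECTED_ISSUER, "2020-12-13T10:00:00Z", "2020-12-13T11:00:00Z", TRUSTED_DER)
SUSPECT = _assertion(EXPECTED_ISSUER, "2020-12-13T10:00:00Z", "2021-12-13T10:00:00Z", b"constructed-rogue-certificate")

if __name__ == "__main__":
    for name, doc in (("normal", NORMAL), ("suspect", SUSPECT)):
        print(name, assess_assertion(doc) or ["clean"])
```

A token signed with the identity provider's own stolen key would pass the certificate check, which is why the lifetime and issuer checks are the ones that matter against the pattern described above.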
Microsoft also announced that it found malicious code in its systems.
A separate advisory issued by the US Cybersecurity and Infrastructure Security Agency on Thursday last week said that the SolarWinds software was not the only vehicle being used in the attacks and that the same group had likely used other methods to implant malware.
“This is powerful tradecraft, and needs to be understood to defend important networks,” Rob Joyce, a senior NSA cybersecurity adviser, wrote on Twitter.
It is unknown how or when SolarWinds was first compromised. According to researchers at Microsoft and other firms that have investigated the hack, intruders first began tampering with SolarWinds’ code as early as October last year, a few months before they were in a position to launch an attack.
Pressure is growing on the White House to act.
US Senator Marco Rubio said: “America must retaliate, and not just with sanctions.”
US Senator Mitt Romney likened the attack to repeatedly allowing Russian bombers to fly undetected over the US.
US Senator Dick Durbin called it “virtually a declaration of war.”
Democratic lawmakers said that they had received little information from the Trump administration beyond what is in the media.
“Their briefings were obtuse, sorely lacking in details and really seemed an attempt to provide us with the barest of minimum in information that they had to give us,” US Representative Debbie Wasserman Schultz, a Democrat, told reporters after a classified briefing.
Ullyot declined to comment on the congressional briefings.
The White House was “focused on investigating the circumstances surrounding this incident, and working with our interagency partners to mitigate the situation,” he said in a statement.
US president-elect Joe Biden has warned that his administration would impose “substantial costs” on those responsible.
US House of Representatives Intelligence Committee Chairman Adam Schiff said that Biden “must make hardening our networks — both public and private infrastructure — a major priority.”
The attack puts a spotlight on those cyberdefenses, reviving criticism that US intelligence agencies are more interested in offensive cyberoperations than in protecting government infrastructure.
“The attacker has the advantage over defenders. Decades worth of money, patents and effort have done nothing to change that,” said Jason Healey, a cyberconflict researcher at Columbia University and former White House security official in the administration of former US president George W Bush.
“Now we learn with the SolarWinds hack that if anything, the defenders are falling farther behind. The overriding priority must be to flip this, so that defenders have the easier time,” Healey said.