House and Senate Intelligence Committee aides received a phone briefing on the hack from administration officials on Wednesday, but the full extent of the breach remains unclear, according to sources familiar with the briefing. The Biden transition team was also briefed on the attack this week, an official from the Department of Homeland Security’s cyber arm told CNN. The official declined to provide additional details about what was discussed.
While relevant agencies continue to investigate the incident, the cybersecurity firm FireEye disclosed Wednesday that the malicious software contains a “killswitch” that can be used to shut it down. But even after deactivating the malware, there is a chance that affected systems may remain accessible to the attackers, a FireEye spokesperson said.
At the same time, US officials are already facing mounting pressure to retaliate against Russia, even as they scramble to address the vulnerabilities that were exploited and to formally identify the perpetrator.
Even as officials continue to grapple with the immediate fallout from the attack, its seriousness is already coming into view, as are the glaring shortcomings of American cyber defenses that were exposed.
News of the intrusions comes at a highly sensitive time, in the middle of a presidential transition. President-elect Joe Biden’s transition team has been meeting with the various agencies as it prepares to take over. On Monday, his staff was briefed by officials on the massive intrusion, an official from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency said.
Biden himself would also presumably have been given details in his daily classified briefing.
US officials and cybersecurity experts are warning that the incident should serve as a wake-up call for both the federal government, including the incoming Biden administration, and private sector companies, as foreign actors will undoubtedly conduct similar attacks and improve their tactics in the future.
In the short term, the effort to catalog which agencies were hit and what information may have been accessed or stolen has shaken the nation’s intelligence agencies, according to one former Trump administration official, who added that the fallout has led to more than a little finger pointing.
“There is a feeling of widespread dread in the national security community,” the former official said.
President Donald Trump has yet to acknowledge the hack despite the rapidly growing list of agencies in his administration that were affected, though the National Security Council and White House spokeswoman Kayleigh McEnany have commented on the breach. Secretary of State Mike Pompeo was asked about the intrusion on Monday and acknowledged it was consistent Russian efforts to breach servers belonging to American government agencies and businesses, but would not give any additional details.
CNN has previously reported that the systems belonging to at least three agencies — the Departments of Agriculture, Commerce and Homeland Security — were compromised by a vulnerability found in a third-party software vendor’s network management tool. The Washington Post reported the Treasury Department was also affected. Other national security agencies, including the Department of Defense, are currently investigating whether their networks may have been affected.
“It’s knowable, but it takes a fair amount of forensic work” to know the full extent of the intrusions, former National Security Agency general counsel Glenn Gerstell said. “It’s going to take a long time.”
“The problem is that until we know exactly what they did and what they had access to, you can’t do something other than metaphorically unplug the system,” Gerstell added. “That’s a big problem, that’s not a mitigation, you don’t apply a patch and it’s fixed.”
That uncertainty only raises the stakes of what is already the most significant government breach in years.
“The United States faces untold numbers of cyber threats from malicious foreign actors, both to the government agencies and private industry, and sometimes both at the same time,” the Democratic chairman of the House Intelligence Committee, Rep. Adam Schiff, said in a statement Wednesday after his panel was briefed on the attack by the Office of the Director of National Intelligence, the National Security Agency and the FBI.
“The seriousness and duration of this attack demonstrate that we still have enormous and urgent work to do to defend our critical information and networks, that we must move quicker than our adversaries do to adapt,” he added.
The intrusions are believed to have begun in the spring, according to forensic analysis by FireEye, which also disclosed its own breach linked to the vulnerability earlier this month.
CNN previously reported that a Russian-linked group, known as APT29, was behind the FireEye hack.
Many of the investigations will try to determine what the hackers did with the information they were able to stealthily access for months. So far, the operation, which bears all the hallmarks of a Russian-backed actor, appears to be a wide ranging espionage campaign intended to compromise as many key public and private sector networks as possible, several cybersecurity experts told CNN.
The US government’s ability to carry out its investigation is uneven and may vary by agency, said Chris Kubic, chief information security officer at Fidelis Cybersecurity and a former top cybersecurity official at the National Security Agency.
“If they don’t have the right tools in place, if they aren’t collecting the application logs, the system logs that allow them to do the analysis, it can be difficult for them to determine what was exposed,” Kubic said.
The sophistication of the almost yearlong spying operation has revealed weaknesses and gaps in a system called Einstein that DHS’ Cybersecurity and Infrastructure Security Agency uses to protect federal agencies.
Congress is going to want to know “why it’s not working as advertised” after allocating billions of dollars for the system, a former senior DHS official told CNN. The system is based on finding known malicious activity, the former official said, but if you “don’t know what you are looking for it’s a problem.”
Einstein wasn’t set up to detect the way the actors got in, through a backdoor in software updates, said Gerstell, the senior former NSA official.
“CISA is only a few years old, it’s under-resourced, it has deficiencies in its authorities,” Gerstell said. “It takes years to build the depth of expertise you need to do the job across the government. This is a multiyear effort, and the bad guys have had years of a head start. I think in some areas the gap is widening rather than closing.”
“The workforce will do the best that they can, but that is not a replacement for experience and confirmed leadership. Without Senate-confirmed leadership an agency doesn’t have an ability to get a lot of attention at the White House and get the support that they need to have a whole-of-government response,” said Carrie Cordero, senior fellow and general counsel at the Center for a New American Security and a CNN legal and national security analyst.
A Pentagon spokesperson said Wednesday that the forensic review of department networks continues but that there is currently nothing definitive to share.
Vice Adm. Nancy Norton, director of the Defense Information Systems Agency, issued a statement later Wednesday saying: “We are aware of the wide-spread and evolving cyber incident. We continue to assess our DOD Information Networks for indicators of compromise and take targeted actions to protect our systems beyond the defensive measures we employ each day. To date, we have no evidence of compromise of the Defense Information Systems Agency.”
Meanwhile, the intelligence community “continues to share information with US government agencies what they have learned about the attack” and is “marshaling all of its relevant resources to support this effort and share information across the United States Government,” a spokesperson from the Office of the Director of National Intelligence told CNN on Wednesday.
Still, the full impact of the breach may never be known, experts tell CNN, pointing to the fact that even if the hackers accessed only unclassified data, such as email addresses, that information can be used to engineer sophisticated phishing campaigns that would likely be impossible to trace back to the current incident.
“One of the big concerns, particularly on the US government side, is that the first thing the attackers went for were email systems,” according to Oren Falkowitz, a former NSA official who’s the CEO of the cybersecurity firm Area 1.
Email is the largest business application in the world and a significant amount of valuable data can be extracted from the inboxes of government and private-sector employees, he told CNN.
Compromised emails could easily provide a foreign government an edge in diplomatic negotiations or other sensitive dealings, said Kubic.
Additionally, having access to email servers can help attackers, who often want to launch additional phishing campaigns, Falkowitz added. “Once you get access into the email servers, you can masquerade or pretend to be a legitimate user, and now your attacks can be even more sophisticated.”
Hackers target ‘soft underbelly’ of US national security
The malware that enabled the hack was also found in thousands of organizations in the private sector, complicating the analysis. It isn’t clear whether the attackers specifically targeted any companies for intrusion. But according to FireEye, many companies in the tech, telecom, consulting and energy sectors were vulnerable because they had installed the legitimate software updates in which the hackers’ malicious code was hiding.
That has touched off a scramble at major companies to try to determine if they were hit by the spying campaign, too. On Wednesday, Comcast told CNN it has embarked on an assessment of its systems based on data breach disclosures by the software company at the center of the crisis, SolarWinds.
“As soon as we learned of the SolarWinds incident on Sunday, we quickly activated a series of internal security protocols to mitigate any potential impact,” Comcast told CNN in a statement. “We are conducting a thorough internal review, but at this time, we have no reason to believe that any Comcast data or customer data was compromised in connection with the use of SolarWinds products.”
Hundreds of other private-sector firms, including many in the Fortune 1000, also had their networks compromised in these hacks, according to Cedric Leighton, a former NSA official and a CNN military analyst who runs his own cybersecurity and defense consulting firm.
And that number is likely far higher, as the breach may affect not only direct customers of Solar Winds but those customers’ own clients as well, Jennifer Bisceglie, CEO of Interos, a supply chain risk-management firm, told CNN. “The supply chain is proving out to be the soft underbelly of the global economy. And so we have a lot of customers asking us where SolarWinds is in our extended supply chain.”
This story has been updated with more details and expert commentary.
CNN’s Jeremy Herb and Geneva Sands contributed to this report.