US officials and private sector experts investigating the massive data breach that has rocked Washington increasingly believe the attackers were ultimately discovered because they took a more aggressive “calculated risk” that led to a possible “unforced error” as they tried to expand their access within the network they had penetrated months earlier without detection, according to a US official and two sources familiar with the situation.
Investigators still haven’t confirmed the motives of the attackers as they work both to uncover the full scope of the attack and assign blame for the campaign that impacted at least half a dozen government agencies and potentially hundreds of private companies. The incursion was first uncovered by the cybersecurity firm FireEye after its own network was breached.
FireEye was tipped off to the hackers’ presence when they attempt to move laterally within the firm’s network, according to the sources, a move that suggested the hackers were targeting sensitive data beyond emails addresses or business records. Whether that exposure was the result of a mistake by the attackers or because they took a calculated risk remains unclear, the sources said.
“At some point, you have to risk some level of exposure when you’re going laterally to get after the things that you really want to get. And you’re going to take calculated risks as an attacker,” one source familiar with the investigation said.
Multiple entry points
Last week, FireEye acknowledged in a statement that the breach “occurred when the hackers, who already had an employee’s credentials, used those to register their own device to FireEye’s multi-factor authentication system so they could receive the employee’s unique access codes.”
FireEye has declined to provide additional details about how the hackers were ultimately discovered after evading detection for months, citing an ongoing investigation into the matter. The Cybersecurity and Infrastructure Security Agency also declined to comment. US officials and experts warn the hackers used multiple entry points to breach these networks, some of which have not yet been identified.
Now, the hackers are attempting to salvage what access they can as the US government and private sector are “burning it all down,” sources said, referring to their complete overhaul of networks, which will force the attackers to find new ways of getting the information they seek.
Meanwhile, US officials continue to grapple with the fallout and assess just how successful the operation was, the US official said, noting that it is clear the nation-state responsible invested significant time and resources into the effort.
While the scope of the hacking campaign remains unclear, government agencies that have disclosed they were impacted have said there is no evidence to date that classified data was compromised.
But the way the hackers were discovered suggests the operation was intended to steal sensitive information beyond what was available on unclassified networks and sought to establish long-standing access to various targeted networks, the sources said.
The fact that FireEye — not the federal government — discovered the breach has also raised questions about why the attack went undetected at US government agencies.
Speaking to reporters Tuesday, President-elect Joe Biden knocked President Donald Trump’s administration over hack, charging that “the Trump administration failed to prioritize cybersecurity.”
“This assault happened on Donald Trump’s watch when he wasn’t watching,” Biden said. “It is a grave risk, and it continues. I see no evidence that it’s under control. I’ve seen none.”
Biden also charged that the Pentagon is failing to brief his transition team on the extent of the hack. On Wednesday, a senior defense official denied that was the case.
“The question of the damage done remains to be determined,” Biden said Tuesday. “We have to look at very closely the nature of the breaches, how extensive they are and what damage has been done.”
When Biden takes office next month, the hack will pose an immediate challenge, as it’s expected to take weeks or months to truly understand the extent of the damage to US agencies. Biden is also likely to have to decide how to respond if the federal government formally attributes the hack to Russia, which members of Trump’s administration and lawmakers have said is likely.
“I believe that when I learn the extent of the damage, and in fact who’s formally responsible, they can be assured that we will respond,” Biden said Tuesday. “We’ll probably respond in kind. We have many options, which I will not discuss now.”
Lawmakers on the relevant committees are also pushing to learn more about the extent of the hack, why it took so long to be discovered, and why it was a private company that ultimately unearthed the breach. Congressional committees have been briefed both by US officials from the intelligence community and other agencies, as well as by FireEyes, a sign of the company’s importance to understanding the data breach, lawmakers and aides say.
“If the public reporting is accurate that it was the private sector that discovered this, that’s another big question that our agencies are going to have to answer, which is, why didn’t you catch this?” House Intelligence Chairman Adam Schiff said on MSNBC.
While a private company spotted the breach, a private sector contractor, SolarWinds, was at least one of the entry points hackers used to break into government networks. The software that the suspected malware was delivered with, SolarWinds Orion, has as many as 18,000 global customers, including government agencies and Fortune 500 companies.
“The government itself may have pretty good protections, but when you have a software firm you’re contracting with and they send you a patch and you install it, turns out to not really be a patch but a back door for the Russians or Chinese or whoever wants to do something like this,” said Sen. Angus King, a Maine Independent who co-chaired a congressional commission, the Cyberspace Solarium Commission, to improve US cyber defenses.
Much of the federal government only learned of one of the country’s worst-ever cybersecurity incidents from public reporting and disclosures from private firms. Lawmakers predict there will be efforts next year both to strengthen the US defenses and improve government partnerships with the private sector.
But that remains a complicated proposition.
“It’s very clear from this that we’re going to need to set up more partnerships between government and private companies,” Rep. Jim Himes, a Connecticut Democrat on the House Intelligence Committee, told CNN. “We’re going to need to have a tough conversation about whether we want to make it easier for the government to look at private companies’ networks and products. That’s a very tough conversation because there’s civil liberties in the mix there.”
Sen. Mark Warner of Virginia, the top Senate Intelligence Committee Democrat, told CNN’s Poppy Harlow on Tuesday there should be a reexamination of reporting requirements after data breaches for both private companies and government agencies.
“If you are a public company, you have to report at the end of the quarter, but there is no immediate requirement to report” for government entities, Warner said. “These are all things that leave us much more vulnerable.”