Hack May Have Revealed Deep American Secrets; damage still unknown

BOSTON (AP) – Some of America’s most deeply held secrets may have been stolen during a disciplined, months-long operation blamed on elite Russian government hackers. The possibilities of what could have been stolen are mind-boggling.

Could hackers have obtained nuclear secrets? Data on the COVID-19 vaccine? Blueprints for next-generation weapons systems?

It takes weeks, in some cases maybe years, for digital sleuths to scour the networks of the US government and private industry to find the answers. These hackers are consummate professionals at covering their tracks, experts say. Some theft may never be discovered.

What seems clear is that this campaign – which, according to cybersecurity experts, displays the tactics and techniques of Russia’s foreign intelligence agency SVR – will be among the most prolific in the annals of cyber espionage.

U.S. government agencies, including the Treasury and Commerce departments, were among dozens of high-value public and private sector targets known to have been infiltrated as early as March through a commercial software update distributed to thousands of companies and government agencies worldwide. A statement from the Pentagon on Monday indicated it was using the software. It said it had “issued guidelines and guidelines to protect its networks.” It wouldn’t say – for “operational security reasons” – whether any of its systems may have been hacked.

On Tuesday, Acting Secretary of Defense Chris Miller told CBS News there was no evidence of a compromise so far.

In the months since the update came out, the hackers have carefully exfiltrated data, often encrypting it so it wasn’t clear what was being taken, and expertly covered their tracks.

Thomas Rid, a cyber conflict expert at Johns Hopkins, said the campaign’s likely effectiveness can be compared to the three-year ‘Moonlight Maze’ hacking of US government targets in the 1990s, including NASA and the Pentagon. An American investigation determined that the height of the stolen documents – if printed and stacked – would be triple the height of the Washington Monument.

In this case, “some piles of Washington Monument documents that they took from various government agencies are probably a realistic estimate,” Rid said. “How would they use that? They probably don’t know yet.”

The Trump administration has not said which agencies have been hacked. And so far no victims from the private sector have emerged. Traditionally, defense contractors and telecommunications companies have been popular targets of state-sponsored cyber spies, Rid said.

Intelligence agents typically seek the latest information on weapon technologies and missile defense systems – everything essential to national security. They also develop files on rival government employees, possibly for recruitment as spies.

President Donald Trump’s national security adviser, Robert O’Brien, cut short a trip abroad to hold meetings about the hack and would convene a top-level interagency meeting later this week, the White House said in a statement.

O’Brien was scheduled to return Saturday and had to scrap plans to visit officials in Italy, Germany, Switzerland and Great Britain, said an official familiar with his travel schedule who was not authorized to discuss it and spoke on condition of anonymity.

Earlier, the White House said a coordinating team had been set up to respond, including the FBI, the Department of Homeland Security, and the Office of the Director of National Intelligence.

During a briefing to Congressional executives on Monday, DHS did not say how many agencies were hacked, a reflection of how little the Trump administration has shared with Congress on the matter.

Critics have long complained that the Trump administration has failed to tackle snowballing cybersecurity threats, including ransomware attacks that have hampered state and local governments, hospitals and even high schools.

“It has been a frustrating time for the past four years. I mean, nothing serious has happened in the cybersecurity field at all,” said Brandon Valeriano, a Marine Corps University scientist and advisor to the Cyber Solarium Commission, created by Congress to help strengthen the country’s cyber defenses. “It’s hard to find anything that we’ve moved on with.”

Trump eliminated two major government positions: the White House cybersecurity coordinator and the State Department’s head of cybersecurity policy.

Valeriano said one of the few bright spots was the work of Chris Krebs, the head of the Cybersecurity and Infrastructure Security Agency, whom Trump fired for defending the integrity of the election in the face of Trump’s false claims of widespread fraud.

Hackers infiltrated government agencies by piggybacking malicious code on commercial network management software from SolarWinds, a Texas company, as early as March.

The campaign was discovered by cybersecurity firm FireEye when it discovered it had been hacked – it announced the breach on December 8 – and alerted the FBI and other federal agencies. FireEye Director Charles Carmakal said it was aware of “dozens of incredibly valuable targets” infiltrated by the hackers and “helped a number of organizations respond to their break-ins.” He did not want to name any and said he expected many more to learn in the coming days that they too were in danger.

Carmakal said the hackers would have activated remote-access back doors only on targets sure to have valuable data. It is manual, demanding work, and moving around networks risks detection.

The SolarWinds campaign highlights the lack of mandatory minimum security rules for commercial software used on federal computer networks. Zoom video conferencing software is another example. It was approved for use on federal computer networks last year, but security experts discovered several vulnerabilities that could be exploited by hackers – after federal workers sent home by the pandemic started using it.

Representative Jim Langevin, a Rhode Island Democrat and member of the Cyberspace Solarium Commission, said the breach reminded him of the 2015 Chinese hack of the U.S. Office of Personnel Management, in which the data of 22 million federal employees and government job applicants were stolen.

It highlights the need, he said, for a national cyber director in the White House, a position that is subject to confirmation by the Senate. Congress approved such a position in a recently passed bill.

“In all different departments and agencies, cybersecurity will never be their primary mission,” said Langevin.

Trump has threatened to veto the bill over objections to unrelated provisions.

—-

Associated Press writers Ben Fox, Deb Riechmann and Lolita Baldor in Washington and Matt O’Brien in Providence, Rhode Island contributed to this report.
