‘Powerful tradecraft’: how foreign cyber spies compromised America

(Reuters) - Speaking at a private dinner for tech security executives at the St. Regis Hotel in San Francisco in late February, America’s cyber defense chief boasted about how well his organizations protect the country from spies.

FILE PHOTO: The SolarWinds headquarters in Austin, Texas, U.S., December 18, 2020. REUTERS/Sergio Flores

U.S. teams were “understanding the adversary better than the adversary understands themselves,” said General Paul Nakasone, head of the U.S. National Security Agency (NSA) and Cyber Command, according to a Reuters reporter who attended the Feb. 26 dinner. His remarks had not previously been reported.

But even as he spoke, hackers were embedding malicious code into the network of a Texas software company called SolarWinds Corp, according to a timeline published by Microsoft and more than a dozen government and corporate cyber investigators.

A little over three weeks after that dinner, the hackers began a massive intelligence operation that has penetrated the heart of the American government and numerous corporations and other institutions around the world.

The results of that operation came into view on Dec. 13, when Reuters reported that suspected Russian spies had gained access to U.S. Treasury and Commerce Department emails. Since then, officials and researchers say they believe at least half a dozen U.S. government agencies have been infiltrated and thousands of companies were found to contain the malware, in what appears to be one of the largest hacks ever uncovered.

Secretary of State Mike Pompeo said on Friday that Russia was behind the attack, calling it a “serious threat” to the United States. Russia has denied involvement.

Disclosures about the attack come at a time of vulnerability, as the U.S. government navigates a contentious presidential transition and a public health emergency. And it reveals a new level of sophistication and scale, hitting numerous federal agencies and threatening to undermine public confidence in America’s cybersecurity infrastructure far more than previous acts of digital espionage.

Much remains unknown, including the ultimate motive or targets.

Seven government officials told Reuters that they are largely in the dark about what information might have been stolen or manipulated, or what it will take to undo the damage. The last known breach of U.S. federal systems attributed to Russian intelligence, when hackers gained access to unclassified email systems at the White House, the State Department and the Joint Chiefs of Staff in 2014 and 2015, took years to mitigate.

U.S. President Donald Trump on Saturday downplayed the hack and Russia’s involvement, claiming it was “under control” and that China may be responsible. He accused the “Fake News Media” of inflating its scale.

However, the National Security Council (NSC) acknowledged that a “significant cyber incident” had occurred. “There will be an appropriate response for those actors behind this conduct,” said NSC spokesman John Ullyot. He did not answer whether Trump had evidence that China was involved in the attack.

Several government agencies, including the NSA and the Department of Homeland Security, have issued technical guidance on the situation. Nakasone and the NSA declined to comment for this story.

Lawmakers from both parties said they were struggling to get answers from the agencies they oversee, including the Treasury. One Senate aide said his boss had learned more about the attack from the media than from the government.


The hack first surfaced last week, when U.S. cybersecurity company FireEye Inc disclosed that it had itself been the victim of the very sort of cyberattack that customers pay it to block.

Publicly, the incident initially looked like an embarrassment for FireEye. But hacks of security companies are especially dangerous because their tools often reach deep into clients’ computer systems.

Days before the hack was disclosed, FireEye investigators were aware that something serious was afoot and contacted Microsoft Corp and the Federal Bureau of Investigation, three people involved in those communications told Reuters. Microsoft and the FBI declined to comment.

Their message: FireEye had been hit by a highly sophisticated cyber espionage campaign conducted by a nation state, and its own problems seemed to be just the tip of the iceberg.

About half a dozen investigators from FireEye and Microsoft led the investigation, two sources familiar with the response effort said. At the heart of the problem, they found, was something that strikes fear into cybersecurity professionals: a so-called supply chain compromise, which in this case involved using software updates to install malware that could infect systems, destroy information and potentially cause other kinds of havoc.

In 2017, Russian operatives used the method to wipe private and government computer systems across Ukraine, after concealing a piece of malicious code in a widely used accounting program, which was then used to seed a destructive virus called NotPetya. Russia has denied any involvement. The malware spread to computers in scores of other countries, disrupting businesses and causing hundreds of millions of dollars in damage.

The latest hack in the United States used a similar device: SolarWinds reported that its software updates were compromised and used to install malicious code on close to 18,000 customer systems. Its Orion network management software is used by hundreds of thousands of organizations.

Once installed, the program beaconed back to its operators to tell them where it had landed. In some cases where the access was particularly valuable, the hackers used it to plant more active malicious software that could spread within the host network.
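The beaconing behavior described above leaves a trace in outbound proxy or DNS logs: a host contacting the same destination at nearly constant intervals. The following is an added example, not code from the article, from SolarWinds or from any investigator it cites. It groups log events by (source host, destination domain) and flags pairs whose gaps between contacts are regular. The log format, hostnames and thresholds are constructed assumptions.

```python
"""Flag beacon-like outbound traffic in proxy/DNS logs by looking for
near-constant inter-arrival times per (source host, destination) pair.

Added example with constructed sample data; the log format, hostnames and
thresholds are assumptions, not details from the article."""
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample log lines: "<ISO-8601 timestamp> <source host> <destination domain>".
# host-a contacts c2-lookalike.example roughly every 10 minutes with small jitter,
# while its mail traffic is irregular; host-b has too few events to judge.
SAMPLE_LOGS = """
2020-03-26T10:00:00Z host-a.corp.example c2-lookalike.example
2020-03-26T10:00:07Z host-a.corp.example mail.corp.example
2020-03-26T10:00:30Z host-a.corp.example mail.corp.example
2020-03-26T10:03:12Z host-a.corp.example mail.corp.example
2020-03-26T10:10:05Z host-a.corp.example c2-lookalike.example
2020-03-26T10:15:40Z host-a.corp.example mail.corp.example
2020-03-26T10:16:02Z host-a.corp.example mail.corp.example
2020-03-26T10:19:55Z host-a.corp.example c2-lookalike.example
2020-03-26T10:30:10Z host-a.corp.example c2-lookalike.example
2020-03-26T10:40:00Z host-a.corp.example c2-lookalike.example
2020-03-26T10:42:19Z host-a.corp.example mail.corp.example
2020-03-26T10:49:50Z host-a.corp.example c2-lookalike.example
2020-03-26T10:58:00Z host-a.corp.example mail.corp.example
2020-03-26T11:00:05Z host-a.corp.example c2-lookalike.example
2020-03-26T10:05:00Z host-b.corp.example updates.vendor.example
2020-03-26T10:15:00Z host-b.corp.example updates.vendor.example
2020-03-26T10:25:00Z host-b.corp.example updates.vendor.example
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_lines(text):
    """Parse log lines into (timestamp, src, dst) tuples; skip malformed lines."""
    events = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m.group(2), m.group(3)))
    return events


def find_beacons(events, min_events=6, max_cv=0.2):
    """Return {(src, dst): stats} for pairs whose gaps between contacts are
    regular: coefficient of variation (stdev / mean) at or below max_cv."""
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)
    findings = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue  # too few contacts to call the timing regular
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings[pair] = {"count": len(stamps), "mean_gap_s": round(avg, 1), "cv": round(cv, 3)}
    return findings


if __name__ == "__main__":
    for (src, dst), stats in find_beacons(parse_lines(SAMPLE_LOGS)).items():
        print(f"beacon-like: {src} -> {dst} every ~{stats['mean_gap_s']}s "
              f"({stats['count']} contacts, cv={stats['cv']})")
```

On the constructed data only the host-a to c2-lookalike.example pair is flagged; the mail traffic is too irregular and host-b has too few contacts. The caveat a practitioner should keep in mind is that an implant which sleeps for long, randomized periods, or rotates its destination, will not show up in an interval check like this, so it is one signal to correlate with others (destination reputation, newly seen domains, the process making the connection), not a verdict on its own.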

In some of the attacks, the attackers combined the administrator privileges granted to the SolarWinds software with Microsoft’s Azure cloud platform, which stores customer data online, to forge authentication “tokens”. These gave them far broader and more extensive access to email and documents than many organizations thought possible.
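The forged-token problem above has a detection angle worth spelling out. A token signed with a stolen or attacker-controlled signing key passes signature verification, so the cloud service cannot tell it from a genuine one; what it lacks is a corresponding sign-in at the identity provider. The following added example (not code from the article or from any vendor named in it) issues simplified HMAC-signed tokens as a stand-in for SAML or JWT tokens, assumes the attacker holds the signing key, and flags valid tokens whose subject and session have no matching IdP sign-in event. Keys, users and log entries are constructed.

```python
"""Spot tokens that verify cryptographically but have no matching sign-in at
the identity provider, which is what a token forged with a stolen signing key
looks like. Added example with constructed keys, users and log entries; the
token format is a simplified HMAC-signed stand-in for SAML or JWT tokens."""
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed key standing in for the IdP's token-signing key. In the
# scenario discussed, the attacker is assumed to hold a copy of it.
IDP_SIGNING_KEY = b"constructed-idp-signing-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(key: bytes, subject: str, session_id: str, issued_at: datetime) -> str:
    """Issue '<claims>.<signature>'; the IdP and an attacker with the key do the same."""
    claims = {"sub": subject, "sid": session_id, "iat": issued_at.isoformat()}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(key: bytes, token: str):
    """Return the claims if the signature is valid, else None."""
    body, sig = token.split(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        return None
    return json.loads(_unb64(body))


def tokens_without_signin(tokens, signin_log, key, window=timedelta(minutes=5)):
    """Return claims of valid tokens whose (sub, sid) has no IdP sign-in event
    within `window` of the token's issue time."""
    suspicious = []
    for token in tokens:
        claims = verify_token(key, token)
        if claims is None:
            continue  # invalid signature: the relying party rejects it anyway
        issued = datetime.fromisoformat(claims["iat"])
        matched = any(
            e["sub"] == claims["sub"] and e["sid"] == claims["sid"]
            and abs(datetime.fromisoformat(e["ts"]) - issued) <= window
            for e in signin_log
        )
        if not matched:
            suspicious.append(claims)
    return suspicious


# Constructed IdP sign-in log: alice authenticated once; bob never did.
SIGNIN_LOG = [
    {"ts": "2020-06-01T09:00:00+00:00", "sub": "alice", "sid": "S1", "result": "success"},
]

T0 = datetime(2020, 6, 1, 9, 0, 0, tzinfo=timezone.utc)
# Constructed tokens seen at the cloud service: one legitimate, one forged
# offline by an attacker holding the signing key, and one with a bad signature.
TOKENS = [
    mint_token(IDP_SIGNING_KEY, "alice", "S1", T0 + timedelta(seconds=2)),
    mint_token(IDP_SIGNING_KEY, "bob", "S9", T0 + timedelta(hours=1, minutes=30)),
    mint_token(b"wrong-key", "carol", "S2", T0),
]


def demo():
    """Run the correlation over the constructed tokens and sign-in log."""
    return tokens_without_signin(TOKENS, SIGNIN_LOG, IDP_SIGNING_KEY)


if __name__ == "__main__":
    for claims in demo():
        print(f"token for {claims['sub']} (session {claims['sid']}) has no matching IdP sign-in")
```

Only bob's token is reported: it is cryptographically valid, because the attacker signed it with the real key, but the IdP never saw bob log in. The check depends on the cloud service's token-use logs and the IdP's sign-in logs being collected in one place with synchronized clocks; without that correlation, signature verification alone gives no signal.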

Hackers could steal documents through Microsoft’s Office 365, the online version of its most popular business software, the NSA said Thursday in an unusual public technical advisory. Also on Thursday, Microsoft said it had detected the malicious code in its own systems.

A separate advisory issued by the U.S. Cybersecurity and Infrastructure Security Agency on Dec. 17 said the SolarWinds software was not the only vehicle used in the attacks, and that the same actors appear to have used other methods to install malware.

“This is powerful tradecraft, and it has to be understood to protect important networks,” Rob Joyce, the NSA’s senior cybersecurity adviser, said on Twitter.

It is not known how or when SolarWinds was first compromised. According to investigators at Microsoft and other companies that have studied the hack, the attackers first began tampering with SolarWinds code as early as October 2019, a few months before they were able to launch a full-fledged attack.


There is growing pressure on the White House to act.

Republican Senator Marco Rubio said: “America must retaliate, and not just with sanctions.” Mitt Romney, also a Republican, likened the attack to Russian bombers flying undetected over America. Senator Dick Durbin, a Democrat, called it “almost a declaration of war.”

Democratic lawmakers said they have received little information from the Trump administration beyond what is in the media. “Their briefing was vague, very unsatisfying, and they really tried to give us the least amount of information possible,” Democratic Representative Debbie Wasserman Schultz told reporters after a classified briefing.

Ullyot, the National Security Council spokesman, declined to comment on the congressional briefings. The White House is “focused on investigating the circumstances of this incident, and working with our interagency partners to mitigate the situation,” he said in a statement to Reuters.

President-elect Joe Biden has warned that his administration would impose “substantial costs” on those responsible. House Intelligence Committee Chairman Adam Schiff, also a Democrat, said Biden must “prioritize the hardening of our networks, both public and private infrastructure.”

The attack underscores the weakness of those cyber defenses, echoing criticism that U.S. intelligence agencies are more interested in offensive cyber work than in defending government infrastructure.

“The attacker has an advantage over the defenders. Decades of money, patents and effort have done nothing to change that,” said Jason Healey, a cyber conflict researcher at Columbia University and a White House security official in the George W. Bush administration.

“Now we learn with the SolarWinds hack that, if anything, the defenders are falling farther behind. The top priority has to be to shift this, so that defenders have an easier time.”

Reporting by Chris Bing and Raphael Satter in Washington, Jack Stubbs in London and Joseph Menn in San Francisco. Additional reporting by Alexandra Alper. Writing by Jonathan Weber. Editing by Bill Rigby and Jason Szep.