'They got into everything': US surveys damage from cyberattack

The U.S. government is mapping the damage from the “worst hacking case in the history of America,” likely Russian-led, says an official. President Donald Trump has made no statements on the breach, leaving a response up to the incoming Biden administration.

Patrick Semansky/AP
A sign with the emblems of government agencies stands outside the National Security Agency campus in Fort Meade, Maryland. More than 40 government agencies, think tanks, nongovernmental organizations, and IT companies in the U.S. have been infiltrated by the hackers.

Federal authorities expressed increased alarm Thursday about a long-undetected intrusion into United States and other computer systems around the globe that officials suspect was carried out by Russian hackers. The nation’s cybersecurity agency warned of a “grave” risk to government and private networks.

The hack compromised federal agencies and “critical infrastructure” in a sophisticated attack that was hard to detect and will be difficult to undo, the Cybersecurity and Infrastructure Security Agency said in an unusual warning message. The Department of Energy acknowledged it was among those that had been hacked.

The attack, if authorities can prove it was carried out by Russia as experts believe, creates a fresh foreign policy problem for President Donald Trump in his final days in office.

Mr. Trump, whose administration has been criticized for eliminating a White House cybersecurity adviser and downplaying Russian interference in the 2016 presidential election, has made no public statements about the breach.

President-elect Joe Biden, who inherits a thorny U.S.-Russia relationship, spoke forcefully about the hack, declaring that he and Vice President-elect Kamala Harris “will make dealing with this breach a top priority from the moment we take office.”

“We need to disrupt and deter our adversaries from undertaking significant cyberattacks in the first place,” he said. “We will do that by, among other things, imposing substantial costs on those responsible for such malicious attacks, including in coordination with our allies and partners.”

“There’s a lot we don’t yet know, but what we do know is a matter of great concern,” Mr. Biden said.

CISA officials did not respond to questions and so it was unclear what the agency meant by a “grave threat” or by “critical infrastructure” possibly targeted in the attack that the agency says appeared to have begun last March. Homeland Security, the agency’s parent department, defines such infrastructure as any “vital” assets to the U.S. or its economy, a broad category that could include power plants and financial institutions.

The agency previously said the perpetrators had used network management software from Texas-based SolarWinds to infiltrate computer networks. Its new alert said the attackers may have used other methods, as well.

Tech giant Microsoft, which has helped respond to the breach, revealed late Thursday that it had identified more than 40 government agencies, think tanks, non-governmental organizations, and IT companies infiltrated by the hackers. It said 4 in 5 were in the United States – nearly half of them tech companies – with victims also in Canada, Mexico, Belgium, Spain, the United Kingdom, Israel, and the United Arab Emirates.

“This is not ‘espionage as usual,’ even in the digital age. Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world,” Microsoft said in a blog post.

Over the weekend, amid reports that the Treasury and Commerce departments were breached, CISA directed all civilian agencies of the federal government to remove SolarWinds from their servers. The cybersecurity agencies of Britain and Ireland issued similar alerts.

A U.S. official previously told The Associated Press that Russia-based hackers were suspected, but neither CISA nor the FBI has publicly said who is believed to be responsible. Asked whether Russia was behind the attack, the official said: “We believe so. We haven’t said that publicly yet because it isn’t 100% confirmed.”

Another U.S. official, speaking Thursday on condition of anonymity to discuss a matter that is under investigation, said the hack was severe and extremely damaging although the administration was not yet ready to publicly blame anyone for it.

“This is looking like it’s the worst hacking case in the history of America,” the official said. “They got into everything.”

At the Department of Energy, the initial investigation revealed that malware injected into its networks via a SolarWinds update has been found only on its business networks and has not affected national security operations, including the agency that manages the nation’s nuclear weapons stockpile, according to its statement. It said vulnerable software was disconnected from the DOE network to reduce any risk.

The intentions of the perpetrators appear to be espionage and gathering information rather than destruction, according to security experts and former government officials. If so, they are now remarkably well situated.

Thomas Bossert, a former Trump Homeland Security adviser, said in an opinion article in The New York Times that the U.S. should now act as if the Russian government had gained control of the networks it has penetrated. “The actual and perceived control of so many important networks could easily be used to undermine public and consumer trust in data, written communications and services,” he wrote.

Members of Congress said they feared that taxpayers’ personal information could have been exposed because the IRS is part of Treasury, which used SolarWinds software. Experts involved in the hack response say the intruders are not likely interested in such data because they are intelligence agents narrowly focused on sensitive national security data – and trying to steal taxpayer info would likely set off alarms.

Tom Kellermann, cybersecurity strategy chief of the software company VMware, said the hackers are now “omniscient to the operations” of federal agencies they’ve infiltrated “and there is viable concern that they might leverage destructive attacks within these agencies” now that they’ve been discovered.

Among the business sectors scrambling to protect their systems and assess potential theft of information are defense contractors, technology companies, and providers of telecommunications and the electric grid.

A group led by CEOs in the electric power industry said it held a “situational awareness call” earlier this week to help electric companies and public power utilities identify whether the compromise posed a threat to their networks.

And dozens of smaller institutions that seemed to have little data of interest to foreign spies were nonetheless forced to respond to the hack.

The Helix Water District, which provides drinking water to the suburbs of San Diego, California, said it provided a patch to its SolarWinds software after it got an advisory the IT company sent out about the hack to about 33,000 customers Sunday.

“While we do utilize SolarWinds, we are not aware of any district impacts from the security breach,” said Michelle Curtis, a spokesperson for the water district.

This story was reported by The Associated Press. AP writers Matthew Lee in Washington; Matt O'Brien in Providence, Rhode Island; and Frank Bajak in Boston contributed to this report.

You've read  of  free articles. Subscribe to continue.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.