The leader of the Federal government’s investigation of the Russia-backed hack of government and private sector networks via SolarWinds Orion products said Feb. 17 that the attack “compromised” nine Federal government networks – matching with earlier estimates from Federal law enforcement and intelligence agencies that “follow-on” activity by the hackers after initial breaches via software downloads were seen in “fewer than 10” Federal agencies.
That more precise figure came from Anne Neuberger, deputy national security advisor for cyber and emerging technology, during a White House press conference to update the government’s work on unraveling the state-sponsored hacking exploit and mitigating against its impacts. She emphasized that the government’s investigation was continuing and would likely do so for at least several months. “It’ll take us some time to uncover this, layer by layer,” she said.
“As of today, nine federal agencies and about 100 private sector companies were compromised,” Neuberger said.
But, she emphasized, about 18,000 entities downloaded malicious content via SolarWinds Orion updates. Because of that figure, “the scale of potential access far exceeded the number of known compromises,” Neuberger said. “Many of the private sector compromises are technology companies, including networks of companies whose products could be used to launch additional intrusions,” she said.
Attack Methods
Speaking broadly about the sophisticated nature of the attack, Neuberger said “the techniques that were used lead us to believe that any files or emails on a compromised network were likely to be compromised.”
Neuberger explained that the attacker met the definition of “advanced persistent threat” in three ways: the attack “truly was sophisticated” in nature; the focus of the attack was on the “identity part of the network, which is the hardest to clean up”; and the “scope and scale to networks, to information, makes this more than an isolated case of espionage.”
And she said the attack was launched from within the United States and carried out via private-sector networks, where the Federal intelligence community “largely has no visibility.” Neuberger added, “Even within Federal networks, a culture and authorities inhibit visibility, which is something we need to address.”
‘Executive Action’ Planned in Response
Neuberger said the Federal government plans a range of steps as part of an “executive action” to respond to the attack. And while she did not provide details on what that action will entail, she did provide some hints as to what the Biden administration regards as problems to be overcome to prevent further attacks.
“We’re also working on close to about a dozen things – likely eight will pass – that will be part of an upcoming executive action to address the gaps we’ve identified in our review of this incident,” Neuberger said.
In that context, she said the Federal government’s response to the hack focuses on “finding and expelling the adversary,” modernizing Federal defenses to “reduce the risk of this happening again,” and preparing “potential response options to the perpetrators.”
On expelling the attacker, Neuberger said the interagency response coordinated by the White House National Security Council includes communication with lawmakers and close cooperation with the private sector.
“They have visibility and technology that is key to understanding the scope and scale of compromise,” she said of the private sector, but added, “There are legal barriers and disincentives to the private sector sharing information with the government. That is something we need to overcome.”
On improving government network defenses, she flagged network visibility and funding as problems. “If you can’t see a network, you can’t defend a network,” she said. “And Federal networks’ cybersecurity need investment and more of an integrated approach to detect and block such threats,” Neuberger added.
Asked about the eventual “cost” of the SolarWinds Orion hack, she said her thinking includes both the scale of the information compromised, and the need to improve cybersecurity. “There’s certainly a cost with regard to dollars; it’s also a cost with regard to national security,” she said, adding, “we’re bounding and understanding both.”
She declined to offer specifics about response options against the attacker but indicated she was using a wider lens than just the latest hack.
“What I will share with you is how I frame this in my own mind,” Neuberger said. “This isn’t the only case of malicious cyber activity of likely Russian origin, either for us or for our allies and partners. So as we contemplate future response options, we’re considering holistically what those activities were.”