While US officials believe that a Russia-linked entity or Russian individuals are responsible for the attacks, they have not yet finalized their designation on which actors are responsible, a senior administration official said.
The National Security Council has decided to covene two meetings daily with the Cyber Response Group to determine the scope, scale and impact of the hack, they added.
In the first of its meetings on Monday, officials came closer to a determination that a Russian-backed group was responsible but forensic investigations are ongoing, the official told CNN.
A meeting scheduled for later Monday aims to determine which government agencies were compromised. So far, only the Commerce Department has said publicly that it experienced a breach but other agencies appeared to have been targeted as well.
“We have a hunch about who is behind the breaches,” another administration official said, also confirming Monday’s Emergency Cyber Response Group meeting. “But forensics like this take time to nail down, unless they were sloppy about it.”
Early statements issued by the technology company SolarWinds, whose system breached by the hackers, suggest the operation was sophisticated and “extremely targeted,” meaning it may take some time before blame is formally attributed.
But in the meantime, top US officials, including Secretary of State Mike Pompeo, are not shying away from suggesting Russia was involved.
When asked about the hack Monday, Pompeo cited consistent Russian efforts to breach servers belonging to American government agencies and businesses, but would not give any additional details.
“I can’t say much other than it’s been a consistent effort of the Russians to try and get into American servers, not only those of government agencies but of businesses,” Pompeo said in an interview with Breitbart News Radio.
The Russian embassy in Washington, on the other hand, is forcefully denying any involvement in the hack, which was first reported by Reuters Sunday, saying in a statement: “We paid attention to another unfounded attempts of the US media to blame Russia for hacker attacks on US governmental bodies.”
Linked to previous breach?
But despite the embassy’s claim that “Russia does not conduct offensive operations in the cyber domain,” Moscow has been linked to several recent breaches, including last week’s hack of FireEye, an attack that compromised the so-called “Red Team” tools it uses to protect clients, including government customers.
two blog posts Sunday, the cybersecurity firm tied the SolarWinds vulnerability directly to its own announced breach, which a source familiar with the matter previously told CNN was likely carried out by a Russian-affiliated group known as APT29.
FireEye described a “global intrusion campaign” that takes advantage of a critical flaw in a network monitoring product sold by SolarWinds, an IT network management company. The victims have included government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East, the second blog post says, adding that they anticipate there are additional victims in other countries and verticals.
A source familiar with the attacks on both FireEye and those reported Sunday also told CNN that “it’s all related.”
“These sorts of attacks leveraging trusted relationships are extraordinarily difficult to detect and defend against in real-time,” the person said, adding that while the Commerce and Treasury Departments are the victims that have so far been identified, “there will no doubt be more.”
The US Commerce Department confirmed Sunday it has been the victim of a data breach in an attack that is believed to be linked to Russia.
“We can confirm there has been a breach in one of our bureaus,” the Commerce Department said in a statement to CNN. “We have asked CISA and the FBI to investigate, and we cannot comment further at this time.”
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency also confirmed the data security incident, telling CNN in a statement, “We have been working closely with our agency partners regarding recently discovered activity on government networks.”
“CISA is providing technical assistance to affected entities as they work to identify and mitigate any potential compromises,” the statement continued.
CISA issued a directive late Sunday that tech company SolarWinds was compromised and it posed “unacceptable risks to the security of federal networks,” said CISA acting Director Brandon Wales.
SolarWinds Orion products are used by a number of federal civilian agencies for network management and CISA is urging the agencies to review their networks for any possible signs of a data breach. This is only the fifth emergency directive issued since 2015, when CISA was created by Congress in the Cybersecurity Act.
SolarWinds said in a statement Sunday night that the breach of their system was “was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack.”
‘Massive national security failure’
On Monday, the technology company said it believes “fewer than 18,000” customers could have been affected by the software vulnerability.
In a new financial filing, SolarWinds said that out of a total of 300,000 customers, the company “believes the actual number of customers that may have had an installation of the Orion products that contained this vulnerability to be fewer than 18,000.”
SolarWinds has released a software update addressing the flaw and anticipates providing a second software update by December 15 to “further address” the security gap, the company added.
Microsoft also responded to the hack in a blog post overnight, telling customers that it has updated its anti-spyware program to detect the SolarWinds vulnerability.
“We believe this is nation-state activity at significant scale, aimed at both the government and private sector… We also want to reassure our customers that we have not identified any Microsoft product or cloud service vulnerabilities in these investigations,” the post said.
Sen. Ron Wyden, a Democrat from Oregon who serves on the Senate Intelligence Committee, warned Monday that the damage caused by the breach may be “far more significant than currently known.”
“If reports are true and state-sponsored hackers successfully snuck malware-riddled software into scores of federal government systems, our country has suffered a massive national security failure that could have ramifications for years to come,” he said in a statement to CNN. “I’m pressing the government for more information about the full scope of this breach and the steps that agencies are taking to mitigate it. I fear that the damage is far more significant than currently known.”
“I have warned for years that the government was falling down on the basics of securing federal systems, and this breach unfortunately proves me right. To start, it’s high time to scrap the lax practice of allowing agencies to install high-risk software on government systems without subjecting it to a thorough security review,” Wyden added.