The first damage assessment of a sprawling cyberattack linked to Russia has been chilling enough.
With intrusions reported across a huge swath of the government – including at the Department of Energy’s National Nuclear Security Administration – federal officials already are signaling that the worst may be yet to come.
The Department of Homeland Security’s cybersecurity unit has acknowledged that the full scope of the attack is not yet known, with an untold number of local government and private sector systems at “grave risk.”
Secretary of State Mike Pompeo said U.S. officials are “still unpacking” the cyber intrusion but he publicly blamed the Kremlin.
President Donald Trump, however, expressed doubt that Russia was behind the attack in a tweet Saturday – his first public comment on the security breach since it was first reported.
The president claimed, without evidence and in contradiction to the general consensus, that the news media was reflexively blaming Russia and not exploring whether China may have been involved.
“Russia, Russia, Russia is the priority chant when anything happens,” Trump tweeted.
“This was a very significant effort, and I think it’s the case that now we can say pretty clearly that it was the Russians that engaged in this activity,” Pompeo said in an interview on the Mark Levin Show, a conservative talk radio program.
And, in sharp contrast to the dire warnings from DHS and private experts, the president downplayed the threat posed by the cyberattack and claimed news organizations were exaggerating the danger.
“The Cyber Hack is far greater in the Fake News Media than in actuality. I have been fully briefed and everything is well under control,” Trump said.
Although federal authorities have so far traced the attack’s launch back to March, it remains unclear just how long operatives have been lurking in some of the government’s most critical agencies – including the departments of State, Homeland Security, Treasury and Commerce – and what may have been lost or compromised.
According to Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the attackers employed sophisticated tactics not seen in past intrusions, which is expected to make eliminating the threat even more difficult.
Where is the White House?
Most striking, perhaps, has been the White House’s relative silence as other parts of the government have been ringing the alarm about the cascading threat and the uncertain risk, raising questions about how the U.S. should respond.
Sen. Mitt Romney, R-Utah, Friday called Trump’s lack of response “extraordinary” as the country faces the modern equivalent of “Russian bombers reportedly flying undetected over the entire country.”
“They had the capacity to show that our defense is extraordinarily inadequate; that our cyber warfare readiness is extraordinarily weak,” Romney said in an interview with Sirius XM, adding that the Kremlin acted with “impunity.”
“And in this setting, not to have the White House aggressively speaking out and protesting and taking punitive action is really, really quite extraordinary,” he added.
Michael Chertoff, a former Homeland Security secretary in the George W. Bush administration, said Friday that the breaches underscored the need for a “deterrent strategy during a time of cyber conflict.”
“I think we may need to up our game,” Chertoff said.
Senate Intelligence Committee Vice Chairman Mark Warner, D-Va., characterized the hack Friday as “a devastating breach” that requires the president’s attention.
“An incident of this magnitude and lasting impact requires an engaged and public response by the U.S. government, led by a president who understands the significance of this intrusion and who is actively marshaling a domestic remediation strategy and an international response,” Warner said. “It is extremely troubling that the president does not appear to be acknowledging, much less acting upon, the gravity of this situation.”
Pompeo defended the president’s silence after Levin, the show’s host, suggested the Trump administration might be working “behind the scenes” to address Russia’s role in the attack.
“That’s absolutely true,” Pompeo said, although he did not elaborate on what, if anything, the president might be doing to confront Moscow.
“There are many things that you’d very much love to say, ‘Boy, I’m going to call that out,’ but a wiser course of action to protect the American people is to calmly go about your business and defend freedom,” Pompeo said.
Yohannes Abraham, executive director of President-elect Joe Biden’s transition, repeated Biden’s Thursday warning that there would be consequences to those who attack the U.S. with malicious cyber operations.
“There will be substantial costs,” Abraham said Friday. “While our adversaries shouldn’t expect us to telegraph our punches, they should expect that the president-elect is a man of his word.”
He added that while much is unknown, “what we do know is a matter of great concern.”
While the Energy Department has acknowledged that its systems have been affected, including the agency that maintains the nation’s nuclear weapons stockpile, it doesn’t mean that hackers have access to nuclear weapons and codes. That’s because weapons systems are usually isolated from the traditional internet, says Dvir Sasson, head of research for CyberInt, a Tel Aviv, Israel-headquartered security firm.
DOE spokeswoman Shaylyn Hynes said late Thursday that its review is ongoing but has so far determined that the malware has been “isolated to business networks only.” The breach had not, Hynes said, spread to “mission essential national security functions of the department, including the National Nuclear Security Administration.”
“When DOE identified vulnerable software, immediate action was taken to mitigate the risk, and all software identified as being vulnerable to this attack was disconnected from the DOE network,” Hynes said.
What we don’t know can hurt us
Much of what the government has so far disclosed publicly is replete with the unknown.
A joint statement this week by the FBI, CISA and the Office of the Director of National Intelligence referred to the “significant cyber incident” as “a developing situation,” suggesting that intrusions are ongoing.
In a separate bulletin, CISA said the attack continued to pose “a grave risk,” not only to federal networks but to state, local and tribal governments along with critical infrastructure entities and private organizations.
The agency also acknowledged that suspected additional compromises “have not yet been discovered.”
“This … actor has demonstrated patience, operational security, and complex tradecraft in these intrusions,” CISA said of the hackers, adding that the ongoing effort to eliminate the threat “will be highly complex and challenging.”
Understanding the full extent of this hacking campaign “will take a very long time,” Sasson said. “It’s not unlike contact tracing during a pandemic in that we are already finding that the impact and scale of this campaign is much larger than originally understood. In less than a week, this has grown from one security vendor being hacked … to a major assault on significant government agencies and businesses across the globe.”
‘Top-tier offensive capabilities’
The attackers penetrated federal computer systems through a widely used piece of IT management software sold by a company called SolarWinds.
The threat apparently came from the same cyberespionage campaign that has struck cybersecurity firm FireEye, foreign governments and major corporations.
SolarWinds says its products are used by hundreds of thousands of organizations globally, including most Fortune 500 companies and multiple U.S. federal agencies, which are now scrambling to patch their networks.