Hunting the hunters: How Russian hackers targeted US cyber first responders in SolarWinds breach
After infiltrating US government computer networks early last year as part of the SolarWinds data breach, Russian hackers then turned their attention to the very people whose job was to track them down.
Over the course of a few months, as US officials remained unaware of the breach, hackers identified a handful of key cyber security officials and analysts who would be among the first to respond once the hack was detected, so-called ‘threat hunters,’ and attempted to access their email accounts, according to two sources familiar with the matter.
While it is unclear if any of those accounts were compromised, sources say the fact that the hackers knew which working-level cybersecurity analysts at the Department of Homeland Security to go after suggests they were able to develop a much deeper understanding of US cyberdefenses than was previously known.
“It appears as if the Russian SolarWinds hackers possess granular information on personnel and who among them is likely to be involved in investigating the SolarWinds hack,” said Cedric Leighton, a former NSA official and CNN military analyst. “This could mean that networks have been penetrated to a degree we’ve not known before. If that’s true, we need a complete housecleaning of all our defensive cyberoperations.”
The assessment that hackers deliberately targeted DHS threat hunters, which has not been previously reported, underscores how the SolarWinds attack was among the most sophisticated cyberoperations ever conducted against the US, according to current and former officials.
By keeping tabs on these cyber first responders, sources and experts tell CNN the hackers could have been able to monitor in real-time as US officials began to discover the attack, allowing them to tailor their actions accordingly and remain hidden for as long as possible.
“What this does is it shows a level of sophistication in terms of targeting those who are working actively to prevent the attacks from either occurring or expanding. And so that is different than what you’re seeing in past cyberattacks,” former acting DHS undersecretary Chris Cummiskey told CNN.
“The level of sophistication is problematic because they’re actually going after people that they see as more valuable, so it shows a sense of prioritization,” he added.
While emails belonging to the senior-most cyber officials, including Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency, do not appear to have been accessed, sources told CNN that the hackers deliberately targeted other top cyberofficials at the agency in addition to lower-level threat hunters.
Hackers infiltrated email account of top Trump official
Initial reports briefed to the Hill showed that around 30 email accounts at DHS were infiltrated as part of the SolarWinds breach, including that of former acting secretary Chad Wolf and former DHS Chief Information Officer Karen Evans, according to a Capitol Hill aide. There was no indication that classified information was accessed in the hack, the aide added.
The Associated Press first reported that suspected Russian hackers gained access to Wolf’s account and to the accounts of cybersecurity staff who were hunting threats from foreign countries.
After the hack, senior staff at DHS headquarters received new phones, a former department official told CNN, indicating the impact was significant at DHS.
Wolf and Evans declined to comment. Other federal agencies have also confirmed email accounts were accessed.
At a hearing last month, GOP Rep. Pat Fallon of Texas said he was “alarmed” by the fact that “the Secretary of Homeland Security’s own email had been compromised.”
“This attacker stayed laser focused on stealing specific information,” said cybersecurity firm FireEye’s CEO Kevin Mandia at the same hearing. “They showed, arguably, restraint and they didn’t do anything destructive.”
FireEye, also a victim of the hack, first alerted both the government and the public to the breach in early December.
CISA has still not publicly acknowledged whether it was impacted in the SolarWinds breach, and a DHS spokesperson again declined to say on Wednesday when asked whether email accounts belonging to members of the threat hunter team were targeted.
The spokesperson did, however, confirm that a “small number of employees’ accounts were targeted in the breach,” referring to DHS more broadly. The department no longer sees “indicators of compromise in its networks,” the spokesperson added.
The targeting of department emails didn’t interrupt operations, according to a senior CISA official who said private sector partners helped DHS and CISA evict the hackers from the department’s networks.
“That response resulted in a conclusion that after remediation steps were taken the adversary had been removed from the network,” the official told reporters in a briefing call earlier this week, adding that operations were able to continue.
A DHS spokesperson also told CNN that the agency’s operational cybersecurity teams utilize various communications methods to continue executing their mission under all circumstances, and that they were able to do so in this instance.
How will the Biden administration respond against Russia?
The Biden administration continues to quietly work through its response to the SolarWinds hack and send vague messages about its plans to hold Russia accountable. In February, the White House began a 60-day review of the hack and has since outlined responses it plans to level against Russia but offered few specifics.
The National Security Council, which is leading the effort, reiterated this week that a response consisting of “seen and unseen” actions will be coming in a matter of “weeks not months.” That is the same timeframe laid out six weeks ago, in February, by national security adviser Jake Sullivan.
What that response will look like remains unclear but it is expected to include sanctions, cyberoperations and an executive order to make improvements to national cybersecurity.
An executive order with initiatives designed to shore up the government’s cyberdefenses is expected sooner, according to administration officials.
Deputy national security adviser Anne Neuberger, the White House’s top cyberofficial, has been tapped to lead the sprawling effort that spans multiple government agencies.
“That EO will be released shortly and it will make fundamental improvements to national cybersecurity; many of these measures are long overdue,” Neuberger said in a statement to CNN on Tuesday. “We are working closely across the federal government, Congress, and the private sector to continue making the necessary investments to defend the nation against malicious cyber activity.”
While Neuberger is the most senior cyberofficial ever appointed in an administration, the unprecedented Russian breach and the massive Chinese hack of Microsoft Exchange servers underscore that two key senior cyberpositions remain unfilled: the newly created role of National Cyber Director, a position that is supposed to be the President’s top adviser on all cyber issues, and the director of CISA inside DHS. Both require Senate confirmation.
The National Cyber Director position was created by Congress but has not been funded and questions remain over how it will work alongside the NSC and CISA. Administration officials argue that though a CISA Director is needed and expected soon, the agency is being run by a deeply experienced staff, both career and newly-appointed officials.
Krebs, the first and only permanent CISA director, argued Thursday that Neuberger’s appointment “addressed many of the concerns that prompted the creation of the [National Cyber Director].”
“If we’re talking about nominees, I’d prefer to see my successor [at CISA] named ASAP!” he tweeted. “Need to round out the team!”