In the wake of what may be the largest security breach in U.S. history, anyone who took the Russian foreign ministry at its word would rest secure in the knowledge that the Russian Federation does not engage in offensive cyber attacks. In a prepared statement, the ministry wrote, “We paid attention to another unfounded attempt of the U.S. media to blame Russia for hacker attacks on U.S. governmental bodies…We declare responsibly: malicious activities in the information space contradicts the principles of the Russian foreign policy, national interests and our understanding of interstate relations. Russia does not conduct offensive operations in the cyber domain.”
The subtext, of course, is that allegations to the contrary are unfounded nonsense and that Americans should stop being so paranoid. It is true that there is a long history of accusations being lobbed at Russia for a variety of nefarious activities. Over the years, the United States has repeatedly blamed Putin and Russia for ordering hacks, the latest in 2015, aimed at a slew of American targets. In every instance, Putin categorically denied involvement, and this week has given us more of the same.
As many have pointed out, emphatic denials are exactly what a country that routinely conducts offensive cyber operations against its adversaries would issue. And although the White House and others have refused to name a culprit, multiple news agencies report that Russian hackers are again the main suspects in a vast intrusion into numerous government and private-sector systems. According to the Washington Post, affected parties include the Department of Homeland Security, the Pentagon, Treasury and Commerce, the State Department, and the National Institutes of Health. Critically, this list of known victims will almost certainly grow because of the attack vector the hackers used: rather than breaking into each target separately, they compromised a software update from a vendor whose product sits inside thousands of networks, so every organization that installed that update is a potential victim. Reuters reports that “Technology company SolarWinds, which was the key steppingstone used by the hackers, said up to 18,000 of its customers had downloaded a compromised software update that allowed hackers to spy unnoticed on businesses and agencies for almost nine months.”
The hack was initially discovered by FireEye, a prominent cybersecurity company, in the course of investigating a breach of its own systems. FireEye also announced that a suite of what it calls “Red Team tools” was stolen in that breach. The firm used these tools regularly to stress-test agency systems and help clients discover vulnerabilities in their networks. Historically, the long-term effect of tools like this being copied or stolen has been hard to assess: such tools exploit known vulnerabilities, and vendors are generally quick to fix those, so the real exposure comes down to how quickly customers install the patch or upgrade that would nullify the issues.
In one perhaps ironic twist of fate, The New York Times reports that “The National Security Agency — the premier U.S. intelligence organization that both hacks into foreign networks and defends national security agencies from attacks — apparently did not know of the breach in the network-monitoring software made by SolarWinds until it was notified last week by FireEye. The N.S.A. itself uses SolarWinds software.” Led by General Paul M. Nakasone, the N.S.A.’s main priority this year was ensuring the security of the 2020 elections, in the hope of avoiding a repeat of 2016. By most accounts, and after a multibillion-dollar investment, that effort was largely successful.
What remains unclear is how this hack went unnoticed for so long, why a private firm rather than the government discovered it, and why the White House still refuses to acknowledge Russia’s involvement. The New York Times hits the nail on the head, writing that “While President Trump was complaining about the hack that wasn’t — the supposed manipulation of votes in an election he had clearly and fairly lost — he was silent on the fact that Russians were hacking the building next door to him: the United States Treasury.”
The breadth of information and files these hackers were able to access is still unknown. In the coming weeks and months, that picture will hopefully crystallize. One thing, though, is already certain: the U.S. government has proven itself woefully unprepared for this type of sophisticated cyber attack again and again. Now it is incumbent upon us, as citizens, to relentlessly question why.