The Biden administration is readying sanctions and other measures to punish Russia over a cyber espionage campaign that the US Senate heard on Tuesday used potentially a dozen different ways into government and corporate networks.
The hack struck at the heart of the US government, starting as early as 2019 and directly affecting at least nine federal agencies as well as about 100 companies, officials have said. The US intelligence community has yet to issue its final conclusion, but officials have said the attack was “likely of Russian origin”.
Mark Warner, Democratic chairman of the Senate select committee on intelligence, opened a hearing on the so-called SolarWinds hack by complaining of a lack of information sharing by those affected.
“Indications suggest the scope and scale of this incident are beyond any that we’ve confronted as a nation, and its implications are significant,” he said.
The Biden administration plans sanctions and a package of measures to secure commercial networks and improve third-party services, according to two people briefed on the matter.
“There are Russia-specific measures being developed that will go beyond sanctions,” said one of the people briefed on the matter.
The steps under consideration underscore the tougher line Joe Biden’s administration is preparing to take against Russia on several fronts from espionage to human rights, including the jailing of Alexei Navalny, the opposition leader who has accused Russian spies of nearly killing him with a chemical nerve agent in August. Moscow has denied any involvement in the hack and the poisoning.
Hackers gained access to systems by hijacking software in March last year from SolarWinds, a Texas-based information technology company, but the select committee hearing on Tuesday made it clear that the intruders exploited a wider range of other vulnerabilities as well.
Once inside a victim’s system, hackers in some cases exploited “systemic weaknesses” in Microsoft’s Windows authentication process to get unfettered access to data, George Kurtz, chief executive of the cyber security company CrowdStrike, told the hearing.
Brad Smith, Microsoft chief executive, said that approach “was only used by the Russian attackers 15 per cent of the time” among the 60 victims it had identified. He said that hackers may have used “up to a dozen” different methods to gain access to victims’ systems, not just SolarWinds.
In January Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency, told The Wall Street Journal that about 30 per cent of all of the campaign’s victims had no direct connection to SolarWinds.
At least 18,000 companies and agencies were potentially exposed. The hackers went on to select particular targets to pursue further, lurking in their emails and impersonating legitimate employees in order to access sensitive information in the cloud.
Amazon came under fire at the hearing for declining to send a representative of Amazon Web Services, its cloud computing business, despite an invite from the committee. Amazon did not immediately respond to a request for comment.
Panellists and politicians at the hearing agreed that concerns about legal liability and reputational damage made companies fearful of disclosing hacks, leading to discussion of whether confidential reporting should be mandatory.
People familiar with the Biden administration’s thinking caution that it has yet to determine the full scope of the measures it will take in response to the hack. US officials want to go beyond sanctions to bring criminal charges against specific Russians, according to the people briefed, but that approach will rely on the US intelligence community’s efforts to drill down into the hacks in order to attribute the actions to individuals.
Some cyber experts have cast the campaign — which is continuing — as the sort of espionage that is common practice for most nation-states. But others have suggested it is possible that it could go further, constituting reconnaissance for future potential disruptive attacks, and urged the Biden administration to retaliate.
The Washington Post first reported the administration’s intention to punish Russia.
Additional reporting by Dave Lee in San Francisco