Revelations of cyberattacks on U.S. likely just ‘tip of the iceberg’

Hackers have infiltrated the computer networks of some of the nation’s biggest corporations, leading defense contractors, and top U.S. government agencies, including those in national security branches, in what security analysts believe is a “very significant” breach.

So far, the Department of Homeland Security, parts of the Pentagon, the U.S. Treasury, the Commerce Department, the Centers for Disease Control and Prevention, and the National Institutes of Health are known to have had systems attacked through malware installed on widely used network monitoring software. The software’s ubiquity and the likelihood that the hackers had access for months means there could be many other targets affected, including the National Security Agency.

U.S. officials reportedly only learned of the breach recently after a private cybersecurity firm, FireEye, informed them that some hacking tools had been stolen, according to The New York Times. The breach’s full scope and precise methodology remain unknown, but analysts say its complexity and tradecraft point to Russia’s foreign intelligence service as the likeliest perpetrator.

The Gazette spoke with Paul Kolbe, a former senior CIA official and Russia specialist who now oversees the Belfer Center’s Intelligence Project at Harvard Kennedy School (HKS), and Lauren Zabierek, executive director of the Center’s Cyber Project, to gain a deeper understanding of the cyberattack and a sense of what the U.S. may do next.

Q&A

Paul Kolbe and Lauren Zabierek

GAZETTE: How damaging does this appear to be?

KOLBE: We’re probably seeing the tip of the iceberg right now. What’s clear is that the sophistication, the scope, the depth of this, and how long-lasting it was, how many government and nongovernment entities that it affected, is really significant. If one [means] in bypassing security systems was manipulating or bypassing the two-factor authentication, which many companies and places … use, that would be very significant because that’s a primary defense that financial systems, highly classified systems, systems that organizations are trying to provide extra security use. If they’re finding ways past that, that both increases the potential damage and it carries wider implications than just this specific series of hacks.

It’s a major incident and it’s exceptional in that it’s come out, but it’s not exceptional in terms of the types of activity that happen every day, the types of espionage that are conducted against U.S. government and corporations.

GAZETTE: Russia’s foreign intelligence service, the SVR, is believed to be responsible. Does it look like the work of Russian hackers? Could it be anyone else?

ZABIEREK: There’s definitely a limited pool of actors that could pull off such a sustained, targeted, far-reaching campaign. I certainly can’t attribute it to a specific actor; I would definitely leave it up to the experts to make that determination. In general, the Russians are definitely interested in government targets, in sowing distrust, especially with the FireEye piece of it, in those particular institutions, and the targeted and sustained espionage against our federal entities, whereas a North Korean attack or breach would be more financially motivated. The Wanna Cry hack was really intended to generate finances. China, again very generally, tends to focus on intellectual property theft or stealing data on people. But to me, this definitely seems more like a Russian operation.

I do think it’s interesting that they targeted this particular piece of software that many of us haven’t heard of that is used by a large swath of customers. I think that alone probably took a very long time to discover on their part. So then, that initial targeting and then probing into seeing what vulnerabilities are there and if there are any zero-day vulnerabilities, and then developing the exploits for those, and then penetrating those holes and then getting in — the timeline they’re saying it began in spring 2020 — that seems very, very quick. Not a lot of time to execute such an attack.

KOLBE: The Chinese have the capabilities to do it and it would be well within their M.O. But from what I’m reading, the specific malware tools being used are pretty clearly identifiable with the Russians and with SVR.

GAZETTE: As the list of victimized entities grows, does that suggest more about what they were after?

KOLBE: One of the striking things is how long this has apparently taken place. They’ve had a lot of time to sit quietly in the digital shadows, mapping out the networks, studying them, seeing where they link to, seeing where pockets of information are that may be useful, going after some things that they know they want. But also, almost certainly, finding and scooping up things for use on a rainy day.

As far as scope, it just shows it’s much wider. It shows a really voracious appetite for lots of different, potentially valuable sources of information and data. Nothing I’ve seen really shows — and it’s going to be a while before folks figure out, if ever, what was actually accessed and what was actually exfiltrated and stolen — but the fact that it’s so many organizations across such a broad scope of activities indicates a “casting a wide net” approach. But certainly then within those organizations, there are undoubtedly efforts to identify and target the most valuable datasets. Almost certainly they weren’t able to get to everything that they might have had access to. [Something] like 13,000 or 18,000 different companies had uploaded the software. I mean, that’s a massive potential effort.

GAZETTE: The U.S. is still litigating the last major Russian breach from 2015‒2016. Are you surprised an attack of this magnitude has happened again so soon?

KOLBE: No, I’m surprised that we don’t hear about more. SVR, the Chinese, others, they’ve all built huge capabilities, they’re well-resourced, well-staffed, [and] focused on doing exactly this. This is not a one-off, this is not something unusual. The extent of it sounds quite grand, but, is, in fact, what’s reality and what’s taking place every day. I guarantee you that there are other operations similar in size and scope, if not larger, that haven’t been discovered.

GAZETTE: How does an investigation of this get done and how long could that take?

KOLBE: There will be a huge forensics operation to determine what happened, i.e., following the breadcrumbs, with what breadcrumbs that they can find, trying to determine where did it come in, what systems did it proliferate out into? And that may be impossible to determine because a lot of times what happens is as folks maneuver through the networks, they’re erasing their tracks as they go. And if there’s been exfiltrating of information, i.e., stealing it, it won’t be gone, so it’s hard to determine if it’s been stolen or not. So we may actually never know exactly what systems were accessed and what information was lost. So it’s a massive forensics job, a massive triage of what would have been most important, and then a damage assessment: If this was lost, what does it mean?

GAZETTE: That could take a long time to complete. Potentially months?

KOLBE: Easily.

GAZETTE: What can be done to shore up breached systems while an investigation is underway?

ZABIEREK: There are a lot of things that we can do in the meantime. You have your incident responders who are going to essentially clear out and rebuild or clear out and shut down any sort of holes in the network. So, kick out any intruders, potentially patch any of those vulnerabilities if they need to continue working with that particular software.

CISA, the Cybersecurity Infrastructure Security Agency, they’re responsible for protecting federal networks and, of course, the Department of Defense is responsible for protecting DoD networks. So right now you definitely have cyber defenders in the DoD working to make sure that our DoD networks are protected and not being compromised. But there is a real lack of capability now without a confirmed director.

Later, once attribution is finalized, then the federal government, the administration, whether it’s before Biden takes leadership or not, can make a decision on what they’re going to do at that level. We have the Office of Cyber Engagement in the State Department, but that bureau had been folded into, I think, economic affairs. So you don’t have that confirmed, high-level cyber diplomat anymore to engage diplomatically.

You do have CyberCom [U.S. Cyber Command] that is going to be engaging in cyberspace; the intelligence community is doing certain things. But from a domestic standpoint, the current administration has hobbled our ability to respond in certain ways. I’m not really sure what they would do. If there is a national cyber director [under the Biden administration], for instance, and they reinstall that State Department Bureau of Cyber Affairs, then I think that you’ll have a much stronger response.

GAZETTE: Will an investigation and U.S. response be hampered by the transition to a new administration?

KOLBE: I don’t think so. It fits into a long, long, long pattern of spy vs. spy. And whether it’s human spies or cyber spies, digital spies or human spies, that game continues. Spies will get caught, there will be a brief flurry of press and protests and expressions of shock, and then folks get back to business. I don’t think the Biden administration will allow what’s essentially an uncovered espionage operation change their views of Russia, which I think are pretty clear-eyed to begin with. It’s not going to help any renewal of discussions. But on things like arms control and other issues that are a core interest in bilateral relations, it’s also not going to impact those, I don’t think.

GAZETTE: Would President-elect Biden and Vice President-elect Harris receive detailed intelligence about this so they’re up to speed?

KOLBE: Absolutely, if for no other reason than transition staff is a highly attractive target themselves.

Interviews were edited for clarity and length.