That uncertainty only raises the stakes of what is already the most significant government breach in years.
“The United States faces untold numbers of cyber threats from malicious foreign actors, both to the government agencies and private industry, and sometimes both at the same time,” the Democratic chairman of the House Intelligence Committee, Rep. Adam Schiff, said in a statement Wednesday after his panel was briefed on the attack by the Office of the Director of National Intelligence, the National Security Agency and the FBI.
“The seriousness and duration of this attack demonstrate that we still have enormous and urgent work to do to defend our critical information and networks, that we must move quicker than our adversaries do to adapt,” he added.
The intrusions are believed to have begun in the spring, according to forensic analysis by FireEye, which also disclosed its own breach linked to the vulnerability earlier this month.
CNN previously reported that a Russian-linked group, known as APT29, was behind the FireEye hack.
Many of the investigations will try to determine what the hackers did with the information they were able to stealthily access for months. So far, the operation, which bears all the hallmarks of a Russian-backed actor, appears to be a wide-ranging espionage campaign intended to compromise as many key public and private sector networks as possible, several cybersecurity experts told CNN.
The US government’s ability to carry out its investigation is uneven and may vary by agency, said Chris Kubic, chief information security officer at Fidelis Cybersecurity and a former top cybersecurity official at the National Security Agency.
“If they don’t have the right tools in place, if they aren’t collecting the application logs, the system logs that allow them to do the analysis, it can be difficult for them to determine what was exposed,” Kubic said.
The sophistication of the almost yearlong spying operation has revealed weaknesses and gaps in a system called Einstein that DHS’ Cybersecurity and Infrastructure Security Agency uses to protect federal agencies.
Congress is going to want to know “why it’s not working as advertised” after allocating billions of dollars for the system, a former senior DHS official told CNN. The system is based on finding known malicious activity, the former official said, but if you “don’t know what you are looking for it’s a problem.”
Einstein wasn’t set up to detect the way the actors got in, through a backdoor in software updates, said Gerstell, the senior former NSA official.
“CISA is only a few years old, it’s under-resourced, it has deficiencies in its authorities,” Gerstell said. “It takes years to build the depth of expertise you need to do the job across the government. This is a multiyear effort, and the bad guys have had years of a head start. I think in some areas the gap is widening rather than closing.”
The agency is also lacking Senate-confirmed leadership.
Chris Krebs was fired last month after he said the November election was the most secure in American history.
“The workforce will do the best that they can, but that is not a replacement for experience and confirmed leadership. Without Senate-confirmed leadership an agency doesn’t have an ability to get a lot of attention at the White House and get the support that they need to have a whole-of-government response,” said Carrie Cordero, senior fellow and general counsel at the Center for a New American Security and a CNN legal and national security analyst.
A Pentagon spokesperson said Wednesday that the forensic review of department networks continues but that there is currently nothing definitive to share.
Vice Adm. Nancy Norton, director of the Defense Information Systems Agency, issued a statement later Wednesday saying: “We are aware of the widespread and evolving cyber incident. We continue to assess our DOD Information Networks for indicators of compromise and take targeted actions to protect our systems beyond the defensive measures we employ each day. To date, we have no evidence of compromise of the Defense Information Systems Agency.”
Meanwhile, the intelligence community “continues to share information with US government agencies what they have learned about the attack” and is “marshaling all of its relevant resources to support this effort and share information across the United States Government,” a spokesperson from the Office of the Director of National Intelligence told CNN on Wednesday.
Still, the full impact of the breach may never be known, experts tell CNN, pointing to the fact that even if the hackers accessed only unclassified data, such as email addresses, that information can be used to engineer sophisticated phishing campaigns that would likely be impossible to trace back to the current incident.
“One of the big concerns, particularly on the US government side, is that the first thing the attackers went for were email systems,” according to Oren Falkowitz, a former NSA official who’s the CEO of the cybersecurity firm Area 1.
Email is the largest business application in the world and a significant amount of valuable data can be extracted from the inboxes of government and private-sector employees, he told CNN.
Compromised emails could easily provide a foreign government an edge in diplomatic negotiations or other sensitive dealings, said Kubic.
Additionally, having access to email servers can help attackers, who often want to launch additional phishing campaigns, Falkowitz added. “Once you get access into the email servers, you can masquerade or pretend to be a legitimate user, and now your attacks can be even more sophisticated.”
Hackers target ‘soft underbelly’ of US national security
The malware that enabled the hack was also found in thousands of organizations in the private sector, complicating the analysis. It isn’t clear whether the attackers specifically targeted any companies for intrusion. But according to FireEye, many companies in the tech, telecom, consulting and energy sectors were vulnerable because they had installed the legitimate software updates in which the hackers’ malicious code was hiding.
That has touched off a scramble at major companies to try to determine if they were hit by the spying campaign, too. On Wednesday, Comcast told CNN it has embarked on an assessment of its systems based on data breach disclosures by the software company at the center of the crisis, SolarWinds.
“As soon as we learned of the SolarWinds incident on Sunday, we quickly activated a series of internal security protocols to mitigate any potential impact,” Comcast told CNN in a statement. “We are conducting a thorough internal review, but at this time, we have no reason to believe that any Comcast data or customer data was compromised in connection with the use of SolarWinds products.”
Hundreds of other private-sector firms, including many in the Fortune 1000, also had their networks compromised in these hacks, according to Cedric Leighton, a former NSA official and a CNN military analyst who runs his own cybersecurity and defense consulting firm.
And that number is likely far higher, as the breach may affect not only direct customers of SolarWinds but those customers’ own clients as well, Jennifer Bisceglie, CEO of Interos, a supply chain risk-management firm, told CNN. “The supply chain is proving out to be the soft underbelly of the global economy. And so we have a lot of customers asking us where SolarWinds is in our extended supply chain.”
This story has been updated with a joint statement from the FBI, the Cybersecurity and Infrastructure Security Agency and the Office of the Director of National Intelligence.
CNN’s Jeremy Herb, Geneva Sands and Caroline Kelly contributed to this report.