Experts: Brazen Cyberattack Against US Agencies Bears Hallmarks of Russian Cyber Tradecraft

By Nolan Peterson, December 14, 2020
Photograph of the US Treasury building in Washington, DC. Washington Monument in the background. Photo by MeanieHyaena via Wikimedia Commons.

A foreign government has struck the US Treasury and Commerce Departments, stealing data and infiltrating employees’ emails, in what experts are calling the most sweeping and technologically advanced cyberattack against the country in years.

The White House National Security Council reportedly met on Saturday to discuss the breach, and both the Department of Homeland Security and FBI have issued statements acknowledging the attacks. While news reports point to Russian intelligence agencies as the most likely culprit, the US government has not yet officially blamed Russia for the cyber espionage operation.

“The United States government is aware of these reports, and we are taking all necessary steps to identify and remedy any possible issues related to this situation,” John Ullyot, spokesman for the National Security Council, said in a statement.

News of the cyberattack was first reported by Reuters.

Cybersecurity officials say the intrusion began in spring 2020 and is ongoing. In a series of statements, the Department of Homeland Security attributed the breach to “malicious actors.”

Several national security agencies and civilian contractors may also have been affected, according to reporting by The New York Times and The Wall Street Journal. However, as of this article’s publication it is not clear how far the cyberattack reaches, how much sensitive government data was stolen, or whether any highly classified defense secrets were among it.

“The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security,” the US-based cybersecurity firm FireEye said in a Sunday release.

Army Sgt. Kyle Plumley, an intel analyst for Joint Force Headquarters out of Columbus, Ohio, works three laptop computers May 16 as part of Cyber Shield 2018 at Camp Atterbury, Indiana. Cyber Shield provides a collective training event that, in part, prepares soldiers to actively monitor for internal network threats. Photo by Staff Sgt. Chad Menegay, courtesy of DVIDS.

Some experts say that if Moscow is indeed behind the recent attacks, then it may be part of a broader Kremlin gambit to scramble the deck, so to speak, on US foreign policy toward Russia — possibly to challenge the incoming administration of President-elect Joe Biden.

“From Washington’s perspective, this hacking is one more in a steady drumbeat of Russian malign activities, including also microwave attacks against US diplomats and the poisoning of democratic oppositionist Alexei Navalny with an internationally banned chemical weapon,” William Courtney, a former US ambassador to Kazakhstan and Georgia who is now an adjunct senior fellow at the Rand Corp., told Coffee or Die Magazine.

“These and other strains in relations with Moscow could lead to increased US sanctions on Russia,” Courtney said.

The Kremlin, for its part, denies it had anything to do with the attack.

“I reject these statements, these accusations once again,” Russian presidential spokesman Dmitry Peskov told journalists during a Monday press conference, the Russian news agency TASS reported.

“Even if it is true there have been some attacks over many months and the Americans managed to do nothing about them, possibly it is wrong to groundlessly blame Russians right away,” Peskov said. “We have nothing to do with this.”

Soldiers and civilians listen to Ohio Army National Guard Chief Warrant Officer 4 Rich Kerwood and members of the FBI at the conclusion of a staged raid of a building containing suspected cyber-criminals during Cyber Shield 19 at Camp Atterbury, Indiana, April 17, 2019. Photo by Spc. William Phelps, courtesy of DVIDS.

In what industry experts call a “supply-chain” cyberattack, the hackers did not have to break into each victim directly. They reportedly inserted malicious code into legitimate updates for SolarWinds’ Orion IT monitoring and management software, released between March 2020 and June 2020, so that customers who installed routine patches were installing the backdoor themselves. Because the tampered updates shipped through SolarWinds’ normal release channel and carried the company’s legitimate code signature, ordinary update hygiene and signature checks alone would not have flagged them. SolarWinds Inc. has more than 300,000 customers worldwide, including more than 400 of the US Fortune 500 companies, according to The Wall Street Journal.

SolarWinds’ US government clients include the executive branch, the Secret Service, the Federal Reserve, the Department of Defense, and intelligence agencies. Its customers also include several key defense contractors, such as Booz Allen Hamilton and Lockheed Martin Corp., producer of the F-22 Raptor stealth fighter jet.

In a release, SolarWinds said an “outside nation state” conducted the “narrow, extremely targeted, and manually executed attack.”

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency issued a flurry of warnings Sunday night, including Emergency Directive 21-01, advising organizations that use the Orion software to review their networks for signs of compromise and to “disconnect or power down SolarWinds Orion products immediately.”

“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency, said in a Sunday evening statement.

“Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners—in the public and private sectors—to assess their exposure to this compromise and to secure their networks against any exploitation,” Wales said.
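The first practical step behind that directive is knowing which of your Orion servers are running a build from the suspect release window. The script below is an added illustration written for this article, not SolarWinds or CISA tooling: it parses Orion-style version strings (a dotted release plus an optional “HF n” hotfix suffix, which plain string or semver comparison gets wrong) and flags inventory entries that fall inside a suspect range. The hostnames and versions in the inventory are constructed, and the suspect range is an assumption chosen to stand in for the March–June 2020 window described above; the authoritative list of affected builds must come from the vendor or CISA advisory. A version match says only that a host needs to be isolated and examined; it neither proves nor rules out compromise.

```python
"""Triage a SolarWinds Orion inventory against a suspect build range.

Added illustration, not vendor or CISA tooling. Orion version strings such
as "2020.2.1 HF 1" are not semver: the hotfix suffix must be compared after
the numeric release, and "2020.2" must sort as 2020.2.0 with no hotfix.
"""
import re

# Constructed sample inventory: (hostname, Orion version as reported by the
# installer). Hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    ("orion-prod-01", "2019.4 HF 5"),
    ("orion-prod-02", "2020.2"),
    ("orion-lab-01", "2020.2.1 HF1"),
    ("orion-dr-01", "2019.4 HF 4"),
    ("orion-new-01", "2020.2.1 HF 2"),
    ("orion-old-01", "2018.4"),
]

# Assumed suspect range for this example, standing in for the March-June
# 2020 release window the article describes. Take the authoritative list
# of affected builds from the vendor or CISA advisory, not from here.
SUSPECT_LOW = "2019.4 HF 5"
SUSPECT_HIGH = "2020.2.1 HF 1"

_NUMERIC_PARTS = 4  # pad/truncate the dotted release to this many fields
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text):
    """Turn 'YYYY.n[.m] [HF k]' into a comparable tuple (n1, n2, n3, n4, hf)."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    parts = (parts + [0] * _NUMERIC_PARTS)[:_NUMERIC_PARTS]
    hotfix = int(match.group(2)) if match.group(2) else 0
    return (*parts, hotfix)


def in_suspect_range(version, low=SUSPECT_LOW, high=SUSPECT_HIGH):
    """True when version sits inside [low, high], comparing hotfixes correctly."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def flag_hosts(inventory, low=SUSPECT_LOW, high=SUSPECT_HIGH):
    """Hostnames whose Orion build falls inside the suspect range, sorted."""
    return sorted(host for host, ver in inventory if in_suspect_range(ver, low, high))


if __name__ == "__main__":
    for host in flag_hosts(SAMPLE_INVENTORY):
        # Per the CISA guidance quoted above: isolate first, then image for forensics.
        print(f"{host}: suspect Orion build, isolate and preserve for analysis")
```

Running it against the constructed inventory flags the three hosts on 2019.4 HF 5, 2020.2 and 2020.2.1 HF 1, and leaves the older, later and post-hotfix builds alone; feeding it a real inventory export only requires replacing `SAMPLE_INVENTORY` and the two range constants.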

While US government agencies routinely face cyberthreats, this particular strike was unique in its sophistication and scope, experts say, underscoring what may be a new trend in cyber espionage: compromising commercial software that is shared across a broad spectrum of government agencies and key businesses, so that a single tampered product opens the door to all of them at once.

Along that line of thinking, many cybersecurity experts say the recent attacks match Russia’s cyberwarfare modus operandi, which has been on display for years in Ukraine and the Baltics, as well as against the US and its Western allies.

“My read is that this is spy business as usual,” Richard Stiennon, chief research analyst at IT-Harvest, a US-based cybersecurity analyst firm, said. “The original compromise of SolarWinds occurred earlier this year and has been stealthily deployed widely since then. I have not seen evidence that these attacks were revealed so much as discovered. In other words, the attackers, who took extraordinary steps to avoid discovery, were found out.”

In September, Russian President Vladimir Putin put forward a proposal for the US and Russia to combine forces in cybersecurity operations. Most US officials disregarded the offer as a disingenuous attempt by the Kremlin to disguise its own culpability for a worldwide blitz of cyberattacks since 2014 — the year the West imposed sweeping sanctions on Russia for its invasion of Ukraine.

“We have received no reply from Washington,” the Russian Embassy to the US wrote on Facebook, regarding Putin’s Sept. 25 proposal for US-Russia cybersecurity cooperation.

This latest attack will likely spur a broader self-evaluation by the US government regarding its vulnerability to supply-chain cyberattacks. The attack also underscores how shoring up America’s cyberdefenses remains a daunting challenge, similar to that of counterterrorism in the sense that US security officials have to be more imaginative than America’s adversaries in order to successfully anticipate their next method of attack.

“On the cutting edge yes, imagination is called for. But I think the US Federal Agencies and military are still playing catch up,” said Stiennon, the cybersecurity research analyst. “Banks and defense contractors are much better at cyber defense. While the [US National Security Agency] is probably even more sophisticated than Russian cyber teams, those capabilities are not translated into our defenses.”

In 2014 and 2015 Russian intelligence agencies launched a cyberattack on US government agencies, stealing troves of sensitive information — including details about President Barack Obama’s schedule. And in May 2015, Russian hackers used malware to target a number of American and international banks, stealing some $900 million.

Parade of Victory in the Great Patriotic War. Photo by Russian Presidential Press and Information Office via Wikimedia Commons.

While Russia has not conducted a cyberattack of this scale against the US in several years, there has been a steady stream of alleged Russian attacks against the US and its Western allies this year, underscoring what some experts say is a less audacious but ever-present cyberthreat from Moscow.

“The Kremlin’s cyberattacks are often a part of the Kremlin’s efforts to shape perceptions and support the Kremlin’s information operations. For example, Russia’s cyberattacks on Ukraine’s electric grid and other critical infrastructure are intended to undermine trust in the Ukrainian government’s ability to provide basic services,” said Nataliya Bugayova, a national security research fellow who specializes in Russian affairs at the Institute for the Study of War, a US think tank.

“Similarly, IF the Kremlin is behind the recent wave of cyberattacks, the choice to target US government agencies and a prominent cyber security provider would align with its goal to undermine trust towards public and private sector institutions more broadly,” Bugayova told Coffee or Die Magazine in an email.

In July, multiple news sites reported that Russian hackers had tried to steal COVID-19 vaccine research from Western firms. In September, Reuters reported that Russian hackers had targeted the Biden presidential campaign.

Moreover, Russia’s cyberattacks against the US generally reflect the execution of tradecraft honed on other cyber-battlefields — most notably that of Ukraine, where Russia has also been waging a low-intensity trench war for years.

“These attacks definitely are similar to others we have seen from Russian groups,” Stiennon said, referring to the recent SolarWinds cyberattacks.

Since its invasion of Ukraine in 2014, Russia has maintained a low-level cyberoffensive against its former Soviet ally, targeting banks, railroads, the mining industry, and power grid. Military communications and secure databases have also been attacked, according to Ukrainian officials. Pro-Russian hackers have also leaked stolen, sensitive information from Ukrainian government networks and the accounts of government officials.

After more than six years of war, many towns in eastern Ukraine have been devastated. Photo by Nolan Peterson.

Cyberwarfare has been a key component of Russia’s ongoing, conventional military campaign in eastern Ukraine’s embattled Donbas region. Online disinformation campaigns have helped to cloud Western media reports about Russia’s direct involvement in military operations in the Donbas, as well as in Ukraine’s Crimean territory.

Russia has also launched cyberattacks against the governments of countries across Europe, including the Netherlands, Estonia, Germany, and Bulgaria.

“It is evident that Russia has fully embraced cyber espionage as part of their overall strategy to further their global interests,” LookingGlass, a US cybersecurity firm, said in a 2015 report. Nevertheless, Russian officials resolutely deny their country’s responsibility for the recently uncovered cyberattacks.

“We declare responsibly: malicious activities in the information space contradict the principles of the Russian foreign policy, national interests and our understanding of interstate relations,” the Russian Embassy to the US wrote on its Facebook page, adding: “Russia does not conduct offensive operations in the cyber domain.”

Nolan Peterson is a senior editor for Coffee or Die Magazine and the author of Why Soldiers Miss War. A former US Air Force special operations pilot and a veteran of the wars in Afghanistan and Iraq, Nolan is now a conflict journalist and author whose adventures have taken him to all seven continents. In addition to his memoirs, Nolan has published two fiction collections. He lives in Kyiv, Ukraine, with his wife, Lilya.