Officials have raised concerns for years about the potential that networks associated with the Department of Energy were susceptible to cyber breaches from foreign adversaries, according to four current and former officials.
Now such a breach has taken place. On Thursday, the Department of Energy announced that it was responding to a “cyber incident” in which officials discovered malware related to corrupted versions of SolarWinds software on its networks, including at the National Nuclear Security Administration (NNSA). NNSA, which is housed within DOE, is responsible for maintaining the country’s nuclear stockpile. The DOE statement, a copy of which was obtained by The Daily Beast, said the incident was “related to the Solar Winds compromise,” which hackers have used to break into a range of federal agencies’ networks over the past nine months. A spokesperson for DOE said the department was responding to the incident “in real time” and that only business networks were affected.
Politico was the first to report that hackers had breached networks at DOE, NNSA, and the Federal Energy Regulatory Commission (FERC), including those at the Sandia and Los Alamos national laboratories, as well as the Office of Secure Transportation. U.S. officials reportedly believe the intrusions are the work of Russia’s Foreign Intelligence Service.
One individual who previously worked with NNSA said the laboratories in Sandia and Los Alamos operate on two separate systems, one classified and one unclassified. Although it appears no classified information was accessed, the former employee said the unclassified system holds sensitive information such as payroll data, job descriptions, and other business material.
“This simply should not have happened,” one former senior national security official said. “We need to be asking questions about whether we need to defend ourselves differently.”
According to current and former officials, concerns about cyber breaches were aired internally within the federal agencies and by the intelligence community at several points throughout the last three years, raising questions about what steps the government took in response. The years-long conversation about network vulnerability, particularly as it relates to the U.S. nuclear weapons systems and the national electrical grid, highlights the lengths to which the U.S. still needs to go to safeguard sensitive national security interests, former officials say.
“We have always assessed that these breaches could have extraordinary consequences on our infrastructure and on our security,” said Dan Coats, former director of national intelligence. “We are dealing with a global war. A cyber war. It is a global game of chess. You make one move and someone finds a way around it. We need to make it so all the defenses are in place. But you can only play defense so long. We got to get the ball out of their hands and go on offense.”
There’s no evidence that the hacks have sought to damage networks or attack critical infrastructure that controls kinetic hardware. But the broad scope of the break-ins has left cybersecurity experts debating how to respond to the intrusions. Some, like former Trump homeland security adviser Tom Bossert, have argued for an aggressive response and that “all elements of national power must be placed on the table.” Others, however, view the break-ins as more akin to traditional espionage and argue against war metaphors and martial language to guide a response.
The Washington Post first reported on Sunday that hackers, believed to be Russian, had compromised the Departments of Treasury and Commerce through network monitoring software made by SolarWinds.
Shortly before the Post story was published, cybersecurity firm FireEye reported that hackers had broken into the company and stolen software tools used to mimic attacks, in a breach later attributed to the SolarWinds vulnerability. Since then, the Post has reported that a host of other federal agencies, including the Departments of Defense, State, and Homeland Security and the National Institutes of Health, were potentially affected by the hack.
The hackers infiltrated their targets by breaking into SolarWinds’ network and using their access to push out a malicious update of the company’s program, Orion, to customers.
In a statement to the Securities and Exchange Commission, SolarWinds officials said that as many as 18,000 of its 300,000 customers were potentially exposed to the corrupted version of its software. The company also reported that the compromised software had been installed on customer systems as far back as March, meaning hackers may have had nine months to root around victims’ networks undisturbed.
Once installed, the malware stays dormant for a period of two weeks, after which it camouflages itself to look like normal network traffic as it reaches out to a command and control server and receives instructions and relays information outside the targets’ network, according to a technical assessment published by FireEye.
Neither U.S. officials nor cybersecurity experts have formally attributed the hacks to any actor, but officials told the Post they believe the break-ins were carried out by hackers from Russia’s Foreign Intelligence Service, often referred to by the nicknames “APT 29” and “Cozy Bear.” APT 29 hackers are known for their stealth and skill and were allegedly responsible for 2014 breaches of email systems at the State Department. The hackers were also allegedly responsible for an attempt to spear phish federal agencies and think tanks with malware-laden emails impersonating a State Department official in 2018.
In an update published on Thursday, the Cybersecurity and Infrastructure Security Agency (CISA) wrote that the hackers behind the SolarWinds break-ins have “demonstrated patience, operational security, and complex tradecraft.” Cybersecurity officials also warned that the SolarWinds vulnerability “is not the only initial infection vector this APT actor leveraged,” suggesting that the hackers may have found other backdoors through which to gain access to federal agencies’ networks.
U.S. Sens. Jim Inhofe (R-OK) and Jack Reed (D-RI), chairman and ranking member of the Senate Armed Services Committee, respectively, said in a statement Thursday evening that they had been notified about the “sophisticated and ongoing cybersecurity intrusion” affecting federal agencies.
“There is still much we don’t know about the massive cyber hack that breached U.S. cyber defenses, including federal agencies and major private sector companies. But we do know the cyber intrusion appears to be ongoing and has the hallmarks of a Russian intelligence operation,” the statement said. “The U.S. government must do everything possible to counter it.”
Former and current officials who spoke to The Daily Beast said the incoming Biden administration will ultimately have to determine whether to punish Russia for the attack, potentially through sanctions, and whether to do so in the days following the inauguration.
“We are literally at war against people who are trying to undermine us,” Coats said. “There are some parts of the federal government that have had significant success in terms of dealing with these issues. But this really is going to turn into an all hands on deck situation.”