Russian Hackers’ Motive Baffles U.S.: Mere Espionage, or Worse?

As researchers from Silicon Valley to Washington race to understand the full impact of the massive cyber-attack that breached computer networks in the government and private sector, one of their thorniest unanswered questions centers on motive.

Already, investigators and government officials have pointed to an elite group of hackers tied to the Russian government and suggested a fairly obvious rationale: that it was an espionage operation aimed at nabbing classified intelligence and other inside information.

But some lawmakers and people involved in the investigations have said that the magnitude and breadth of the hack point to other objectives, including undermining Americans’ faith in the systems themselves. U.S. cybersecurity officials have warned that the attackers pose a “grave risk” to federal, state and local government agencies, in addition to the private sector and critical infrastructure, which could include anything from the electrical grid to transportation networks.

Some have even likened the attack to an act of war, raising the stakes in how the U.S. might respond.

Chris Inglis, former deputy director of the U.S. National Security Agency, said the attack extended beyond typical cyber-espionage because the attackers dispersed their malicious code so widely, even to potential targets with no obvious intelligence value.

“They’ve blown out the possibility that this is simply an intelligence operation,” he said. “They’re clearly attacking the confidence that we as a society have in those systems.”

Melissa Hathaway, former cybersecurity adviser to presidents George W. Bush and Barack Obama, said in a panel discussion on the attacks Tuesday that “key utilities” in the U.S. were also at risk. “We cannot ignore the fact that this is also a protocol that can be used against the industrial control systems.”

The hacks are ongoing too, with the hackers still operating within breached networks, according to Microsoft Corp. That access gives them the ability to conduct a more damaging attack, like deleting data or shutting down systems. “When you have this much of persistent access, you have leverage,” Hathaway said.

The debate over the motive comes as some members of Congress and former U.S. officials are calling for an aggressive response beyond what has been tried following previous cyber-attacks. Determining the motive for the suspected Russian hackers’ ambitious attack is important as it will help determine in part how President Donald Trump -- or more likely incoming President-elect Joe Biden -- responds.

Trump has downplayed the attack, while Biden has vowed to hold the culprits to account. “They can be assured we will respond and respond in kind,” Biden said.

A wide range of possibilities are on the table, including both overt measures and others that are unlikely to ever become public. They include targeted sanctions, Justice Department indictments against the hackers, covert operations and the use of the U.S.’s own formidable offensive cyber capabilities, according to a person familiar with the discussions.

Biden’s incoming chief of staff, Ron Klain, said on “Face the Nation” on Sunday that the options aren’t limited to sanctions. “It’s steps and things we could do to degrade the capacity of foreign actors to engage in this sort of attack.” But he added, “I think there’s still a lot of unanswered questions about the purpose, nature and extent of these specific attacks.”

Inquiries into the attack are ongoing, and it may take months before investigators determine what the hackers stole -- or secretly reviewed -- and what their motivations were.

The U.S. response may also be muddied by its own cyber-attacks in Russia and elsewhere, many of which haven’t been made public. In 2015, after Chinese hackers breached the Office of Personnel Management, then Director of National Intelligence James Clapper suggested the U.S. would do the same thing if given the chance. “You have to kind of salute the Chinese for what they did,” he said. “If we had the opportunity to do that, I don’t think we’d hesitate for a minute.”

In the most recent cyber-attack, the hackers installed malicious code into updates of popular IT software from Texas-based SolarWinds Corp., whose customers include U.S. government agencies and Fortune 500 companies, authorities have said. SolarWinds has said as many as 18,000 customers received the malicious update, which served as a sort of secret backdoor that hackers could later use to dive deeper into computer networks.

The hackers breached the departments of Treasury, Commerce, State and Homeland Security as well as the National Nuclear Security Administration. They also hacked into the cybersecurity company FireEye Inc., whose investigation of its own breach led to the discovery of the malicious update in SolarWinds’s Orion software.

Bloomberg News reported that investigators have identified at least 200 government agencies and companies that were hacked using SolarWinds’s backdoor, but the identities of many of the victims aren’t yet publicly known.

U.S. officials including outgoing Attorney General William Barr, as well as cybersecurity experts, have fingered Russia as the most likely culprit; some experts have suggested the attack bears the hallmarks of Russia’s APT 29 hacking group, which is also known as Cozy Bear.

In the days after the attack, Senator Mark Warner, Democrat from Virginia, was among those who pointed to spying as motive. The vice chairman of the Senate Intelligence Committee, Warner said the attack was “a very, very sophisticated espionage attempt to take information, key information.”

Dmitri Alperovitch, co-founder and former chief technology officer of the cybersecurity firm CrowdStrike, agreed with Warner’s take.

“Motive has been obvious since the beginning. This is a data and intelligence collection operation,” said Alperovitch, who is now chairman of the Silverado Policy Accelerator.

The fact that the hackers gained access to the email accounts of high-ranking U.S. government officials supports the idea that the suspected Russian hackers were engaged in a massive spying operation. On Monday, Senator Ron Wyden, Democrat from Oregon and the ranking member of the Senate Finance Committee, provided the most compelling evidence to date to support the espionage theory. Following a briefing from Treasury officials, Wyden said hackers had gained access to the email accounts of the department’s highest-ranking officials but that Treasury still doesn’t have a full accounting of what the hackers did.

The hackers also broke into about three-dozen email accounts at the Commerce Department’s National Telecommunications and Information Administration, including those of senior leadership, the Wall Street Journal reported.

Frank Cilluffo, director of the McCrary Institute for Cyber and Critical Infrastructure Security at Auburn University and an adviser to the Department of Homeland Security, said it’s simply too soon to know for sure what the hackers were after, even as it looks initially like a “massive intelligence coup.”

“That doesn’t necessarily mean they can’t use those footholds for more disruptive actions in the future,” he said. “It’s hard to know until the damage assessment is complete.”

©2020 Bloomberg L.P.