The Facts and Mysteries About Russia’s Hack of the U.S.

The sophisticated, damaging and ongoing hacking campaign that U.S. officials are blaming on Russia has alarmed security firms and sent shock waves through the U.S. government and private sector. Much remains unclear, including how many government agencies and private companies have been hacked and what information has been stolen or reviewed by the attackers. The motive also remains a mystery: Is it espionage or something even more destructive?

1. How did this happen?

The hack, discovered in December but possibly begun as early as last March, is what’s known as a supply chain attack or a third-party attack, meaning the initial target wasn’t the U.S. government but one of its software suppliers. In this case, the supplier was Texas-based SolarWinds Corp., whose products many government agencies and Fortune 500 companies use to manage their information technology. The hackers installed a so-called backdoor into SolarWinds’s popular Orion software. Over time, that infected software found its way onto the servers of some SolarWinds clients, allowing the hackers to return and access those computer systems. The Cybersecurity and Infrastructure Security Agency, known as CISA, said it has evidence that the hackers also used other methods to infiltrate networks, in addition to the backdoor in SolarWinds’s software.

2. Who was affected?

According to SolarWinds’s regulatory filings, the infected software may have reached as many as 18,000 of its customers, via updates that contained the malicious code. But the hackers almost certainly waged further attacks -- meaning actively infiltrating their computer networks -- on a smaller number of victims. Recorded Future Inc., a Massachusetts cybersecurity firm, said on Dec. 19 it had identified about 200 victims, an estimate backed by three people familiar with ongoing investigations. The list of known victims so far includes the federal departments of State, Treasury, Homeland Security, Commerce and Energy, including its nuclear weapons agency, and at least three states. It’s not yet clear how many private companies have been hacked. Microsoft Corp. said it had discovered that 40 of its customers were compromised, including government agencies, cybersecurity firms and other private-sector clients. The cybersecurity firm FireEye Inc. was also a victim; an investigation into the breach there is what led to the discovery of the SolarWinds backdoor.

3. What’s the damage?

The scope of the damage won’t be clear for some time. One of the major questions is whether the attackers’ goal was simple espionage -- exfiltrating or reviewing data from the organizations they hit -- or whether they also plan more destructive attacks sometime in the future. “If it is cyber-espionage, it is one of the most effective cyber-espionage operations we’ve seen in quite some time,” said John Hultquist, a senior director at FireEye. Finding the extent of the hack, repairing compromised systems and remediating the damage will be costly and time-consuming for victims, cybersecurity experts say.

4. What evidence points to Russia?

U.S. intelligence agencies and the FBI said on Jan. 5 that the responsible party is “an Advanced Persistent Threat (APT) actor, likely Russian in origin,” and that the hack seems to be “an intelligence gathering effort.” (APT is a term used in the cybersecurity world to describe a persistent and sophisticated attacker.) A prime suspect is APT 29, a notorious group of hackers tied to the Russian government. The Kremlin denies involvement. President Donald Trump, who has previously contradicted U.S. assessments of Russian cyber activity -- including a Russian hacking and disinformation campaign in the lead-up to the 2016 presidential election -- has downplayed the hack and Russia’s role in it. He suggested in a tweet that China was involved. Members of his party disagree. Marco Rubio, acting chairman of the Senate Judiciary Committee, said the hack -- which he characterized as “the gravest cyber intrusion in our history” -- was conducted by “Russian intelligence.”

5. What is APT 29?

Also known in the security community as Cozy Bear or the Dukes, the hacking group dates back to 2008 and has long targeted corporations and governments. The U.S., U.K. and Canada have assessed that APT 29 is “a cyber-espionage group, almost certainly part of the Russian intelligence services.” It was one of two Russian hacking groups that breached the Democratic National Committee prior to the 2016 presidential race and, in July 2020, was accused by the U.S. and U.K. of targeting organizations involved in researching a vaccine for Covid-19. The cybersecurity firm CrowdStrike began tracking the group in 2014 and said it is known for casting “a wide net” of victims and for “changing tool sets frequently.”

6. Will the U.S. retaliate?

Previously the U.S. has retaliated for Russian cyber operations by imposing sanctions, indicting hackers and green-lighting classified cyber operations of its own. Unlike Trump, who has downplayed Russian cyber-attacks, President-elect Joe Biden is expected to take a harsher approach. “I want to be clear: My administration will make cybersecurity a top priority at every level of government -- and we will make dealing with this breach a top priority from the moment we take office,” Biden said on Dec. 17. One potential issue: The U.S. already has myriad sanctions in place targeting Vladimir Putin’s Russia for previous breaches of international amity.

©2021 Bloomberg L.P.
