SolarWinds Hacked From Inside U.S., 100+ Orgs Compromised

‘As a country, we choose to have both privacy and security. [As a result], the intelligence community largely has no visibility into private sector networks,’ says Anne Neuberger, a top Biden administration cybersecurity official.

The likely Russian hackers behind the SolarWinds campaign launched their attack from inside the United States to complicate U.S. government efforts to observe their activity.

Nine federal agencies and roughly 100 private sector companies were compromised through a malicious update to the SolarWinds Orion network monitoring platform, according to a top cybersecurity official in the Biden administration. Many of the private sector compromises were of technology companies, with a focus on vendors whose products could be used to launch additional intrusions, Anne Neuberger said.

“There’s a lack of domestic visibility,” Neuberger, deputy national security advisor for cyber and emerging technology, said during a press briefing Wednesday. “So, as a country, we choose to have both privacy and security. [As a result], the intelligence community largely has no visibility into private sector networks.”

[Related: Feds: SolarWinds Breach Is Likely Russian Intel Gathering Effort]

The techniques used by the SolarWinds hackers have led Neuberger to believe that any files or emails on a compromised network were likely to have been compromised. Neuberger said the hackers focused on U.S. government agencies that would be of interest to an adversarial nation from a foreign intelligence perspective, and said there’s “certainly” a national security impact from the information hackers got.

“This isn’t the only case of malicious cyber activity of likely Russian origin, either for us or for our allies and partners,” Neuberger said. “So as we contemplate future response options, we’re considering holistically what those activities were.”

The SolarWinds hackers focused on the identity part of the network, which Neuberger said is the hardest to clean up. As a result, Neuberger said the U.S. government needs to increase its visibility into federal networks so that threats originating from sophisticated foreign actors can be detected and blocked.

An upcoming executive action from the Biden administration will likely end up taking eight actions to address security gaps that have been identified in the U.S. government’s review of the SolarWinds attack, Neuberger said. The federal probe into the SolarWinds attack is expected to last for several more months, but Neuberger said remediation steps are being implemented as the investigation proceeds.

As far as cost is concerned, Neuberger said the U.S. government will need to make cybersecurity investments that provide sufficient visibility into networks in the future. There’s additionally a cost associated with how a malicious actor could use the information compromised during the SolarWinds campaign, both from a monetary and from a national security perspective, according to Neuberger.

“Where this is a compromise of this scope and scale, both across government and across the U.S. technology sector to lead to follow-on intrusions, it is more than a single incident of espionage,” Neuberger said. “It’s fundamentally of concern for the ability of this to become disruptive.”

Neuberger cautioned that the U.S. government is still in the beginning stages of understanding the scope and scale of the SolarWinds attack. As a result, Neuberger said additional compromises might be detected, particularly given the technology companies that were breached.

The U.S. government is having daily conversations with private sector organizations in possession of visibility and technology that’s key to understanding the scope and scale of compromise, according to Neuberger. However, Neuberger said there are both legal barriers as well as other disincentives to the private sector sharing information with the government that need to be overcome.

Despite the barriers, Neuberger said the U.S. government has been sharing its insights both with private sector entities who’ve been compromised as well as those who have broader visibility. And in return, Neuberger said private sector firms have shared their insights to ensure it’s possible for the U.S. to determine the scope and scale of what occurred.

“This is a sophisticated actor who did their best to hide their tracks,” Neuberger said. “We believe it took them months to plan and execute this compromise. It’ll take us some time to uncover this layer by layer.”