Billions Spent on U.S. Defenses Failed to Detect Giant Russian Hack
The broad Russian espionage attack on the U.S. government and private companies, underway since spring and detected only a few weeks ago, is among the greatest intelligence failures of modern times.
WASHINGTON — Over the past few years, the United States government has spent tens of billions of dollars on cyberoffensive abilities, building a giant war room at Fort Meade, Md., for United States Cyber Command, while installing defensive sensors all around the country — a system named Einstein to give it an air of genius — to deter the nation’s enemies from picking its networks clean, again.
It now is clear that the broad Russian espionage attack on the United States government and private companies, underway since spring and detected by the private sector only a few weeks ago, ranks among the greatest intelligence failures of modern times.
Einstein missed it — because the Russian hackers brilliantly designed their attack to avoid setting it off. The National Security Agency and the Department of Homeland Security were looking elsewhere, understandably focused on protecting the 2020 election.
The new American strategy of “defend forward” — essentially, putting American “beacons” into the networks of its adversaries that would warn of oncoming attacks and provide a platform for counterstrikes — provided little to no deterrence for the Russians, who have upped their game significantly since the 1990s, when they launched an attack on the Defense Department called Moonlight Maze.
Something else has not changed, either: an allergy inside the United States government to coming clean on what happened.
The national security adviser, Robert C. O’Brien, cut short a trip to the Middle East and Europe on Tuesday and returned to Washington to run crisis meetings to assess the situation, but he and his colleagues have done whatever they could to play down the damage.
Asked on Tuesday whether the Defense Department had seen evidence of compromise, the acting defense secretary, Christopher C. Miller, said, “No, not yet, but obviously looking closely at it.” Other government officials say that is trying to turn ignorance about what happened into happy spin — it is clear the Defense Department is one of many government agencies that made extensive use of the software that Russia bored into.
Over the past few days, the F.B.I., the Cybersecurity and Infrastructure Security Agency and the Office of the Director of National Intelligence formed an urgent response group, the Cyber Unified Coordination Group, to coordinate the government’s responses to what the agencies called a “significant and ongoing cybersecurity campaign.”
At the very moment in September that President Vladimir V. Putin of Russia was urging a truce in the “large-scale confrontation in the digital sphere,” where the most damaging new day-to-day conflict is taking place, one of his premier intelligence agencies had pulled off a sophisticated attack that involved getting into the long, complex software supply chain on which the entire nation now depends.
“Stunning,” Senator Richard Blumenthal, Democrat of Connecticut, wrote on Tuesday night. “Today’s classified briefing on Russia’s cyberattack left me deeply alarmed, in fact downright scared. Americans deserve to know what’s going on.”
He called for the government to declassify what it knows, and what it does not know.
So far, and it is early yet, the hacking appears to be limited to classic espionage, according to a person briefed on the matter.
Briefings on the intrusion, including to members of Congress, have discussed the extent of the Russian penetration but have not outlined what information was stolen — or whether the access the hackers gained might allow them to conduct destructive attacks or change data inside government systems, a fear that looms above mere spying.
Investigators have not discovered breaches into any classified systems, only unclassified systems connected to the internet. Still, the intrusion seems to be one of the biggest ever, with the amount of information put at risk dwarfing other network intrusions.
On Wednesday morning, Senator Richard J. Durbin, Democrat of Illinois, called the Russian cyberattack “virtually a declaration of war.” He was wrong — all nations spy on each other, and the United States uses cyberinfiltration to steal secrets as well — but disparate Russian intelligence units have, in previous attacks, used similar access to shut systems down, destroy data and, in the case of Ukraine, shut off power.
The Russians have denied any involvement. The Russian ambassador to the United States, Anatoly I. Antonov, said there were “unfounded attempts by the U.S. media to blame Russia” for the recent cyberattacks, in a discussion hosted by Georgetown University on Wednesday.
President Trump has said nothing, perhaps aware that his term in office is coming to an end just as it began, with questions about what he knew about Russian cyberoperations, and when. The National Security Agency has been largely silent, hiding behind the classification of the intelligence. Even the Cybersecurity and Infrastructure Security Agency, the group within the Department of Homeland Security charged with defending critical networks, has been conspicuously quiet.
Mr. Blumenthal’s message on Twitter was the first official acknowledgment that Russia was behind the intrusion.
Curiously, the Russian attack barely featured as a footnote at a Senate Homeland Security and Governmental Affairs Committee hearing on Wednesday, which featured testimony from Christopher Krebs, the cybersecurity chief who was fired last month after refusing to back Mr. Trump’s baseless claims of voter fraud. The hacking took place during Mr. Krebs’s tenure as director of the Cybersecurity and Infrastructure Security Agency, but senators did not ask him about it at the hearing, instead focusing on the hacking that wasn’t: baseless allegations of fraud in the November election.
Some Trump administration officials have acknowledged that several federal agencies — the State, Homeland Security, Treasury and Commerce Departments, as well as parts of the Pentagon — were compromised in the Russian hacking. But investigators are still struggling to determine the extent to which the military, intelligence community and nuclear laboratories were affected.
The hacking is qualitatively different from the high profile hack-and-leak intrusions that the G.R.U., the Russian military intelligence division, has carried out in recent years. Those G.R.U. intrusions, like the 2016 hacking of the Democratic National Committee, were intended to be short term — to break in, steal information and make it public for a geopolitical impact.
The S.V.R., a stealthier secret-stealer believed to be behind the new hacking, broke into the D.N.C. systems too, and those of the State Department in 2015, but the intent was not to release the information they found or damage systems they entered. Instead it was hoping for long-term access, able to slowly monitor unclassified, but sensitive, government deliberations on a range of topics.
Inside banks and Fortune 500 companies, executives are also trying to understand the impact of the breach. Many use the network management tool that the hackers quietly bored into in order to carry out their intrusions, which is called Orion and made by the Austin, Texas-based company SolarWinds. Los Alamos National Laboratory, where nuclear weapons are designed, also uses it, as do major military contractors.
“How is this not a massive intelligence failure, particularly since we were supposedly all over Russian threat actors ahead of the election,” Robert K. Knake, a senior Obama administration cybersecurity official, asked on Twitter on Wednesday. “Did the N.S.A. fall in a giant honey pot while the S.V.R.” — Russia’s most sophisticated spying agency — “quietly pillaged” the government and private industry?
Of course, the N.S.A. is hardly all-seeing, even after placing its probes and beacons into networks around the world. But if there is a major investigation — and it is hard to imagine how one could be avoided — the responsibility of the agency, run by Gen. Paul M. Nakasone, one of the nation’s most experienced cyberwarriors, will be front and center.
The S.V.R. hackers took immense pains to hide their tracks, said the person briefed on the intrusion. They used American internet addresses, allowing them to conduct attacks from computers in the very city — or appearing so — in which their victims were based. They created special bits of code intended to avoid detection by American warning systems and timed their intrusions not to raise suspicions — working hours, for example — and used other careful tradecraft to avoid discovery.
The intrusion, said the person briefed on the matter, shows that the weak point for the American government computer networks remains administrative systems, particularly ones that have a number of private companies working under contract. The Russian spies found that by gaining access to these peripheral systems, they could make their way into more central parts of the government networks.
SolarWinds was a ripe target, former employees and advisers say, not only for the breadth and depth of its software, but for its own dubious security precautions.
The company did not have a chief information security officer, and internal emails shared with The New York Times showed that employees’ passwords were leaking out on GitHub last year. Reuters earlier reported that a researcher informed the company last year that he had uncovered the password to SolarWinds’ update mechanism — the vehicle through which 18,000 of its customers were compromised. The password was “solarwinds123.”
Even if the Russians did not breach classified systems, experience shows that there is lots of highly sensitive data in places that do not have layers of classification. That was the lesson of the Chinese hacking of the Office of Personnel Management five years ago, during the Obama administration, when it turned out that the security-clearance files on 22.5 million Americans, and 5.6 million sets of fingerprints, were being stored on lightly protected computer systems in, of all places, the Department of the Interior.
They are now all in Beijing, after the files were spirited out without setting off alarms.
“An intrusion like this gives the Russians a rich target set,” said Adam Darrah, a former government intelligence analyst, now director of intelligence at Vigilante, a security firm. “The S.V.R. goes after these targets as a jumping off point to more desirable targets like the C.I.A. and N.S.A.”