Cyber Command: ‘No evidence’ that SolarWinds attackers compromised DoD networks
As the Biden administration assesses the fallout from the Russia-linked hacking campaign that has been called “the largest and most sophisticated attack the world has ever seen,” the executive director of a key military command involved in the response said Wednesday that attackers did not seem to compromise Defense networks.
Hundreds of public and private sector organizations were impacted by the incident discovered late last year that made use of multiple attack vectors, including a supply chain attack that allowed hackers to modify updates sent to customers using SolarWinds’ Orion software. Several federal departments and agencies, including the Treasury, the Department of State, and the Department of Justice, were reportedly hit by the breach, but the most serious target was perhaps the Pentagon—The New York Times reported in December that parts of the Department of Defense were compromised, but it was not clear to what extent.
On Wednesday, the executive director of U.S. Cyber Command, which is tasked with defending DoD networks and has also been involved in offensive cyber operations, said that while the attackers had a grasp on department infrastructure, they did not seem to successfully compromise it.
“To date, there’s no evidence of a compromise in DoD networks because of the SolarWinds attack,” said Dave Frederick of Cyber Command at a virtual event hosted by The Intelligence and National Security Alliance. “That doesn’t mean we weren’t exposed… The layers of defense we had in place prevented the adversary from advancing from the toehold they had.”
Cyber Command has been acting in a supporting role in the U.S.’s overall response to the attack, and has been putting together options for the National Security Council and President Biden, said Frederick, who sits under General Paul Nakasone, the head of Cyber Command and the director of the National Security Agency. White House officials have suggested there will be a number of measures—including sanctions, a cybersecurity-related executive order, and the possibility of offensive retaliation using clandestine actions.
Although Frederick called the attack a “very serious” and “very damaging” incident, he cautioned that it was not the “Cyber Pearl Harbor” that policymakers have warned about. The attack so far appears to be espionage, and did not result in any loss of life—but also unlike the real Pearl Harbor, the failure to detect it had more to do with an overabundance of information than with a lack of it, he said.
When asked about the other unfolding cybersecurity incident that the White House is responding to—the exploitation of four newly identified flaws in Microsoft Exchange Server by a China-linked group—Frederick said it’s “still pretty early” to offer an assessment, but that Cyber Command has been examining all the vulnerable servers across the DoD to make sure they’re quickly patched. He added that it was “very concerning about the indiscriminate, broad use of that exploit from the adversary, so it’s definitely going to be a concern.”
Frederick called Cyber Command’s defensive mission a “daunting job” due to the sprawling nature of the Defense Department’s network.