Congress

Four Things We Learned (And Four Things That Remain Unclear) About the Russia Hack

The U.S. Senate and House of Representatives hauled the CEOs of SolarWinds, FireEye, CrowdStrike and Microsoft onto (semi-virtual) Capitol Hill last week to answer questions about the sweeping Russian compromise of U.S. government and corporate networks—the first public hearings dedicated to the campaign to date.   

In honor of the occasion, The Record watched 7.5 hours of testimony so you didn’t have to. Here are eight key takeaways: 

Four things we learned: 

Congress is taking it seriously. Congress does not have a sterling reputation when it comes to conducting hearings on cutting-edge technology. But cybersecurity enthusiasts should take heart: Overall, Congress displayed a strong understanding of core cybersecurity concepts throughout the week. If nothing else, the Tuesday Senate hearing boasted full committee participation, a strong indicator of how seriously congress is taking things. By contrast, it is representatives from Amazon who appear to be asleep at the wheel—their absence from the hearings on Tuesday drew the ire of several lawmakers. 

Momentum is building toward new information-sharing mechanisms. If there was one thing everyone agreed on last week, it’s that the government and the private sector need a better way to share information about digital threats. Important questions remain—such as to whom new rules would apply, where companies would report, and whether victims would receive liability protection in exchange for transparency—but one detail appears likely to stick. Any forthcoming legislation, witnesses agreed, should distinguish between two distinct priorities: post facto breach notification and ex ante threat intelligence sharing.  

Don’t expect more victims to come forward. Two weeks ago, the U.S. government announced it had identified about 100 private companies and nine government agencies that had been targeted for second-stage activity by the Russians. However, don’t expect more disclosures anytime soon. FireEye, Microsoft, and SolarWinds each said they came forward about their respective breaches because they felt they had a moral—not a legal—obligation to do so. In fact, that is why those companies found themselves in the unique position of inviting more regulation and oversight from the government. 

It might be time for a new name. Approximately 30% of the victims in the ongoing campaign did not use SolarWinds’s Orion software, according to lawmakers, the witnesses, and other astute readers of the Wall Street Journal. So, is it time for a name that doesn’t pin all the blame on SolarWinds? Rep. Peter Meijer (R., MI) was the only congressperson bold enough to try one out. During his questioning, Meijer referred to the intrusions as the “Holiday Bear campaign,” a nod to the many corporate security teams that spent their winter holiday trying to fend off the Kremlin. We’ll see if it sticks.

The footholds these hackers gained into private networks, including some of the world’s largest IT vendors, may provide opportunities for future intrusions for years to come.”

Sen. mark warner, during the first public hearing on russian cyberattack

Four things that remain unclear:

We still don’t know how the hackers got into SolarWinds. It’s one of the central questions remaining for investigators, but SolarWinds CEO Sudhakar Ramakrishna offered some breadcrumbs last week. According to Ramakrishna, the company has narrowed their investigation to three possible intrusion vectors: password spraying, credential theft, or a vulnerability in third-party software. Those looking to settle a score with the New York Times will be disappointed, however: Ramakrishna equivocated when asked about a controversial Times article suggesting the hackers broke into SolarWinds through JetBrains, a Czech software development company. 

We don’t know exactly what the hackers were after. Although we don’t know the specifics, FireEye CEO Kevin Mandia did say that the digital sleuths primarily went after documents and emails relating to U.S. government personnel and projects. For his part, Brad Smith, president of Microsoft, suggested that the intrusions also served a counter-intelligence function. The attackers appeared to infiltrate U.S. technology companies, surmised Smith, not to steal IP but to ascertain how they track Russian cyber operators. Still, “We may never know how the [stolen] information will be used and how it is benefiting our adversary,” cautioned Mandia. 

The Russians did it—but it has yet to be pinpointed to a definitive group. Since FireEye disclosed it had been breached in early December, the Russians have been rumored to be the culprits behind the ongoing campaign. But two months and one “watered-down” U.S. government attribution statement later, no one has been able to prove it. Don’t get confused: All that really means is the Russians took a remarkable degree of care to cover their tracks. Consider this: the Russians only compromised 77 individual accounts in the 60 corporate victims that Microsoft has direct knowledge of, according to Smith. 

It is unclear what the U.S. will do next. In the short-term, responding to the Russian campaign falls less on Congress than the White House, which is already planning to implement new sanctions against the Kremlin sometime this week. But legislators did express broad support for imposing consequences on Russia and drawing clearer lines for permissible behavior in cyberspace. One problem for the U.S.? Any response will need to take into account Russia’s persistent access to a wide number of U.S. systems. “The footholds these hackers gained into private networks, including some of the world’s largest IT vendors, may provide opportunities for future intrusions for years to come,” warned Sen. Mark Warner.  

And one bonus word of caution. 

Be wary of the blame game. Both the current and former CEOs of SolarWinds have come under criticism for appearing to blame an intern’s lackluster cyber hygiene for the company’s breach. SolarWinds’s record of poor security practices notwithstanding, the soundbite that provoked the backlash is misleading. For one, the two CEOs never suggested that that incident, which occured in 2017, bore any connection to the Russian intelligence operation. Moreover, the notion that marginal improvements in cyber hygiene would have thwarted the intrusion belies the skill, savvy, and patience of the Russian sleuths.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles