Revelations of Cyberattacks on U.S. Likely Just “Tip of the Iceberg”

Pazzanese: Russia’s foreign intelligence service, the SVR, is believed to be responsible. Does it look like the work of Russian hackers? Could it be anyone else?
Lauren Zabierek: There’s definitely a limited pool of actors that could pull off such a sustained, targeted, far-reaching campaign. I certainly can’t attribute it to a specific actor; I would definitely leave it up to the experts to make that determination. In general, the Russians are definitely interested in government targets, in sowing distrust, especially with the FireEye piece of it, in those particular institutions, and the targeted and sustained espionage against our federal entities, whereas a North Korean attack or breach would be more financially motivated. The WannaCry hack was really intended to generate finances. China, again very generally, tends to focus on intellectual property theft or stealing data on people. But to me, this definitely seems more like a Russian operation.

I do think it’s interesting that they targeted this particular piece of software that many of us haven’t heard of that is used by a large swath of customers. I think that alone probably took a very long time to discover on their part. So then, that initial targeting and then probing into seeing what vulnerabilities are there and if there are any zero-day vulnerabilities, and then developing the exploits for those, and then penetrating those holes and then getting in — the timeline they’re saying it began in spring 2020 — that seems very, very quick. Not a lot of time to execute such an attack.

Kolbe: The Chinese have the capabilities to do it and it would be well within their M.O. But from what I’m reading, the specific malware tools being used are pretty clearly identifiable with the Russians and with SVR.

Pazzanese: As the list of victimized entities grows, does that suggest more about what they were after?

Kolbe: One of the striking things is how long this has apparently taken place. They’ve had a lot of time to sit quietly in the digital shadows, mapping out the networks, studying them, seeing where they link to, seeing where pockets of information are that may be useful, going after some things that they know they want. But also, almost certainly, finding and scooping up things for use on a rainy day.

As far as scope, it just shows it’s much wider. It shows a really voracious appetite for lots of different, potentially valuable sources of information and data. Nothing I’ve seen really shows — and it’s going to be a while before folks figure out, if ever, what was actually accessed and what was actually exfiltrated and stolen — but the fact that it’s so many organizations across such a broad scope of activities indicates a “casting a wide net” approach. But certainly then within those organizations, there are undoubtedly efforts to identify and target the most valuable datasets. Almost certainly they weren’t able to get to everything that they might have had access to. [Something] like 13,000 or 18,000 different companies had uploaded the software. I mean, that’s a massive potential effort.

Pazzanese: The U.S. is still litigating the last major Russian breach from 2015‒2016. Are you surprised an attack of this magnitude has happened again so soon?
Kolbe: No, I’m surprised that we don’t hear about more. SVR, the Chinese, others, they’ve all built huge capabilities, they’re well-resourced, well-staffed, [and] focused on doing exactly this. This is not a one-off, this is not something unusual. The extent of it sounds quite grand, but is, in fact, what’s reality and what’s taking place every day. I guarantee you that there are other operations similar in size and scope, if not larger, that haven’t been discovered.

Pazzanese: How does an investigation of this get done and how long could that take?
Kolbe: There will be a huge forensics operation to determine what happened, i.e., following the breadcrumbs, with whatever breadcrumbs they can find, trying to determine where did it come in, what systems did it proliferate out into? And that may be impossible to determine because a lot of times what happens is, as folks maneuver through the networks, they’re erasing their tracks as they go. And if there’s been exfiltrating of information, i.e., stealing it, it won’t be gone, so it’s hard to determine if it’s been stolen or not. So we may actually never know exactly what systems were accessed and what information was lost. So it’s a massive forensics job, a massive triage of what would have been most important, and then a damage assessment: If this was lost, what does it mean?

Pazzanese: That could take a long time to complete. Potentially months?
Kolbe: Easily.

Pazzanese: What can be done to shore up breached systems while an investigation is underway?
Zabierek: There are a lot of things that we can do in the meantime. You have your incident responders who are going to essentially clear out and rebuild or clear out and shut down any sort of holes in the network. So, kick out any intruders, potentially patch any of those vulnerabilities if they need to continue working with that particular software.

CISA, the Cybersecurity and Infrastructure Security Agency, they’re responsible for protecting federal networks and, of course, the Department of Defense is responsible for protecting DoD networks. So right now you definitely have cyber defenders in the DoD working to make sure that our DoD networks are protected and not being compromised. But there is a real lack of capability now without a confirmed director.

Later, once attribution is finalized, then the federal government, the administration, whether it’s before Biden takes leadership or not, can make a decision on what they’re going to do at that level. We have the Office of Cyber Engagement in the State Department, but that bureau had been folded into, I think, economic affairs. So you don’t have that confirmed, high-level cyber diplomat anymore to engage diplomatically.

You do have CyberCom [U.S. Cyber Command] that is going to be engaging in cyberspace; the intelligence community is doing certain things. But from a domestic standpoint, the current administration has hobbled our ability to respond in certain ways. I’m not really sure what they would do. If there is a national cyber director [under the Biden administration], for instance, and they reinstall that State Department Bureau of Cyber Affairs, then I think that you’ll have a much stronger response.

Pazzanese: Will an investigation and U.S. response be hampered by the transition to a new administration?
Kolbe: I don’t think so. It fits into a long, long, long pattern of spy vs. spy. And whether it’s human spies or cyber spies, digital spies or human spies, that game continues. Spies will get caught, there will be a brief flurry of press and protests and expressions of shock, and then folks get back to business. I don’t think the Biden administration will allow what’s essentially an uncovered espionage operation to change their views of Russia, which I think are pretty clear-eyed to begin with. It’s not going to help any renewal of discussions. But on things like arms control and other issues that are a core interest in bilateral relations, it’s also not going to impact those, I don’t think.

Pazzanese: Would President-elect Biden and Vice President-elect Harris receive detailed intelligence about this so they’re up to speed?
Kolbe: Absolutely, if for no other reason than transition staff is a highly attractive target themselves.

Interviews were edited for clarity and length.

Christina Pazzanese is Harvard staff writer. This interview, which has been edited for clarity and length, is published courtesy of the Harvard Gazette, Harvard University’s official newspaper.