Billions spent on US cyber-defences failed to detect giant Russian hack

The US Defence Department is one of many government agencies that made extensive use of the software that Russia bored into. ST PHOTO: KELVIN CHNG

WASHINGTON (NYTIMES) - Over the past few years, the US government has spent tens of billions of dollars on cyber-offensive capabilities, building a giant war room at Fort Meade, Maryland, for US Cyber Command, while installing defensive sensors all around the country - a system named Einstein to give it an air of genius - to deter the nation's enemies from picking its networks clean, again.

It now is clear that the broad Russian espionage attack on the US government and private companies, underway since spring and detected by the private sector only a few weeks ago, ranks among the greatest intelligence failures of modern times.

Einstein missed it - because the Russian hackers brilliantly designed their attack to avoid setting it off. The National Security Agency and the Department of Homeland Security were looking elsewhere, understandably focused on protecting the 2020 election.

The new US strategy of "defend forward" - essentially, putting American "beacons" into the networks of its adversaries that would warn of oncoming attacks and provide a platform for counter-strikes - provided little to no deterrence for the Russians, who have upped their game significantly since the 1990s, when they launched an attack on the Defence Department called Moonlight Maze.

Something else has not changed, either: an allergy inside the US government to coming clean on what happened.

The national security adviser, Robert C. O'Brien, cut short a trip to the Middle East and Europe on Tuesday and returned to Washington to run crisis meetings to assess the situation, but he and his colleagues have done whatever they could to play down the damage.

Asked Tuesday whether the Defence Department had seen evidence of compromise, the acting defence secretary, Christopher C. Miller, said, "No, not yet, but obviously looking closely at it."

Other government officials say that is an attempt to turn ignorance about what happened into happy spin: it is clear the Defence Department is one of many government agencies that made extensive use of the software that Russia bored into.

At the very moment in September that President Vladimir Putin of Russia was urging a truce in the "large-scale confrontation in the digital sphere," where the most damaging new day-to-day conflict is taking place, one of his premier intelligence agencies had pulled off a sophisticated attack that involved getting into the long, complex software supply chain on which the entire nation now depends.

"Stunning," Democratic Senator Richard Blumenthal of Connecticut wrote Tuesday night. "Today's classified briefing on Russia's cyber-attack left me deeply alarmed, in fact downright scared. Americans deserve to know what's going on."

He called for the government to de-classify what it knows and what it doesn't know.

So far, and it is early yet, the hack appears to be limited to classic espionage, according to a person briefed on the matter.

Briefings on the intrusion, including to members of Congress, have discussed the extent of the Russian penetration but have not outlined what information was stolen - or whether the access the hackers gained might allow them to conduct destructive attacks or change data inside government systems, a fear that looms above mere spying.

Investigators have not discovered breaches into any classified systems, only unclassified systems connected to the internet. Still, the intrusion seems to be one of the biggest ever, with the amount of information put at risk dwarfing other network intrusions.

On Wednesday morning, Democratic Senator Dick Durbin of Illinois called the Russian cyber-attack "virtually a declaration of war." He was wrong - all nations spy on each other and the United States uses cyber-infiltration to steal secrets as well - but disparate Russian intelligence units have, in previous attacks, used similar access to shut systems down, destroy data and, in the case of Ukraine, shut off power.

The Russians have denied any involvement. The Russian ambassador to the United States, Anatoly I. Antonov, said there were "unfounded attempts by the US media to blame Russia" for the recent cyber-attacks, in a discussion hosted by Georgetown University on Wednesday.

So far, though, President Donald Trump has said nothing, perhaps aware that his term in office is coming to an end just as it began, with questions about what he knew about Russian cyber-operations and when.

The National Security Agency has been largely silent, hiding behind the classification of the intelligence. Even the Cyber-security and Infrastructure Security Agency, the group within the Department of Homeland Security charged with defending critical networks, has been conspicuously quiet on the Russian mega hack.

Blumenthal's message on Twitter was the first official acknowledgement that Russia was behind the intrusion.

Curiously, the Russian attack barely featured as a footnote at a Senate Homeland Security and Governmental Affairs Committee hearing Wednesday, which featured testimony from Christopher Krebs, the cyber-security chief who was fired last month after refusing to back Trump's baseless claims of voter fraud.

The hack took place during Krebs' tenure as director of the Cyber-security and Infrastructure Security Agency, but senators did not ask him about it at the hearing, instead focusing on the hack that wasn't: baseless allegations of fraud in the November election.

Trump administration officials have acknowledged that several federal agencies - the State Department, the Department of Homeland Security, parts of the Pentagon as well as the Treasury and the Department of Commerce - had been compromised in the Russian hack.

But investigators are still struggling to determine the extent to which the military, intelligence community and nuclear laboratories were affected.

The hack is qualitatively different from the high profile hack-and-leak intrusions that the GRU, the Russian military intelligence division, has carried out in recent years. Those GRU intrusions, like the 2016 hack of the Democratic National Committee, were intended to be short term - to break in, steal information and make it public for a geopolitical impact.

The SVR, a stealthier secret-stealer believed to be behind the new hack, broke into the DNC systems too, and those of the State Department in 2015, but the intent was not to release the information they found or damage systems they entered. Instead it was hoping for long-term access, able to slowly monitor unclassified, but sensitive, government deliberations on a range of topics.

Inside banks and Fortune 500 companies, executives are also trying to understand the impact of the breach. Many use Orion, the network management tool made by the Austin, Texas-based company SolarWinds, which the hackers quietly bored into in order to carry out their intrusions.

Los Alamos National Laboratory, where nuclear weapons are designed, also uses it, as do major military contractors.

"How is this not a massive intelligence failure, particularly since we were supposedly all over Russian threat actors ahead of the election," Robert Knake, a senior Obama administration cyber-official, asked on Twitter on Wednesday.

"Did the NSA fall in a giant honey pot while the SVR" - Russia's most sophisticated spying agency - "quietly pillaged" the government and private industry?

Of course, the NSA is hardly all-seeing, even after placing its probes and beacons into networks around the world. But if there is a major investigation - and it is hard to imagine how one could be avoided - the responsibility of the agency, run by General Paul Nakasone, one of the nation's most experienced cyber-warriors, will be front and centre.

The SVR hackers took immense pains to hide their tracks, said the person briefed on the intrusion. They used American internet addresses, allowing them to conduct attacks from computers in the very city - or appearing so - in which their victims were based. They created special bits of code intended to avoid detection by American warning systems and timed their intrusions not to raise suspicions - working hours, for example - and used other careful tradecraft to avoid discovery.
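The tradecraft described above - in-country source addresses and activity confined to working hours - defeats the simplest kind of anomaly detection, which keys on off-hours logins and foreign geolocation. The following is an added illustration, not code from the original article, from SolarWinds or from any agency involved: it runs two detectors over a constructed authentication log. The user names, IP addresses (from documentation ranges), working-hours window and home country are all assumptions made for the example. The naive time-and-geography rule flags a night-time login and a travelling user but never sees the attacker's working-hours, US-sourced session; a rule that watches for a source address never before seen for that account does.

```python
from datetime import datetime

# Constructed authentication log (hypothetical; not real SolarWinds or agency logs).
# Format per line: local ISO timestamp | account | source IP | geolocated country.
# 2020-06-01 is a Monday. The 2020-06-03 10:31 event is the attacker: a US
# address, during working hours, but an address this account has never used.
SAMPLE_LOG = """\
2020-06-01T09:02:11|alice|192.0.2.10|US
2020-06-01T10:00:40|carol|192.0.2.12|US
2020-06-01T13:40:05|bob|192.0.2.11|US
2020-06-02T02:17:30|bob|192.0.2.11|US
2020-06-02T08:55:49|alice|192.0.2.10|US
2020-06-03T10:31:12|alice|198.51.100.23|US
2020-06-03T11:05:00|carol|203.0.113.5|GB
"""

WORK_START, WORK_END = 8, 18   # assumed local working-hours window (inclusive start, exclusive end)
HOME_COUNTRY = "US"            # assumed geolocation of the victim organisation


def parse_log(text):
    """Parse the pipe-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country = line.strip().split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "country": country})
    return events


def naive_flags(events):
    """Time-of-day / geography heuristic: flag logins outside working hours,
    at weekends, or from outside the home country. Returns (user, ip) pairs."""
    flagged = []
    for e in events:
        in_hours = WORK_START <= e["ts"].hour < WORK_END and e["ts"].weekday() < 5
        foreign = e["country"] != HOME_COUNTRY
        if not in_hours or foreign:
            flagged.append((e["user"], e["ip"]))
    return flagged


def new_source_flags(events, baseline_until_iso):
    """Per-account baseline of source addresses learned before baseline_until;
    after that, flag the first login of an account from an address not in its
    baseline. Returns (user, ip) pairs in chronological order."""
    baseline_until = datetime.fromisoformat(baseline_until_iso)
    seen = {}
    flagged = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        sources = seen.setdefault(e["user"], set())
        if e["ts"] < baseline_until:
            sources.add(e["ip"])      # learning phase: record normal sources
            continue
        if e["ip"] not in sources:
            flagged.append((e["user"], e["ip"]))
            sources.add(e["ip"])      # report each new source once
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("naive (off-hours / foreign):", naive_flags(evs))
    print("new source for account:    ", new_source_flags(evs, "2020-06-03T00:00:00"))
```

Run as a script it prints the two result lists: the naive rule reports bob's 02:17 login and carol's login from Britain and stays silent on alice's 198.51.100.23 session, while the new-source rule reports alice's session (and carol's, since her address is also new). The point is not that a first-seen-source rule is sufficient on its own, but that an adversary who deliberately matches your time zone and geography has to be caught on signals they cannot cheaply imitate, such as the history of the individual account.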

The intrusion, said the person briefed on the matter, shows that the weak point for the American government computer networks remains administrative systems, particularly ones that have a number of private companies working under contract.

The Russian spies found that by gaining access to these peripheral systems, they could make their way into more central parts of the government networks.

SolarWinds was a ripe target, former employees and advisers say, not only for the breadth and depth of its software, but for its own dubious security precautions.

The company did not have a chief information security officer, and internal emails shared with The New York Times showed that employees' passwords were leaking out on GitHub last year. Reuters earlier reported that a researcher informed the company last year that he had uncovered the password to SolarWinds' update mechanism - the vehicle through which 18,000 of its customers were compromised. The password was "solarwinds123."

Government officials have yet to acknowledge what the Russians were seeking or what they stole - and perhaps that has not been determined.

It is not yet certain whether the Russians got into the most classified networks. But even if they did not breach classified systems, experience shows that there is lots of highly sensitive data in places that do not have layers of classification.

That was the lesson of the Chinese hack of the Office of Personnel Management five years ago, during the Obama administration, when it turned out that the security-clearance files on 22.5 million Americans, and 5.6 million sets of fingerprints, were being stored on lightly protected computer systems in, of all places, the Department of the Interior.

They are now all in Beijing, after the files were spirited out without setting off alarms.

"An intrusion like this gives the Russians a rich target set," said Adam Darrah, a former government intelligence analyst, now director of intelligence at Vigilante, a security firm. "The SVR goes after these targets as a jumping-off point to more desirable targets like the CIA and NSA."
