
US to Accuse China of Microsoft Hacking

WASHINGTON — The Biden administration on Monday is expected to formally accuse the Chinese government of breaching Microsoft email systems used by many of the world’s largest companies, governments and military contractors, according to a senior administration official. The United States is also set to organize a broad group of allies, including all NATO members, to condemn Beijing for cyberattacks around the world.

The official, who spoke on the condition of anonymity, added that the United States was expected to accuse China for the first time of paying criminal groups to conduct large-scale hackings, including ransomware attacks to extort companies for millions of dollars. Microsoft had pointed to hackers linked to the Chinese Ministry of State Security for exploiting holes in the company’s email systems in March; the U.S. announcement will offer details about the methods that were used, and it is the first suggestion that the Chinese government hired criminal groups to work on its behalf.

Condemnation from NATO and the European Union is unusual, because most of their member countries have been deeply reluctant to publicly criticize China, a major trading partner. But even Germany, whose companies were hit hard by the hacking of Microsoft Exchange — email systems that companies maintain on their own, rather than putting them in the cloud — cited the Chinese government for its work.

Despite the broadside, the announcement will lack concrete punitive steps against the Chinese government such as sanctions similar to ones that the White House imposed on Russia in April, when it blamed the country for the extensive SolarWinds attack that affected U.S. government agencies and more than 100 companies.

By imposing sanctions on Russia and organizing allies to condemn China, the Biden administration has delved deeper into a digital Cold War with its two main geopolitical adversaries than at any time in modern history.

While there is nothing new about digital espionage from Russia and China — and efforts by Washington to block it — the Biden administration has been surprisingly aggressive in calling out both countries and organizing a coordinated response.

But so far, it has not yet found the right mix of defensive and offensive actions to create effective deterrence, most outside experts say. And the Russians and the Chinese have grown bolder. The SolarWinds attack, one of the most sophisticated ever detected in the United States, was an effort by Russia’s lead intelligence service to alter code in widely used network-management software to gain access to more than 18,000 businesses, federal agencies and think tanks.

China’s effort was not as sophisticated, but it took advantage of a vulnerability that Microsoft had not discovered and used it to conduct espionage and undercut confidence in the security of systems that companies use for their primary communications. It took the Biden administration months to develop what officials say is “high confidence” that the hacking of the Microsoft email system was done at the behest of the Ministry of State Security, the senior administration official said, and abetted by private actors who had been hired by Chinese intelligence.

The hacking affected tens of thousands of systems, including military contractors.

The last time China was caught in such broad-scale surveillance was in 2014, when it stole more than 22 million security-clearance files from the Office of Personnel Management, allowing a deep understanding of the lives of Americans who are cleared to keep the nation’s secrets.

President Biden has promised to fortify the government, making cybersecurity a focus of his summit meeting in Geneva with President Vladimir V. Putin of Russia last month. But his administration has faced questions about how it will also address the growing threat from China, particularly after the public exposure of the Microsoft hacking.

Updated July 16, 2021, 7:55 p.m. ET

Speaking to reporters on Sunday, the senior administration official acknowledged that the public condemnation of China would only do so much to prevent future attacks.

“No one action can change China’s behavior in cyberspace,” the official said. “And neither could just one country acting on its own.”

But the decision not to impose sanctions on China was also telling: It was a step many allies would not agree to take.

Instead, the Biden administration settled on corralling enough allies to join the public denunciation of China to maximize pressure on Beijing to curtail the cyberattacks, the official said.

The joint statement criticizing China, to be issued by the United States, Australia, Britain, Canada, the European Union, Japan and New Zealand, is unusually broad. It is also the first such statement from NATO publicly targeting Beijing for cybercrimes.

The National Security Agency and the F.B.I. are expected to reveal more details on Monday about Chinese “tactics, techniques and procedures” in cyberspace, such as how Beijing contracts criminal groups to conduct attacks for the financial gain of its government, the official said.

The F.B.I. took an unusual step in the Microsoft hacking: In addition to investigating the attacks, the agency obtained a court order that allowed it to go into unpatched corporate systems and remove elements of code left by the Chinese hackers that could allow follow-up attacks. It was the first time that the F.B.I. acted to remediate an attack as well as investigate its perpetrators.


REvil, Hacking Group Behind Main Ransomware Assault, Disappears

The second theory is that Mr. Putin ordered the group’s websites to be removed. If so, it would be a gesture to heed Mr. Biden’s warning, which he had also expressed more generally when the two leaders met in Geneva on June 16. And it should only be a day or two before a US-Russian working group on the subject, set up during the Geneva meeting, is due to hold a virtual meeting.

A third theory is that REvil decided the heat was too intense and shut down the sites itself so as not to get caught in the crossfire between the American and Russian presidents. This is what another Russian group, DarkSide, did after the ransomware attack on Colonial Pipeline, the US company that had to shut down the pipeline that supplies gasoline and kerosene to much of the east coast in May after its computer network was breached.

However, many experts believe that DarkSide’s exit from the business was nothing more than digital theater and that all of the group’s major ransomware talents will be reassembling under a different name. If so, the same could happen to REvil, which Recorded Future, a Massachusetts-based cybersecurity firm, estimates is responsible for about a quarter of all sophisticated ransomware attacks on Western targets.

Allan Liska, a senior intelligence analyst at Recorded Future, said if REvil went missing, he doubted it was voluntary. “If anything, these guys are show-offs,” said Mr. Liska. “And we saw no notes, no showing off. It feels like they gave up everything under pressure.”

There were indications that the pressure may have come from Russia. Gen. Paul M. Nakasone, the commander of U.S. Cyber Command and director of the National Security Agency, was not expected to have a full set of options for U.S. action against ransomware actors until later this week, several officials said. And there was no evidence that REvil’s websites had been “seized” under a court order of the kind the Justice Department frequently publicizes.

Cyber Command declined to comment.

While closing REvil would give Mr. Putin and Mr. Biden an opportunity to show that they are facing the problem, it could also give ransomware actors a chance to get away with their profits. The big losers would be the companies and cities that do not get their encryption keys and may be locked out of their data forever. (When ransomware groups break up, they often release their decryption keys. That didn’t happen on Tuesday.)

Mr. Biden is expected to roll out a ransomware strategy in the coming weeks, after the Colonial Pipeline and other recent attacks showed how the crippling of critical infrastructure poses a major national security threat.

Preparing for Retaliation Against Russia, U.S. Confronts Hacking by China

In writings and conversations over the past four years, Mr. Sullivan has made it clear that he believes that traditional sanctions alone do not increase costs enough to force powers like Russia or China to talk about new rules for cyberspace.

However, government officials often fear that too strong a reaction could lead to escalation.

This is a particular problem with the Russian and Chinese attacks, in which both countries have clearly planted “back doors” in American systems that could be used for more destructive purposes.

American officials publicly say current evidence suggests that Russia’s intent in the SolarWinds attack was merely data theft. But several senior officials, who did not advocate an attribution, said they believed the size, scope, and cost of the operation suggested the Russians may have had much broader motives.

“I’m impressed with how many of these attacks undermine trust in our systems,” said Burt. “Just as there are efforts to get the country to distrust the electoral infrastructure, which is a central part of our democracy.”

Russia broke into the Democratic National Committee and state voter registration systems in 2016, mainly by guessing or obtaining passwords. When they hacked SolarWinds, however, they used a far more sophisticated technique, inserting code into the company’s software updates and riding those updates deep into about 18,000 systems that used the network management software. Once inside, the Russians had high-level access to the systems with no passwords required.

Similarly, four years ago, a large majority of the Chinese government’s hacker attacks were carried out through email spear phishing campaigns. In recent years, China’s military hacking divisions have formed a new strategic support group, similar to the Pentagon’s Cyber Command. Some of the key hacking operations are carried out by the more secretive Ministry of State Security, China’s premier intelligence agency, which maintains a satellite network of contractors.

Beijing also began hoarding so-called zero days, bugs in the code that are unknown to software providers and for which there is no patch.


As Understanding of Russian Hacking Grows, So Does Alarm

On Election Day, General Paul M. Nakasone, the nation’s top cyberwarrior, reported that the battle against Russian interference in the presidential campaign had posted major successes and exposed the other side’s online weapons, tools and tradecraft.

“We’ve broadened our operations and feel very good where we’re at right now,” he told journalists.

Eight weeks later, General Nakasone and other American officials responsible for cybersecurity are now consumed by what they missed for at least nine months: a hacking, now believed to have affected upward of 250 federal agencies and businesses, that Russia aimed not at the election system but at the rest of the United States government and many large American corporations.

Three weeks after the intrusion came to light, American officials are still trying to understand whether what the Russians pulled off was simply an espionage operation inside the systems of the American bureaucracy or something more sinister, inserting “backdoor” access into government agencies, major corporations, the electric grid and laboratories developing and transporting new generations of nuclear weapons.

At a minimum it has set off alarms about the vulnerability of government and private sector networks in the United States to attack and raised questions about how and why the nation’s cyberdefenses failed so spectacularly.

Those questions have taken on particular urgency given that the breach was not detected by any of the government agencies that share responsibility for cyberdefense — the military’s Cyber Command and the National Security Agency, both of which are run by General Nakasone, and the Department of Homeland Security — but by a private cybersecurity company, FireEye.

“This is looking much, much worse than I first feared,” said Senator Mark Warner, Democrat of Virginia and the ranking member of the Senate Intelligence Committee. “The size of it keeps expanding. It’s clear the United States government missed it.”

“And if FireEye had not come forward,” he added, “I’m not sure we would be fully aware of it to this day.”

Interviews with key players investigating what intelligence agencies believe to be an operation by Russia’s S.V.R. intelligence service revealed these points:

  • The breach is far broader than first believed. Initial estimates were that Russia sent its probes only into a few dozen of the 18,000 government and private networks they gained access to when they inserted code into network management software made by a Texas company named SolarWinds. But as businesses like Amazon and Microsoft that provide cloud services dig deeper for evidence, it now appears Russia exploited multiple layers of the supply chain to gain access to as many as 250 networks.

  • The hackers managed their intrusion from servers inside the United States, exploiting legal prohibitions that bar the National Security Agency from engaging in domestic surveillance and eluding cyberdefenses deployed by the Department of Homeland Security.

  • “Early warning” sensors placed by Cyber Command and the National Security Agency deep inside foreign networks to detect brewing attacks clearly failed. There is also no indication yet that any human intelligence alerted the United States to the hacking.

  • The government’s emphasis on election defense, while critical in 2020, may have diverted resources and attention from long-brewing problems like protecting the “supply chain” of software. In the private sector, too, companies that were focused on election security, like FireEye and Microsoft, are now revealing that they were breached as part of the larger supply chain attack.

  • SolarWinds, the company that the hackers used as a conduit for their attacks, had a history of lackluster security for its products, making it an easy target, according to current and former employees and government investigators. Its chief executive, Kevin B. Thompson, who is leaving his job after 11 years, has sidestepped the question of whether his company should have detected the intrusion.

  • Some of the compromised SolarWinds software was engineered in Eastern Europe, and American investigators are now examining whether the incursion originated there, where Russian intelligence operatives are deeply rooted.

The intentions behind the attack remain shrouded. But with a new administration taking office in three weeks, some analysts say the Russians may be trying to shake Washington’s confidence in the security of its communications and demonstrate their cyberarsenal to gain leverage against President-elect Joseph R. Biden Jr. before nuclear arms talks.

“We still don’t know what Russia’s strategic objectives were,” said Suzanne Spaulding, who was the senior cyberofficial at the Homeland Security Department during the Obama administration. “But we should be concerned that part of this may go beyond reconnaissance. Their goal may be to put themselves in a position to have leverage over the new administration, like holding a gun to our head to deter us from acting to counter Putin.”

The U.S. government was clearly the main focus of the attack, with the Treasury Department, the State Department, the Commerce Department, the Energy Department and parts of the Pentagon among the agencies confirmed to have been infiltrated. (The Defense Department insists the attacks on its systems were unsuccessful, though it has offered no evidence.)

But the hacking also breached large numbers of corporations, many of which have yet to step forward. SolarWinds is believed to be one of several supply chain vendors Russia used in the hacking. Microsoft, which had tallied 40 victims as of Dec. 17, initially said that it had not been breached, only to discover this week that it had been — and that resellers of its software had been, too. A previously unreported assessment by Amazon’s intelligence team found the number of victims may have been five times greater, though officials warn some of those may be double counted.

Publicly, officials have said they do not believe the hackers from Russia’s S.V.R. pierced classified systems containing sensitive communications and plans. But privately, officials say they still do not have a clear picture of what might have been stolen.

They said they worried about delicate but unclassified data the hackers might have taken from victims like the Federal Energy Regulatory Commission, including Black Start, the detailed technical blueprints for how the United States plans to restore power in the event of a cataclysmic blackout.

The plans would give Russia a hit list of systems to target to keep power from being restored in an attack like the one it pulled off in Ukraine in 2015, shutting off power for six hours in the dead of winter. Moscow long ago implanted malware in the American electric grid, and the United States has done the same to Russia as a deterrent.

One main focus of the investigation so far has been SolarWinds, the company based in Austin whose software updates the hackers compromised.

But the cybersecurity arm of the Department of Homeland Security concluded the hackers worked through other channels, too. And last week, CrowdStrike, another security company, revealed that it was also targeted, unsuccessfully, by the same hackers, but through a company that resells Microsoft software.

Because resellers are often entrusted to set up clients’ software, they — like SolarWinds — have broad access to Microsoft customers’ networks. As a result, they can be an ideal Trojan horse for Russia’s hackers. Intelligence officials have expressed anger that Microsoft did not detect the attack earlier; the company, which said Thursday that the hackers viewed its source code, has not disclosed which of its products were affected or for how long hackers were inside its network.

“They targeted the weakest points in the supply chain and through our most trusted relationships,” said Glenn Chisholm, a founder of Obsidian Security.

Interviews with current and former employees of SolarWinds suggest it was slow to make security a priority, even as its software was adopted by America’s premier cybersecurity company and federal agencies.

Employees say that under Mr. Thompson, an accountant by training and a former chief financial officer, every part of the business was examined for cost savings and common security practices were eschewed because of their expense. His approach helped almost triple SolarWinds’ annual profit margins to more than $453 million in 2019 from $152 million in 2010.

But some of those measures may have put the company and its customers at greater risk for attack. SolarWinds moved much of its engineering to satellite offices in the Czech Republic, Poland and Belarus, where engineers had broad access to the Orion network management software that Russia’s agents compromised.

The company has said only that the manipulation of its software was the work of human hackers rather than of a computer program. It has not publicly addressed the possibility of an insider being involved in the breach.

None of the SolarWinds customers contacted by The New York Times in recent weeks were aware they were reliant on software that was maintained in Eastern Europe. Many said they did not even know they were using SolarWinds software until recently.

Even with its software installed throughout federal networks, employees said SolarWinds tacked on security only in 2017, under threat of penalty from a new European privacy law. Only then, employees say, did SolarWinds hire its first chief information officer and install a vice president of “security architecture.”

Ian Thornton-Trump, a former cybersecurity adviser at SolarWinds, said he warned management that year that unless it took a more proactive approach to its internal security, a cybersecurity episode would be “catastrophic.” After his basic recommendations were ignored, Mr. Thornton-Trump left the company.

SolarWinds declined to address questions about the adequacy of its security. In a statement, it said it was a “victim of a highly-sophisticated, complex and targeted cyberattack” and was collaborating closely with law enforcement, intelligence agencies and security experts to investigate.

But security experts note that it took days after the Russian attack was discovered before SolarWinds’ websites stopped offering clients compromised code.

Billions of dollars in cybersecurity budgets have flowed in recent years to offensive espionage and pre-emptive action programs, what General Nakasone calls the need to “defend forward” by hacking into adversaries’ networks to get an early look at their operations and to counteract them inside their own networks, before they can attack, if required.

But that approach, while hailed as a long-overdue strategy to pre-empt attacks, missed the Russian breach.

By staging their attacks from servers inside the United States, in some cases using computers in the same town or city as their victims, according to FireEye, the Russians took advantage of limits on the National Security Agency’s authority. Congress has not given the agency or homeland security any authority to enter or defend private sector networks. It was on these networks that S.V.R. operatives were less careful, leaving clues about their intrusions that FireEye was ultimately able to find.

By inserting themselves into the SolarWinds’ Orion update and using custom tools, they also avoided tripping the alarms of the “Einstein” detection system that homeland security deployed across government agencies to catch known malware, and the so-called C.D.M. program that was explicitly devised to alert agencies to suspicious activity.

Some intelligence officials are questioning whether the government was so focused on election interference that it created openings elsewhere.

Intelligence agencies concluded months ago that Russia had determined it could not infiltrate enough election systems to affect the outcome of elections, and instead shifted its attention to deflecting ransomware attacks that could disenfranchise voters, and influence operations aimed at sowing discord, stoking doubt about the system’s integrity and changing voters’ minds.

The SolarWinds hacking, which began as early as October 2019, and the intrusion into Microsoft’s resellers, gave Russia a chance to attack the most vulnerable, least defended networks across multiple federal agencies.

General Nakasone declined to be interviewed. But a spokesman for the National Security Agency, Charles K. Stadtlander, said: “We don’t consider this as an ‘either/or’ trade-off. The actions, insights and new frameworks constructed during election security efforts have broad positive impacts for the cybersecurity posture of the nation and the U.S. government.”

In fact, the United States appears to have succeeded in persuading Russia that an attack aimed at changing votes would prompt a costly retaliation. But as the scale of the intrusion comes into focus, it is clear the American government failed to convince Russia there would be a comparable consequence to executing a broad hacking on federal government and corporate networks.

Intelligence officials say it could be months, years even, before they have a full understanding of the hacking.

Since the extraction of a top Kremlin informant in 2017, the C.I.A.’s knowledge of Russian operations has been diminished. And the S.V.R. has remained one of the world’s most capable intelligence services by avoiding electronic communications that could expose its secrets to the National Security Agency, intelligence officials say.

The best assessments of the S.V.R. have come from the Dutch. In 2014, hackers working for the Dutch General Intelligence and Security Service pierced the computers used by the group, watching them for at least a year, and at one point catching them on camera.

It was the Dutch who helped alert the White House and State Department to an S.V.R. hacking of their systems in 2014 and 2015, and last month, they caught and expelled from the Netherlands two S.V.R. operatives accused of infiltrating technology companies there. While the group is not known to be destructive, it is notoriously difficult to evict from computer systems it has infiltrated.

When the S.V.R. broke into the unclassified systems at the State Department and White House, Richard Ledgett, then the deputy director of the National Security Agency, said the agency engaged in the digital equivalent of “hand-to-hand combat.” At one point, the S.V.R. gained access to the NetWitness Investigator tool that investigators use to uproot Russian back doors, manipulating it in such a way that the hackers continued to evade detection.

Investigators said they would assume they had kicked out the S.V.R., only to discover the group had crawled in through another door.

Some security experts said that ridding so many sprawling federal agencies of the S.V.R. may be futile and that the only way forward may be to shut systems down and start anew. Others said doing so in the middle of a pandemic would be prohibitively expensive and time-consuming, and the new administration would have to work to identify and contain every compromised system before it could calibrate a response.

“The S.V.R. is deliberate, they are sophisticated, and they don’t have the same legal restraints as we do here in the West,” said Adam Darrah, a former government intelligence analyst who is now director of intelligence at Vigilante, a security firm.

Sanctions, indictments and other measures, he added, have failed to deter the S.V.R., which has shown it can adapt quickly.

“They are watching us very closely right now,” Mr. Darrah said. “And they will pivot accordingly.”

Treasury Department’s Senior Leaders Were Targeted by Russian Hacking

But on Monday there was no public statement attributing the hacking to Russia, possibly reflecting Mr. Trump’s reluctance to confront Moscow on the matter and the doubts he has expressed about the gravity of the attack.

According to a senior administration official, the meeting was meant to “take stock of the information, investigations and actions taken to remediate the attack.” Nothing in that description suggested preparations to impose costs on the attacker. Mr. Trump did not attend the meeting.

Both President-elect Joseph R. Biden Jr. and his incoming chief of staff, Ron Klain, have said in recent days that the response once they take office would go beyond sanctions to undermine the aggressor’s abilities. But Mr. Biden is likely to find that the government’s response options are limited by the fear of escalation.

The list of attendees at the meeting was noteworthy as it gave clues as to which parts of the government may have been affected. White House officials said Treasury Secretary Steven Mnuchin, Secretary of Commerce Wilbur Ross, Acting Homeland Security Secretary Chad F. Wolf and Secretary of Energy Dan Brouillette were in attendance. All of these agencies have previously been identified as targets of hacking by news organizations.

John Ratcliffe, the director of national intelligence, attended the meeting, as did Gina Haspel, the C.I.A. director, and General Paul M. Nakasone, the director of the National Security Agency and commander of United States Cyber Command. Secretary of State Mike Pompeo, who became the first senior official to acknowledge that Russia was the most likely source of the attack before being undercut by Mr. Trump, did not attend. His deputy, Stephen E. Biegun, stood in for him.

General Nakasone, a veteran cyber warrior responsible for defending the national security systems, has been silent since the hacking was exposed. It was extremely embarrassing for the N.S.A. and Cyber Command that a private company, FireEye, was the first to alert the government that it had been hacked.

According to the details released by Wyden, after using the SolarWinds software update to break into Treasury’s systems, the Russian hackers performed a complex step in the Microsoft Office 365 system to create an encrypted “token” that identifies a computer for the larger network.

More Hacking Attacks Found, Officials Warn of Risk to U.S. Government

President Trump has not yet said anything about the attack.

Microsoft reiterated the government’s warning, announcing on Thursday that it had identified at least 40 companies, government agencies and think tanks that the suspected Russian hackers had infiltrated. Nearly half are private technology firms, Microsoft said, many of them cybersecurity firms like FireEye, tasked with securing large swaths of the public and private sectors.

“It’s early days, but we have already identified 40 victims – more than anyone else has reported – and believe the number should increase significantly,” said Brad Smith, President of Microsoft, in an interview on Thursday. “There are more non-government victims than government victims, with an emphasis on IT companies, especially in the security industry.”

The Department of Energy and its National Nuclear Security Administration, which maintains the U.S. nuclear stockpile, were compromised as part of the larger attack. However, the investigation found that the hack had no impact on mission-essential national security functions, Shaylyn Hynes, a Department of Energy spokeswoman, said in a statement.

“At this point, the investigation has shown that the malware was isolated to business networks only,” said Ms. Hynes. The nuclear agency hack was previously reported by Politico.

Officials have not yet publicly named the attacker responsible, but intelligence agencies have told Congress that they believe this was done by the SVR, an elite Russian intelligence agency. A Microsoft heat map of infections shows that the vast majority – 80 percent – are in the US, while Russia has no infections at all.