Written by Sean Lyngaas
President-elect Joe Biden said on Thursday he has instructed his advisers to learn as much as possible about a hacking campaign that’s roiled the U.S. government, as the investigators warned that the suspected Russian effort represented a “grave risk.”
In a statement, Biden pledged to “elevate cybersecurity as an imperative across the government,” following revelations about how hackers have exploited technology built by SolarWinds, a federal contractor, to worm their way into networks belonging to reported victims including the departments of Treasury, Commerce and Homeland Security.
“Our adversaries should know that, as President, I will not stand idly by in the face of cyber assaults on our nation,” Biden said in a statement.
The Department of Homeland Security also on Thursday released additional technical details on the hacking effort that the Washington Post has connected to a Russian intelligence agency, calling it a “grave risk” to federal and state networks and warning that the attackers have multiple ways of compromising organizations.
Public discussions of the hacking campaign have largely focused on the attackers’ compromise of SolarWinds software to infiltrate U.S. networks. DHS’s Cybersecurity and Infrastructure Security Agency now says the hackers aren’t relying solely on the SolarWinds backdoor for access.
“It is likely that the adversary has additional initial access vectors and tactics, techniques and procedures that have not yet been discovered,” CISA said in the government’s most detailed public analysis of the hacking campaign yet.
“This adversary has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks,” the agency said.
CISA did not identify the particular hacking group thought responsible, but the agency said it expects “removing this threat actor from compromised environments will be highly complex and challenging for organizations.”
The vulnerable SolarWinds software is also widely used among Fortune 500 companies in the private sector. Breaches of the organizations began as early as March, and the victims span government, critical infrastructure and private sector organizations, CISA said.
“This APT actor has demonstrated patience, operational security, and complex tradecraft in these intrusions,” the statement continued, using an acronym that refers to suspected government-linked hacking operations.
Federal investigators have briefed lawmakers, and the incoming Biden administration, on the gravity of the hacking campaign. A handful of officials, including Secretary of State Mike Pompeo and Sen. Richard Blumenthal, D-Conn., have implicated Russia in the hacking. The Kremlin has denied the allegations.
While the FBI investigates the breaches, lawmakers have begun their own investigation. House Democrats in charge of the Homeland Security and Oversight and Reform committees on Thursday wrote to the heads of the FBI and Department of Homeland Security, and the director of national intelligence, asking for “damage assessments” on the consequences of the hacking campaign for federal agencies. The lawmakers also said they expected to receive a classified briefing on the matter on Friday.
The consequences of the breaches are likely to be far-reaching, with current and former U.S. officials already reconsidering U.S. approaches to cyberdefense.