White House warns SolarWinds breach cleanup will take time

Written by

The White House has a message for America: it’s going to take a long time to sort through the fallout from the massive espionage operation spurred on by the SolarWinds breach uncovered late last year.

Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger stressed during a White House briefing Wednesday that the way the suspected Russian hackers infiltrated a SolarWinds network management software update with malicious code has made it more difficult for federal investigators to track down the details of the compromise.

“We believe it took them months to plan and execute this compromise. It will take us some time to uncover this layer by layer,” Neuberger said, estimating it will take a number of months for the U.S. government to get its hands around the issue properly. “Many of the private sector compromises are technology companies including networks of companies whose products can be used to launch other intrusions.”

Since FireEye uncovered the espionage campaign involving software built by SolarWinds, a federal contractor, last fall, the Biden administration has ordered a review of the breach. Federal government entities and numerous private sector companies have come forward week by week to acknowledge they have been compromised as part of the breach.

To date, nine federal agencies and approximately 100 private sector entities have been compromised, according to Neuberger.

The list of victims is only likely to grow, Neuberger warned, as the U.S. government continues to assess the full impact. Investigators will likely be uncovering other follow-up intrusions that stem from or are linked to the SolarWinds breach, Neuberger said.

“Due to the sophistication of the techniques that were used, we believe we’re at the beginning stages of understanding the scope and scale and we may find additional compromises, particularly given the technology companies that were compromised,” Neuberger said. “We have not ruled out potential additional activity,” she said, referring to data manipulation or deletion.

Private sector assessments of the breach in recent months have deemed the hackers were careful to mask their work from victims’ view to make any eventual removal and remediation efforts even more difficult. Neuberger noted Wednesday that the hackers specifically “focused on the identity part of the network, which is the hardest to clean up.”

As the U.S. intelligence community tracks down the full reach of the campaign, federal investigators are also still working to understand who exactly is responsible for it, according to Neuberger, who echoed a previous U.S. government assessment that the SolarWinds campaign is “likely” Russian in origin.

Not a one-off data breach

Neuberger stressed that the information security community should not be thinking about the operation as an isolated espionage incident, indicating the U.S. is on alert for potentially more disruptive activities.

“When there is a compromise of this scope and scale both across government and across the U.S. technology sector with these follow-on intrusions, it is more than a single incident of espionage. It’s fundamentally of concern for the ability of this to become disruptive,” Neuberger said, without going into details about what kinds of disruption could be at stake. “The scope and scale [of the threat], to networks and information, makes this more than an isolated case of espionage.”

While the hackers infiltrated a number of entities via the SolarWinds hack, a Reuters investigation revealed that suspected Chinese actors also leveraged a SolarWinds software flaw alongside the Russians to target a federal payroll entity, according to Reuters.

Part of the complexity of understanding the depths of the SolarWinds breach is that the hackers appear to have worked to conceal their activities from the U.S. intelligence community by working from within the country, Neuberger added.

“There’s a lack of domestic visibility. As a country we have chosen to have both privacy and security. The intelligence community largely has no visibility into private sector networks,” Neuberger said. “The hackers launched the hack from inside the United States which further made it difficult for the U.S. government to observe their activity.”

Neuberger indicated that current authorities and culture around breaches in the federal government will need to change to improve the way the federal government responds to breaches like this one, adding that the Biden administration is still considering possible responses to the breach.

President Joe Biden pressed Russian President Vladimir Putin on the SolarWinds breach during a phone call last month, according to the White House, but it was unclear what that amounted to in the end.

Russia has denied being involved in the operation.

The Biden administration also is expected to release an executive order in the coming days that will order a 100-day review of supply chain issues in the U.S., including those related to cyberattacks, according to Yahoo! News.