• alhglobalanalyst

CTG Weekly Security Brief Russian Hackers Attack U.S. Govt

Updated: Dec 26, 2020

Week of 12/14/2020 | Issue 1

Team: Behavior/Leadership

Name: Krystel von Kumberg

Date: 12/17/2020

Location: USA

Parties involved: USA; Russia; government agencies; think tanks; non-governmental organizations; IT companies; Global; Canada; Mexico; Belgium; Spain; United Kingdom; Israel; United Arab Emirates

The event: State-sponsored hackers suspected to be working for Russia added malicious code to software updates for an IT product used across the federal government, using that code to open doors into agency networks and a sophisticated technique to access federal workers’ emails. However, in some cases, victims appeared to have been breached despite never using the problematic software. The breaches appear to have begun between March and June, when the hackers compromised the software company SolarWinds, which sells IT management products to hundreds of government and private-sector clients, including federal agencies and Fortune 500 companies. US media reports said the FBI was investigating a group working for the Russian foreign intelligence service, SVR. The SVR unit, known as “Cozy Bear,” was one of the teams that hacked the Democratic National Committee during the 2016 election. It was reported that hackers gained access to the Treasury and an agency of the Commerce Department on Sunday. The hacks were linked to an attack last week on the cybersecurity firm FireEye, which said its own defenses were breached by sophisticated attackers who stole tools used to test customers' computer systems. The cyber campaign created a deepening crisis on Monday as the scope of the intruders’ reach expanded to the Department of Homeland Security, the State Department, and the National Institutes of Health. Moreover, the Department of Energy (DOE) and the National Nuclear Security Administration (NNSA), which maintains the U.S. nuclear weapons stockpile, have evidence that hackers accessed their networks as part of an extensive espionage operation that has affected at least half a dozen federal agencies. On Thursday, December 17th, DOE and NNSA officials began coordinating notifications about the breach to their congressional oversight bodies after being briefed by Rocky Campione, the chief information officer at DOE.
They found suspicious activity in networks belonging to the Federal Energy Regulatory Commission (FERC), Sandia and Los Alamos national laboratories in New Mexico and Washington, the Office of Secure Transportation at NNSA, and the Richland Field Office of the DOE. The hackers have been able to do more damage at FERC than the other agencies with evidence of highly malicious activity.

The implications:

  • "This is probably going to be one of the most consequential cyberattacks in U.S. history,” one U.S. official said after the National Security Council held its second meeting in three days about the attacks. “That's the view from inside the government — that we're dealing with something of a scale that I don't think we've had to deal with before."[1] The implications of this series of attacks are largely unknown at this moment in time, but it is likely to be called the cyber Pearl Harbor because of its scale and its extensive reach into a great variety of both government and private entities.

  • "At this point, the investigation has found that the malware has been isolated to business networks only, and has not impacted the mission-essential national security functions of the department, including the National Nuclear Security Administration.” Additionally, “when DOE identified vulnerable software, immediate action was taken to mitigate the risk, and all software identified as being vulnerable to this attack was disconnected from the DOE network,” Shaylyn Hynes said in a statement.[2] It is unclear whether such statements can help mitigate the damage to public perception concerning the lack of cyber defense mechanisms put in place to counter foreign interference, or offset the advantage that foreign and malicious actors may have gained over the national security structure of the United States and its partners as a result of this breach.

  • CISA, an arm of the Department of Homeland Security, has been without a permanent leader since President Trump fired its widely respected director, Chris Krebs, in mid-November. This has led government officials to doubt the agency's ability to deal with this problem and to question whether it has the staffing and tools to help the rest of the executive branch respond to this cyberespionage incident. This uncertainty is amplified by the fact that no one seems to have seen this attack coming, and that the response from CISA, as well as from the President, appears to lack an effective or cohesive strategy. It is important to note that the President has yet to make a statement about these attacks.

  • There are fears that the attack on the Federal Energy Regulatory Commission may have been part of a plan to disrupt the nation's bulk electric grid. “FERC does not directly manage any power flows, but it does store sensitive data on the grid that could be used to identify the most disruptive locations for future attacks.”[3] The perceived threat of a critical infrastructure attack is therefore high and the long-term consequences of this attack are extremely severe, as this vital information can certainly be used to carry out malicious attacks in the future.

  • The list of victims of cyberespionage is expected to grow and to include even more federal agencies and a number of private companies. Microsoft, which has helped respond to the breach, revealed late Thursday that it had identified more than 40 government agencies, think tanks, non-governmental organizations, and IT companies infiltrated by these hackers. It said four in five were in the United States — nearly half of the tech companies — with victims also in Canada, Mexico, Belgium, Spain, the United Kingdom, Israel, and the United Arab Emirates. “This is not ‘espionage as usual,’ even in the digital age. Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world,” Microsoft reported.[4]

  • Cyber defense capabilities need to be boosted; combating vulnerabilities and disrupting and deterring attacks before they can happen is key. Several sources have said that the US government was unaware of the breach until the end of last week, or until CISA went public on Sunday night, which has prompted and will certainly continue to prompt concerns about how the hackers evaded detection by multiple agencies for so many months (although the exact period of time is still being investigated).[5]

  • Tom Kellermann, cybersecurity strategy chief of the software company VMware, said the hackers are now “omniscient to the operations” of federal agencies they’ve infiltrated “and there is a viable concern that they might leverage destructive attacks within these agencies” now that they’ve been discovered.[6] It is highly likely that this cyberespionage-style attack will prove invaluable to the malign states and actors involved because of the vast amount of information collected. Rather than being devastating in the short term, however, the large scale of the attack likely means that the information gathered will not be immediately useful, because it still has to be analysed and verified; it is more likely to be weaponized in the future, with potentially devastating long-term effects.

[1] 'Massively disruptive' cyber crisis engulfs multiple agencies, Politico, October 14, 2020.

[2] DOE Update on Cyber Incident Related to Solar Winds Compromise, Department of Energy, October 18, 2020.

[3] Nuclear weapons agency breached amid massive cyber onslaught, Politico, October 17, 2020.

[4] Hack against US is ‘grave’ threat, cybersecurity agency says, APNews, October 17, 2020.

[5] US cybersecurity agency warns suspected Russian hacking campaign broader than previously believed, CNN, October 17, 2020.

[6] Ibid.

© The Counterterrorism Group (CTG) - 2020 - This website and all of its contents are copyrighted by The Counterterrorism Group, Inc. 2020. Any use, reproduction or duplication of the contents of this website without the express written permission of The Counterterrorism Group (CTG) is strictly prohibited.
