Officials also are developing defensive measures aimed at making it harder for Russia and other sophisticated adversaries to compromise federal and private-sector computer networks, said the officials, several of whom spoke on the condition of anonymity because of the matter’s sensitivity.
Part of the administration’s response, too, will be an attribution statement stronger than the one the intelligence community released in January saying that Moscow was “likely” to have been behind the SolarWinds operation. A White House official said last week that the Russian campaign hit nine U.S. government agencies and about 100 private companies.
But the aim of the various measures, officials said, is to convey a broader message that the Kremlin for years has used cyber tools to carry out an array of actions hostile to the interests of the United States and its allies: interfering in elections, targeting coronavirus vaccine research and creating a permissive atmosphere for criminal hackers who, among their activities, have run ransomware botnets that have disrupted U.S. public health facilities.
In a speech to the Munich Security Conference last week, President Biden said that “addressing . . . Russian recklessness and hacking into computer networks in the United States and across Europe and the world has become critical to protecting our collective security.”
National security adviser Jake Sullivan said Sunday that the response, expected in the coming weeks, “will include a mix of tools seen and unseen, and it will not simply be sanctions.” The bottom line, he told CBS’s “Face the Nation,” is that “we will ensure that Russia understands where the United States draws the line on this kind of activity.”
The administration also is working on an executive order to improve the Department of Homeland Security’s ability to ensure the resilience of government networks. Part of that is deploying a new technology, a senior administration official said, that gives the department’s Cybersecurity and Infrastructure Security Agency (CISA) “visibility” into networks that was missing during the SolarWinds hacks.
“You can’t defend against something you can’t see,” the official said in an interview.
The punishment for the hacks is intended to be part of broader measures aimed at holding Moscow accountable for other actions, such as its use of a banned chemical weapon against anti-corruption activist Alexei Navalny.
Politico on Monday reported on the administration’s plan to impose sanctions for the poisoning and jailing of Navalny, in coordination with European allies. On Monday Secretary of State Antony Blinken welcomed the European Union’s decision to sanction Russia in response to actions taken against Navalny and his supporters.
The government in January characterized the SolarWinds operation as “an intelligence-gathering effort.” Espionage is an activity the United States and virtually every other country conducts against adversaries — and even allies. But senior Biden administration officials have said they view the Russian activity as more than just classic espionage.
Last week, Anne Neuberger, deputy national security adviser for cyber and emerging technology, said at a news briefing that “when there is a compromise of this scope and scale, both across government and across the U.S. technology sector . . . it’s more than a single incident of espionage. It’s fundamentally of concern for the ability for this to become disruptive” — damaging computers or undermining their operation.
What’s notable about these breaches is they were enabled by the Russians’ hacking software used in the victims’ networks — what is known as a “supply chain” attack.
For instance, some of the victims had downloaded contaminated software updates from the Texas company SolarWinds, which was the Russians’ initial steppingstone into their computers. About 18,000 entities worldwide received the updates. But only a fraction were compromised. The Russians designed the operation so they could choose which recipients to victimize. Those they chose to ignore received a “kill switch” disabling the malware.
Some U.S. officials argue privately that that feature — the selective targeting and disabling of the malware — made the campaign “discriminate” and not as alarming as an attack that compromised every person whose computer downloaded the contaminated update.
But the senior administration official viewed it differently. “We’re seeing that this kind of broad, indiscriminate compromise, and the access that it enabled the hackers to have, crosses a line of concern to us because it can be turned to be disruptive so quickly,” the official said. “So, at its centrality, it is destabilizing.”
Interfering with the supply chain is concerning, said Trey Herr, director of the Atlantic Council’s Cyber Statecraft Initiative, if only because it undermines customer confidence in the integrity of the software supplier and may lead consumers to distrust software updates that are important to patching vulnerabilities.
Herr stressed that the United States must accept responsibility for not securing its software supply chain. “This is huge egg on the face of the U.S. cybersecurity establishment — both public and private sector,” he said. “It’s not shame on the Russians. It’s shame on us.”
Others also counseled restraint. When it comes to cyberspying, said Fiona Hill, a former deputy assistant to President Donald Trump and former senior director for Russia at the National Security Council, the best offense is a good defense. “There’s a huge risk if we say we’re going to take action through cyber-retaliation,” Hill said. “If you do tit-for-tat vengeance, you always risk getting in a cycle.’’
Paul R. Kolbe, a former chief of the CIA’s Russia operations, said sanctions against Russia have generally been ineffective. “It gives us the satisfaction of having taken some action and sends a signal of displeasure,” he said. “But I’m hard-pressed to find a single act that we’ve sanctioned Russia for that’s actually changed its behavior.”
The Washington Post reported in December that intelligence officials think the SVR, Moscow’s foreign intelligence service, carried out the intrusions, but the administration has not decided whether to say that publicly.
Some intelligence officials were pushing for a stronger attribution before the change of administrations last month, but White House officials, wary of angering Trump, who publicly played down the notion that Moscow carried out the hacks, softened the attribution to “likely,” said several people familiar with the matter.
Biden has ordered the intelligence community to provide an assessment of the breaches. Last week, Neuberger said the government found that computer systems at nine federal agencies were compromised. She did not name them, but The Post has confirmed the identities with U.S. officials. They include NASA and the Federal Aviation Administration, which have not previously been publicly identified.
The Transportation Department, which houses the FAA, and NASA did not dispute that they were compromised. A spokesman for the Transportation Department said it is “continuing to investigate and look into the [FAA] situation.” A NASA spokeswoman said the agency is continuing to work with CISA on “mitigation efforts to secure NASA’s data and network.”
The seven other agencies are the Departments of State, Justice, Treasury, Energy, Commerce and Homeland Security, as well as the National Institutes of Health (part of the Department of Health and Human Services). In all cases, officials said, the data stolen was unclassified and no operational systems were breached.
“Our general assumption is this was designed to be a long-term operation, low and slow, targeting very few accounts in each individual agency and being selective about the exfiltration so as to avoid detection,” a second U.S. official said.
In some ways, SolarWinds is a misnomer for the campaign. The Russians hacked other companies’ software to gain access to victims’ networks. They compromised the email security firm Mimecast as well as a Microsoft corporate partner that handles cloud-access services. And they broke into two federal agencies using “brute force” password cracking, or algorithms that guess passwords, officials said.
The SVR hacked the State Department, the White House and the Joint Chiefs of Staff unclassified networks in 2014 and 2015. But that operation was “noisier,” using phishing emails that were easier to detect, said Dmitri Alperovitch, founder of the Silverado Policy Accelerator and a cybersecurity expert who investigated the earlier hacks.
“Ultimately, those campaigns — at least against those high-priority targets — weren’t very successful, because the intruders were quickly discovered and ejected,” he said. “I believe that realization drove them to the supply-chain model — to get into victims’ networks through third-party suppliers.”
John Hudson, Ian Duncan, Dan Diamond and Christian Davenport contributed to this report.