'Powerful tradecraft': how foreign cyber-spies compromised America

Christopher Bing, Joseph Menn, Raphael Satter and Jack Stubbs
Exterior view of SolarWinds headquarters in Austin


(Reuters) - Speaking at a private dinner for tech security executives at the St. Regis Hotel in San Francisco in late February, America's top cyber defense chief boasted how well his organizations protect the country from spies.

U.S. teams were “understanding the adversary better than the adversary understands themselves,” said General Paul Nakasone, boss of the National Security Agency (NSA) and U.S. Cyber Command, according to a Reuters reporter present at the Feb. 26 dinner. His speech has not been previously reported.

Yet even as he spoke, hackers were embedding malicious code into the network of a Texas software company called SolarWinds Corp, according to a timeline published by Microsoft and more than a dozen government and corporate cyber researchers.

A little over three weeks after that dinner, the hackers began a sweeping intelligence operation that has penetrated the heart of America’s government and numerous corporations and other institutions around the world.

The results of that operation came to light on Dec. 13, when Reuters reported that suspected Russian hackers had gained access to U.S. Treasury and Commerce Department emails. Since then, officials and researchers say they believe at least half-a-dozen U.S. government agencies have been infiltrated and thousands of companies infected with malware in what appears to be one of the biggest such hacks ever uncovered.

Secretary of State Mike Pompeo said on Friday Russia was behind the attack, calling it “a grave risk” to the United States. Russia has denied involvement.

Revelations of the attack come at a vulnerable time as the U.S. government grapples with a contentious presidential transition and a spiraling public health crisis. And it reflects a new level of sophistication and scale, hitting numerous federal agencies and threatening to inflict far more damage to public trust in America’s cybersecurity infrastructure than previous acts of digital espionage.

Much remains unknown -- including the motive or ultimate target.

Seven government officials have told Reuters they are largely in the dark about what information might have been stolen or manipulated -- or what it will take to undo the damage. The last known breach of U.S. federal systems by suspected Russian intelligence -- when hackers gained access to the unclassified email systems at the White House, the State Department and the Joint Chiefs of Staff in 2014 and 2015 -- took years to unwind.

U.S. President Donald Trump on Saturday downplayed the hack and Russia’s involvement, maintaining it was “under control” and that China could be responsible. He accused the "Fake News Media" of exaggerating its extent.

The NSC, however, acknowledged that a “significant cyber incident” had taken place. “There will be an appropriate response to those actors behind this conduct,” said NSC spokesman John Ullyot. He did not respond to a question on whether Trump had evidence of Chinese involvement in the attack.

Several government agencies, including the NSA and the Department of Homeland Security, have issued technical advisories on the situation. Nakasone and the NSA declined to comment for this story.

Lawmakers from both parties said they were struggling to get answers from the departments they oversee, including Treasury. One Senate staffer said his boss knew more about the attack from the media than the government.

'POWERFUL TRADECRAFT'

The hack first came into view last week, when U.S. cybersecurity firm FireEye Inc disclosed that it had itself been a victim of the very kind of cyberattack that clients pay it to prevent.

Publicly, the incident initially seemed mostly like an embarrassment for FireEye. But hacks of security firms are especially dangerous because their tools often reach deeply into the computer systems of their clients.

Days before the hack was revealed, FireEye researchers knew something troubling was afoot and contacted Microsoft Corp and the Federal Bureau of Investigation, three people involved in those communications told Reuters. Microsoft and the FBI declined to comment.

Their message: FireEye has been hit by an extraordinarily sophisticated cyber-espionage campaign carried out by a nation-state, and its own problems were likely just the tip of the iceberg.

About half a dozen researchers from FireEye and Microsoft set about investigating, said two sources familiar with the response effort. At the root of the problem, they found, was something that strikes dread in cybersecurity professionals: so-called supply-chain compromises, which in this case involved using software updates to install malware that can spy on systems, exfiltrate information and potentially wreak other types of havoc.

In 2017, Russian operatives used the technique to knock out private and government computer systems across Ukraine, after hiding a piece of malware known as NotPetya in a widely used accountancy program. Russia has denied that it was involved. The malware quickly infected computers in scores of other countries, crippling businesses and causing hundreds of millions of dollars of damage.

The latest U.S. hack employed a similar technique: SolarWinds said its software updates had been compromised and used to surreptitiously install malicious code in nearly 18,000 customer systems. Its Orion network management software is used by hundreds of thousands of organizations.

Once downloaded, the program signaled back to its operators where it had landed. In some cases where access was especially valuable, the hackers used it to deploy more active malicious software to spread across its host.

In some of the attacks, the intruders combined the administrator privileges granted to SolarWinds with Microsoft’s Azure cloud platform - which stores customers’ data online - to forge authentication "tokens." Those gave them far longer and wider access to emails and documents than many organizations thought was possible.

Hackers could then steal documents through Microsoft's Office 365, the online version of its most popular business software, the NSA said on Thursday in an unusual technical public advisory. Also on Thursday, Microsoft announced it found malicious code in its systems.

A separate advisory issued by the U.S. Cybersecurity and Infrastructure Security Agency on Dec. 17 said that the SolarWinds software was not the only vehicle being used in the attacks and that the same group had likely used other methods to implant malware.

"This is powerful tradecraft, and needs to be understood to defend important networks," Rob Joyce, a senior NSA cybersecurity adviser, said on Twitter.

It is unknown how or when SolarWinds was first compromised. According to researchers at Microsoft and other firms that have investigated the hack, intruders first began tampering with SolarWinds' code as early as October 2019, a few months before they were in a position to launch an attack.

“HARDENING OUR NETWORKS”

Pressure is growing on the White House to act.

Republican Senator Marco Rubio said "America must retaliate, and not just with sanctions." Mitt Romney, also a Republican, likened the attack to repeatedly allowing Russian bombers to fly undetected over America. Senator Dick Durbin, a Democrat, has called it "virtually a declaration of war."

Democratic lawmakers said they had received little information from the Trump administration beyond what’s in the media. "Their briefings were obtuse, sorely lacking in details and really seemed an attempt to provide us with the barest of minimum in information that they had to give us," Democratic Representative Debbie Wasserman Schultz told reporters after a classified briefing.

Ullyot, the National Security Council spokesman, declined to comment on the congressional briefings. The White House was “focused on investigating the circumstances surrounding this incident, and working with our interagency partners to mitigate the situation,” he said in a statement to Reuters.

President-elect Joe Biden has warned that his administration would impose "substantial costs" on those responsible. House of Representatives Intelligence Committee Chairman Adam Schiff, also a Democrat, said Biden “must make hardening our networks – both public and private infrastructure – a major priority.”

The attack puts a spotlight on those cyber defenses, reviving criticism that the U.S. intelligence agencies are more interested in offensive cyber operations than protecting government infrastructure.

"The attacker has the advantage over defenders. Decades worth of money, patents and effort have done nothing to change that," said Jason Healey, a cyber conflict researcher at Columbia University and former White House security official in the George W. Bush administration.

"Now we learn with the SolarWinds hack that if anything, the defenders are falling farther behind. The overriding priority must be to flip this, so that defenders have the easier time."

(Chris Bing and Raphael Satter reported from Washington. Jack Stubbs reported from London, and Joseph Menn reported from San Francisco. Additional reporting by Alexandra Alper. Writing by Jonathan Weber. Editing by Bill Rigby and Jason Szep)
