President Donald Trump played down the SolarWinds breach and shifted blame to China in his first public remarks on a cyberattack that’s crippled numerous federal agencies.
“The Cyber Hack is far greater in the Fake News Media than in actuality,” Trump tweeted at 11:30 a.m. ET Saturday. “I have been fully briefed and everything is well under control. Russia, Russia, Russia is the priority chant when anything happens because Lamestream is, for mostly financial reasons, petrified of discussing the possibility that it may be China (it may!).”
Trump’s remarks around attribution contradict what Secretary of State Mike Pompeo said Friday in an interview with conservative talk radio program “The Mark Levin Show.”
“There was a significant effort to use a piece of third-party software to essentially embed code inside of U.S. Government systems and it now appears systems of private companies and companies and governments across the world as well,” Pompeo told Levin, according to a transcript produced by the State Department. “This was a very significant effort, and I think it’s the case that now we can say pretty clearly that it was the Russians that engaged in this activity.”
With his remarks, Pompeo became the first administration official to blame Russia for injecting malicious code into updates of the SolarWinds Orion network monitoring platform and using that to infiltrate U.S. government agencies, critical infrastructure entities and private firms. The U.S. Departments of Defense, State, Treasury, Energy, Homeland Security and Commerce have all been breached, Reuters reported.
The Washington Post was the first to attribute the SolarWinds attack to hackers affiliated with the Russian intelligence service, also known as APT29 or Cozy Bear, in an article Sunday. Then on Tuesday, U.S. Sen. Richard Blumenthal, D-Conn., backed the Post’s assertion, tweeting “Stunning. Today’s classified briefing on Russia’s cyberattack left me deeply alarmed, in fact downright scared.”
No cybersecurity vendors have formally attributed the months-long campaign to Russia yet. Microsoft President Brad Smith came the closest when he noted in a blog post Thursday that the malicious SolarWinds Orion updates reached organizations in “many major national capitals outside Russia.”
APT29 first made a name for itself by hacking the State Department and White House during the Obama years. The hacking group also compromised the Democratic National Committee servers in 2015 but didn’t end up leaking the hacked DNC material. Instead, the Russian military spy agency GRU separately hacked the DNC and leaked its emails to WikiLeaks in 2016, The Post said.
The Washington Post said that APT29 hacks for traditional espionage purposes, stealing secrets that can be useful for the Kremlin to understand the plans and motives of politicians and policymakers. Group members have stolen industrial secrets, hacked foreign ministries and, more recently, have attempted to steal coronavirus vaccine research, according to The Post.
FireEye put the Russia hacking campaign in the public consciousness Dec. 8 when the company disclosed that it was breached in an attack designed to gain information on some of the threat intelligence vendor’s government customers. The attacker was able to access some of FireEye’s internal systems but apparently didn’t exfiltrate data from the company’s primary systems that store customer information.
Then on Thursday, Reuters reported that Microsoft was compromised via SolarWinds, with suspected Russian hackers using Microsoft’s own products to further the attacks on other victims. Microsoft told CRN Thursday that Reuters’ sources are “misinformed or misinterpreting their information,” but acknowledged the software giant had “detected malicious SolarWinds binaries” in its environment.
On Friday afternoon, KrebsOnSecurity reported that a VMware vulnerability allowing federated authentication abuse and access to protected data was used by the SolarWinds hackers to attack high-value targets. VMware told CRN Friday that it had received no notification or indication that this vulnerability “was used in conjunction with the SolarWinds supply chain compromise.”
A couple of hours later, Bloomberg reported that internal machines used by Cisco researchers were targeted via SolarWinds, with roughly two dozen computers in a Cisco lab compromised through malicious Orion updates. The San Jose, Calif.-based networking giant told CRN its security team moved quickly to address the issue, and that there isn’t currently any known impact to Cisco offerings or products.