Some of America’s most deeply held institutional secrets may have been stolen in a large hacking operation being blamed on elite Russian government operatives.
Intrigue surrounds what may have been exposed, from nuclear secrets to Covid-19 vaccine data to next-generation weapons systems.
On Sunday, the Texas company SolarWinds alerted thousands of customers that an “outside nation state” had found a back door into software tool utilized by some of the biggest government agencies and companies in the United States.
These hackers are consummate professionals at covering their tracks, experts said. Some theft may never be detected.
But the campaign – which cybersecurity experts said exhibits the tactics and techniques of Russia’s SVR foreign intelligence agency – will rank among the most prolific in the annals of cyberespionage.
US government agencies, including the treasury and commerce departments, were among dozens of high-value public and private sector targets known to have been infiltrated as far back as March through a commercial software update distributed to thousands of SolarWinds clients worldwide.
A US government statement indicated the Pentagon used the software. It said it had “issued guidance and directives to protect” its networks. It would not say – for “operational security reasons” – whether any of its systems may have been hacked.
The acting defense secretary, Chris Miller, told CBS News on Tuesday there was so far no evidence of compromise.
In the months since the update went out, the hackers carefully exfiltrated data, often encrypting it so it wasn’t clear what was being taken, and making sophisticated efforts at covering their tracks.
Thomas Rid, a Johns Hopkins University cyber conflict expert, said the campaign’s likely efficacy can be compared to Russia’s three-year 1990s “Moonlight Maze” hacking of US government targets, including Nasa and the Pentagon.
A US investigation determined the height of the documents stolen – if printed out and piled up – would be three times the height of the Washington Monument in the nation’s capital.
In this case “several Washington Monument piles of documents that they took from different government agencies is probably a realistic estimate”, Rid said. “How would they use that? They themselves most likely don’t know yet.”
The Trump administration has not put out details of agencies were hacked. And so far no private-sector victims have come forward. Traditionally, defense contractors and telecommunications companies have been popular targets with state-backed cyber spies, Rid said.
Intelligence agents generally seek the latest on weapons technologies and missile defense systems, and develop dossiers on rival government employees, potentially for recruitment as spies.