WASHINGTON - The Biden administration is preparing sanctions and other measures to punish Moscow for actions that go beyond the sprawling SolarWinds cyber espionage campaign to include a range of malign cyber activity and the near-fatal poisoning of a Russian opposition leader, said U.S. officials familiar with the matter.
The administration is casting the SolarWinds operation, which hacked government agencies and private companies, as “indiscriminate” and potentially “disruptive.” That would allow officials to claim that the Russian hacking was not equivalent to the kind of espionage the U.S. also conducts, and to sanction those responsible for the operation.
Officials also are developing defensive measures aimed at making it harder for Russia and other sophisticated adversaries to compromise federal and private sector networks, said the officials, several of whom spoke on the condition of anonymity because of the matter’s sensitivity.
Part of the administration’s response, too, will be an attribution statement stronger than the one the intelligence community released in January saying that Moscow “likely” was behind the SolarWinds operation. A White House official said last week that the Russian campaign hit nine U.S. government agencies and about 100 private companies.
But the aim of the various measures, officials said, is to convey a broader message that the Kremlin for years has used cyber tools to carry out an array of actions hostile to the interests of the United States and its allies: interfering in elections, targeting coronavirus vaccine research and creating a permissive atmosphere for criminal hackers who, among other things, have run ransomware botnets that have disrupted American public health facilities.
In a speech to the Munich security conference last week, President Joe Biden said that “addressing . . . Russian recklessness and hacking into computer networks in the United States and across Europe and the world has become critical to protecting our collective security.”
National security adviser Jake Sullivan said Sunday that the response, expected in the coming weeks, “will include a mix of tools seen and unseen, and it will not simply be sanctions.” The bottom line, he told CBS’s “Face the Nation,” is that “we will ensure that Russia understands where the United States draws the line on this kind of activity.”
The administration is also working on an executive order that will improve the Department of Homeland Security’s ability to ensure the resilience of government networks. Part of that is deploying a new technology, a senior administration official said, that gives federal defenders at the department’s Cybersecurity and Infrastructure Security Agency “visibility” into networks that was missing in the SolarWinds hacks.
“You can’t defend against something you can’t see,” the official said in an interview.
The punishment for the cyber hacks is intended to be part of broader measures aimed at holding Moscow accountable for other actions, such as its use of a banned chemical weapon against anti-corruption activist Alexei Navalny.
Politico on Monday reported on the administration’s plan to impose sanctions for the poisoning and jailing of Navalny, in coordination with European allies.
The government in January characterized the Solar Winds operation as “an intelligence-gathering effort.” Espionage is an activity the United States and virtually every other country conducts against its adversaries - and even allies. But senior Biden administration officials have said they view the Russian activity as more than just classic espionage.
Last week, Anne Neuberger, deputy national security adviser for cyber and emerging technology, said at a news briefing that “when there is a compromise of this scope and scale, both across government and across the U.S. technology sector . . . it’s more than a single incident of espionage. It’s fundamentally of concern for the ability for this to become disruptive” - damaging computers or undermining their operation.
What’s notable about these breaches is they were enabled by the Russians hacking software used in the victims’ networks - what is known as a “supply chain” attack.
For instance, some of the victims had downloaded poisoned software updates from the Texas company SolarWinds, which was the Russians’ initial steppingstone into their computers. About 18,000 entities worldwide received the updates. But only a fraction were compromised. The Russians designed the operation so they could choose which targets to victimize. Those they chose to ignore received a “kill switch” dismantling the malware.
Some U.S. officials argue privately that that feature - the selective targeting and disabling of the malware - made the campaign “discriminate,” and not as alarming as an attack that compromised every person whose computer downloaded the poisoned update.
But the senior administration official viewed it differently. “We’re seeing that this kind of broad, indiscriminate compromise, and the access that it enabled the hackers to have, crosses a line of concern to us because it can be turned to be disruptive so quickly,” the official said. “So, at its centrality, it is destabilizing.”
Meddling with the supply chain is concerning, said Trey Herr, director of the Atlantic Council’s Cyber Statecraft Initiative, if only because it undermines customer confidence in the integrity of the software supplier and may lead consumers to distrust software updates that are important to patching vulnerabilities.
Herr stressed that the United States must accept responsibility for not securing its software supply chain. “This is huge egg on the face of the U.S. cybersecurity establishment - both public and private sector,” he said. “It’s not shame on the Russians. It’s shame on us.”
Others also counseled restraint. When it comes to cyber spying, said Fiona Hill, a former deputy assistant to president Donald Trump and senior director for Russia at the National Security Council, the best offense is a good defense. “There’s a huge risk if we say we’re going to take action through cyber retaliation,” Hill said. “If you do tit-for-tat vengeance, you always risk getting in a cycle.’'
Paul Kolbe, former chief of the CIA’s Russian operations, said sanctions with Russia have generally been ineffective. “It gives us the satisfaction of having taken some action and sends a signal of displeasure,” he said. “But I’m hard-pressed to find a single act that we’ve sanctioned Russia for that’s actually changed its behavior.”
The Washington Post reported in December that intelligence officials think the SVR, Moscow’s foreign intelligence service, carried out the intrusions, but the administration has not decided whether to say that publicly.
Some intelligence officials were pushing for a stronger attribution before the administration change last month, but White House officials, wary of angering Trump, who publicly played down the notion that Moscow carried out the hacks, softened it to “likely,” said several people familiar with the matter.
Biden has ordered the intelligence community to provide an assessment of the breaches. Last week, Neuberger said the government has found that nine federal agencies were compromised. She did not name them, but The Post has confirmed the identities with U.S. officials. They include NASA and the Federal Aviation Administration, which have not been previously publicly identified.
The Transportation Department, which houses the FAA, and NASA did not dispute that they were compromised. A DOT spokesman said the department is “continuing to investigate and look into the [FAA] situation.” A NASA spokeswoman said the agency is continuing to work with CISA on “mitigation efforts to secure NASA’s data and network.”
The seven other agencies are the departments of State, Justice, Treasury, Energy, Commerce and Homeland Security, as well as the National Institutes of Health (part of the Health and Human Services). In all cases, the data stolen was unclassified and no operational systems were breached.
“Our general assumption is this was designed to be a long-term operation, low and slow, targeting very few accounts in each individual agency and being selective about the exfiltration so as to avoid detection,” a second U.S. official said.
In some ways, SolarWinds is a misnomer for the campaign. The Russians hacked other companies’ software to gain access to victims’ networks. They compromised the email security firm Mimecast, and a Microsoft corporate partner that handles cloud-access services. And they broke into two federal agencies using “brute force” password cracking, or algorithms that guess passwords, officials said.
The SVR hacked the State Department, the White House and the Joint Chiefs of Staff unclassified networks in 2014 and 2015. But that operation was “noisier,” using phishing emails that were easier to detect, said Dmitri Alperovitch, founder of the Silverado Policy Accelerator and a cybersecurity expert who investigated the earlier hacks.
“Ultimately, those campaigns - at least against those high-priority targets - weren’t very successful, because the intruders were quickly discovered and ejected,” he said. “I believe that realization drove them to the supply-chain model - to get into victims’ networks through third-party suppliers.”
- - -
The Washington Post’s John Hudson, Ian Duncan, Dan Diamond and Christian Davenport contributed to this report.