Nearly a week after the US government announced that multiple federal agencies had been targeted by a sweeping cyber-attack, the full scope and consequences of the suspected Russian hack remain unknown.
Key federal agencies, from the Department of Homeland Security to the agency that oversees America’s nuclear weapons arsenal, were reportedly targeted, as were powerful tech and security companies including Microsoft. Investigators are still trying to determine what information the hackers may have stolen, and what they could do with it.
After days of silence, Donald Trump on Saturday dismissed the hack, which federal officials said posed a “grave risk” to every level of government, and said it was “well under control”. Joe Biden has promised a tougher response to cyber-attacks but offered no specifics. Members of Congress are demanding more information about what happened, even as officials scrambling for answers call the attack “significant and ongoing”.
Here’s a look at what we know, and what we still don’t, about the worst-ever cyber-attack on US federal agencies.
What happened?
The hack began as early as March, when malicious code was snuck into updates to a popular software called Orion, made by the company SolarWinds, which provides network-monitoring and other technical services to hundreds of thousands of organizations around the world, including most Fortune 500 companies and government agencies in North America, Europe, Asia and the Middle East.
That malware gave elite hackers remote access to an organization’s networks so they could steal information. The apparent months-long timeline gave the hackers ample opportunity to extract information from targets including monitoring email and other internal communications.
Microsoft called it “an attack that is remarkable for its scope, sophistication and impact”.
Who has been affected?
At least six US government departments, including energy, commerce, treasury and state, are reported to have been breached. The National Nuclear Security Administration’s networks were also breached, Politico reported on Thursday.
Dozens of security and other technology firms, as well as non-governmental organizations, were also affected, Microsoft said on Thursday. While most affected by the attack were in the US, Microsoft said it had identified victims in Canada, Mexico, Belgium, Spain, the United Kingdom, Israel and the United Arab Emirates.
“It’s certain that the number and location of victims will keep growing,” Microsoft added.
Who is responsible for the attack?
On Friday evening, secretary of state Mike Pompeo became the first Trump official to publicly confirm the attack was linked to Russia, telling a conservative radio host: “I think it’s the case that now we can say pretty clearly that it was the Russians that engaged in this activity.”
Previously, US officials speaking on condition of anonymity, as well as prominent cybersecurity experts, told media outlets they believed Russia was the culprit, specifically SVR, Russia’s foreign intelligence outfit.
Andrei Soldatov, an expert on Russia’s spy agencies and the author of The Red Web, told the Guardian he believes the hack was more likely a joint effort of Russia’s SVR and FSB, the domestic spy agency Vladimir Putin once led.
Russia has denied involvement: “One shouldn’t unfoundedly blame the Russians for everything,” a Kremlin spokesman said.
The infiltration tactic involved in the current hack, known as the “supply chain” method, recalled the technique Russian military hackers used in 2016 to infect companies that do business in Ukraine with the hard-drive-wiping NotPetya virus – the most damaging cyber-attack to date.
What information has been stolen, and how is it being used?
That remains unclear.
“This hack was so big in scope that even our cybersecurity experts don’t have a real sense yet in the terms of the breadth of the intrusion itself,” Stephen Lynch, head of the House of Representatives oversight committee, said after attending a classified briefing on Friday.
Thomas Rid, a Johns Hopkins cyber-conflict expert, told the Associated Press it was likely the hackers had harvested such a vast quantity of data that “they themselves most likely don’t know yet” what useful information they’ve stolen.
What can be done to fix the networks that have been compromised?
That’s also unclear, and potentially very difficult.
“Removing this threat actor from compromised environments will be highly complex and challenging for organizations,” said a statement from the cybersecurity and Infrastructure Security Agency (Cisa) on Thursday.
One of Trump’s former homeland security advisers, Thomas Bossert, has said publicly that a real fix may take years, and be both costly and challenging.
“It will take years to know for certain which networks the Russians control and which ones they just occupy,” Bossert wrote in the New York Times. “The logical conclusion is that we must act as if the Russian government has control of all the networks it has penetrated.
“A ‘do-over’ is mandatory and entire new networks need to be built – and isolated from compromised networks.”
How has Trump responded?
For most of the week, the president said nothing. On Saturday morning, he sent a tweet dismissing the seriousness of the attack and contradicting his own officials’ statements about Russia’s responsibility.
Officials at the White House had been prepared to put out a statement on Friday afternoon, accusing Russia of being “the main actor”, but were told at the last minute to stand down, the AP reported, citing a US official familiar with the conversations.
The Republican senator and former presidential candidate Mitt Romney criticized Trump’s long silence as unacceptable in response to an attack he said was “like Russian bombers have been repeatedly flying undetected over our entire country”.
“Not to have the White House aggressively speaking out and protesting and taking punitive action is really, really quite extraordinary,” Romney said.
Trump tweeted on Saturday that he was skeptical of holding Russia responsible, a statement made just hours after his secretary of state said publicly the attack was “clearly” linked to Russia.
“Russia, Russia, Russia is the priority chant when anything happens,” Trump tweeted, questioning, without any evidence, whether China might have been behind the attack instead.
“Another day, another scandalous betrayal of our national security by this president,” Adam Schiff, the California Democrat who chairs the House intelligence committee and led impeachment proceedings against Trump, said in response.
How has Biden responded?
So far, there’s been tough talk but no clear plan from the president-elect.
“We need to disrupt and deter our adversaries from undertaking significant cyber-attacks in the first place,” Biden said. “We will do that by, among other things, imposing substantial costs on those responsible for such malicious attacks, including in coordination with our allies and partners.
“There’s a lot we don’t yet know, but what we do know is a matter of great concern.”
Could this attack have been prevented or deterred?
“What we could have done is had a coherent approach and not been at odds with each other,” said Fiona Hill, a Russia expert and former National Security Council member, to PBS NewsHour, criticizing conflict and dysfunction within the Trump administration and between the US and allies on Russia-related issues.
That dysfunction was on new display on Saturday, as Trump publicly disputed his own secretary of state’s explanation.
If “we don’t have the president on one page and everybody else on another, and we’re working together with our allies to push back on this, that would have a serious deterrent effect”, Hill said.
Other cybersecurity experts said the federal government could also do more to simply keep up to date on cybersecurity issues, and said the Trump administration had failed on this front, including by eliminating the positions of White House cybersecurity coordinator and state department cybersecurity policy chief.
“It’s been a frustrating time, the last four years. I mean, nothing has happened seriously at all in cybersecurity,” Brandon Valeriano, a Marine Corps University scholar and adviser to a US cyber-defense commission, to the AP.
What options does the US have to respond politically?
Some experts are arguing the US needs to do more to punish Russia. The federal government could impose formal sanctions, as when the Obama administration expelled diplomats in retaliation for Kremlin military hackers’ meddling in Trump’s favor in the 2016 election. Or the US could fight back more covertly by, for instance, making public details of Putin’s financial dealings.
But as the Guardian’s Luke Harding pointed out, cyber-attacks are “cheap, deniable, and psychologically effective”, and Biden’s options for responding are limited.
“The answer eluded Barack Obama, who tried unsuccessfully to reset relations with Putin,” Harding wrote. “The person who led this doomed mission was the then secretary of state, Hillary Clinton, herself a Russian hacking victim in 2016.”
The state department said on Saturday the US was halting work at consulates in Vladivostock and Yekaterinburg, citing safety and security issues at facilities where operations had been curtailed because of Covid-19. The decision did not affect Russian consulates in the US, the department said, but the closures will leave the embassy in Moscow as the last US diplomatic mission in Russia.
What are other potential consequences of the hack?
SolarWinds may face legal action from customers and government entities affected by the breach. The company filed a report with the Securities and Exchange Commission on Tuesday, detailing the hack.
The company said total revenue from affected products was about $343m, or roughly 45% of its total revenue. SolarWinds’ stock price has fallen 25% since news of the breach first broke.
Moody’s Investors Service said on Wednesday it was looking to downgrade its rating for the company, citing the “potential for reputational damage, material loss of customers, a slowdown in business performance and high remediation and legal costs”.
The Associated Press contributed reporting