Officials are also developing safeguards to make it harder for Russia and other sophisticated adversaries to compromise federal and private-sector networks, said officials, several of whom spoke on the condition of anonymity because of the sensitivity of the issue.
Part of the administration’s response will also be a statement of attribution stronger than the one the intelligence community issued in January, which said Moscow was “probably” behind the SolarWinds operation. A White House official said last week that the Russian campaign had affected nine U.S. government agencies and about 1
But the purpose of the various measures, officials said, is to send a broader message that the Kremlin has for years been using cyber tools to carry out a series of actions hostile to the interests of the United States and its allies: interfering in elections, targeting coronavirus vaccine research and creating a permissive environment for hackers who, among other things, have unleashed ransomware botnets that struck American public health facilities.
In a speech at a security conference in Munich last week, President Biden said that “addressing . . . Russian recklessness and hacking into computer networks in the United States and across Europe and the world has become critical to protecting our collective security.”
National Security Adviser Jake Sullivan said Sunday that the response expected in the coming weeks “will include a mix of tools, seen and unseen, and it will not simply be sanctions.” Ultimately, he told CBS’s “Face the Nation,” “we will ensure that Russia understands where the United States draws the line on this kind of activity.”
The administration is also working on an executive order that will improve the Department of Homeland Security’s ability to ensure the resilience of government networks. Part of that is the introduction of new technology, a senior administration official said, that gives federal defenders at the Cybersecurity and Infrastructure Security Agency the “visibility” into networks that was missing during the SolarWinds hacks.
“You can’t defend against something you don’t see,” the official said in an interview.
The punishment for the cyber intrusions is intended to be part of broader measures aimed at holding Moscow accountable for other actions, such as the use of a banned chemical weapon against anti-corruption activist Alexei Navalny.
In January, the government described the SolarWinds operation as an “intelligence gathering effort.” Espionage is an activity that the United States and virtually every other country conducts against its adversaries – and even against allies. But senior Biden officials said they saw Russia’s activities as more than classic espionage.
Last week, Anne Neuberger, deputy national security adviser for cyber and emerging technology, told a news briefing that “when there is a compromise of this scope and scale in both the government and the U.S. technology sector . . . this is more than a single case of espionage. There is a fundamental concern about the ability to make this destructive” – that is, to damage computers or undermine their operation.
What is notable about these intrusions is that they were enabled by the Russians compromising software used in the victims’ networks – what is known as a “supply chain” attack.
For example, some of the victims downloaded a poisoned software update from the Texas company SolarWinds, which gave the Russians their initial foothold on those computers. About 18,000 organizations around the world received the update, but only a small fraction were compromised. The Russians designed the operation so that they could choose which targets to victimize; those they chose to ignore were sent a “kill switch” that removed the malware.
Some U.S. officials say privately that this feature – the selective targeting and deactivation of the malware – made the campaign “discriminating” and less alarming than an attack that compromises everyone whose computer downloaded the poisoned update.
But the senior administration official saw it differently. “We see this kind of broad, indiscriminate compromise, and the access it gave the hackers, as crossing a line of concern for us, because it can become destructive so quickly,” the official said. “So, at its core, it is destabilizing.”
Supply chain interference is worrying, said Trey Herr, director of the Atlantic Council’s Cyber Statecraft Initiative, if only because it undermines customers’ confidence in the integrity of the software provider and can lead them to distrust the very software updates that are essential for fixing vulnerabilities.
Herr stressed that the United States must take responsibility for failing to secure its software supply chain. “This is a huge egg on the face of the American cybersecurity establishment – both in the public and private sectors,” he said. “It’s not a shame for the Russians. We are ashamed.”
Others also advise restraint. When it comes to cyber espionage, said Fiona Hill, a former deputy assistant to President Donald Trump and senior director for Russia at the National Security Council, the best offense is a good defense. “There is a huge risk if we say that we will take action through cyberattacks,” Hill said. “If you retaliate tit for tat, you always risk getting into a cycle.”
Paul R. Kolbe, a former chief of the CIA’s Russia operations, said sanctions against Russia have generally been ineffective. “They give us the satisfaction that we have taken some action, and they send a signal of displeasure,” he said. “But I would be hard-pressed to find a single action for which we have sanctioned Russia that has actually changed its behavior.”
The Washington Post reported in December that intelligence officials believed the SVR, Moscow’s foreign intelligence service, had carried out the intrusions, but the administration had not decided whether to say so publicly.
Some intelligence officials pushed for a stronger attribution before the change of administration last month, but White House officials, wary of angering Trump, who had publicly dismissed the idea that Moscow was behind the hacks, softened it to “probably,” said several people familiar with the matter.
Biden has ordered the intelligence community to assess the breaches. Last week, Neuberger said the government had found that nine federal agencies had been compromised. She did not name them, but The Post confirmed their identities with U.S. officials. They include NASA and the Federal Aviation Administration, which had not previously been publicly identified.
The Transportation Department, which houses the FAA, and NASA have not disputed that they were compromised. A DOT spokesman said the department “continues to investigate [FAA].” A NASA spokesman said the agency was continuing to work with CISA on “mitigation efforts to secure NASA’s data and network.”
The other seven agencies are the departments of State, Justice, Treasury, Energy, Commerce and Homeland Security, as well as the National Institutes of Health (part of the Department of Health and Human Services). In all cases, the stolen data was unclassified and no operational systems were compromised.
“Our general assumption is that this was designed to be a long-term operation, low and slow, targeting very few accounts in each agency and limiting exfiltration to avoid detection,” said a second U.S. official.
In some ways, SolarWinds is a misnomer for the campaign. The Russians also hacked other companies’ software to gain access to victims’ networks. They compromised the email security firm Mimecast and a Microsoft corporate partner that provides cloud access services. And they broke into two federal agencies using “brute-force” password cracking or password-spraying techniques, officials said.
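The two credential-guessing techniques named above leave different footprints in authentication logs, and the “low and slow, very few accounts” pattern the official describes is exactly what makes them easy to miss. The following is an added illustration for defenders, not code from The Post or from any agency: it runs a small detector over constructed sample log lines in a made-up `timestamp result user=… src=…` format (TEST-NET addresses, not real data). Brute force shows up as many failures against one account from one source; password spraying shows up as one source touching many distinct accounts with only one or two failures each, which a per-account lockout threshold never trips. A success from a source that has already produced failures is flagged separately, since that is the event worth investigating first.

```python
import re
from collections import defaultdict

# Constructed sample log lines (assumed format, TEST-NET addresses; not real data).
SAMPLE_LOG = [
    # Brute force: one source hammering a single account.
    "2021-02-20T01:00:01Z FAIL user=bob src=203.0.113.5",
    "2021-02-20T01:00:02Z FAIL user=bob src=203.0.113.5",
    "2021-02-20T01:00:03Z FAIL user=bob src=203.0.113.5",
    "2021-02-20T01:00:04Z FAIL user=bob src=203.0.113.5",
    "2021-02-20T01:00:05Z FAIL user=bob src=203.0.113.5",
    "2021-02-20T01:00:06Z FAIL user=bob src=203.0.113.5",
    # Password spray: one source, one failure each across many accounts, then a success.
    "2021-02-20T02:10:00Z FAIL user=alice src=198.51.100.7",
    "2021-02-20T02:11:00Z FAIL user=bob src=198.51.100.7",
    "2021-02-20T02:12:00Z FAIL user=carol src=198.51.100.7",
    "2021-02-20T02:13:00Z FAIL user=dave src=198.51.100.7",
    "2021-02-20T02:14:00Z FAIL user=erin src=198.51.100.7",
    "2021-02-20T02:15:00Z OK user=frank src=198.51.100.7",
    # Benign: a user mistypes once and then logs in.
    "2021-02-20T03:00:00Z FAIL user=carol src=192.0.2.9",
    "2021-02-20T03:00:30Z OK user=carol src=192.0.2.9",
]

# Parser for the assumed line format; lines that do not match are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(lines):
    """Turn raw log lines into dicts with ts/result/user/src keys."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify_failures(lines, brute_threshold=5, spray_threshold=5):
    """Group failed logins by (source, account) and by source.

    brute_force:  (src, user) pairs with >= brute_threshold failures.
    password_spray: sources whose failures span >= spray_threshold distinct
                    accounts, regardless of how few attempts each account saw.
    success_after_failures: (src, user) successes from a source that had
                    already failed against any account - the first thing to triage.
    """
    failures_per_pair = defaultdict(int)      # (src, user) -> failed attempts
    accounts_per_src = defaultdict(set)       # src -> accounts it failed against
    success_after_failures = set()

    for ev in parse_events(lines):
        key = (ev["src"], ev["user"])
        if ev["result"] == "FAIL":
            failures_per_pair[key] += 1
            accounts_per_src[ev["src"]].add(ev["user"])
        elif ev["src"] in accounts_per_src:
            # Success from a source with prior failures (any account).
            success_after_failures.add(key)

    brute_force = {k: n for k, n in failures_per_pair.items() if n >= brute_threshold}
    password_spray = {
        src: sorted(users)
        for src, users in accounts_per_src.items()
        if len(users) >= spray_threshold
    }
    return {
        "brute_force": brute_force,
        "password_spray": password_spray,
        "success_after_failures": sorted(success_after_failures),
    }


if __name__ == "__main__":
    for category, hits in classify_failures(SAMPLE_LOG).items():
        print(f"{category}: {hits}")
```

The spray threshold deliberately counts distinct accounts rather than attempts, because a spraying source may try each account only once per day; in practice the same counters would be kept over a sliding window of hours or days so that a deliberately slow campaign still accumulates. The benign source (one failure, then success on the same account) is reported under `success_after_failures` too, which is the expected trade-off: that list is a triage queue, not a verdict.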
The SVR infiltrated unclassified networks of the State Department, the White House and the Joint Chiefs of Staff in 2014 and 2015. But that operation was “noisier,” using phishing emails that were easier to detect, said Dmitri Alperovitch, founder of the Silverado Policy Accelerator and a cybersecurity expert who investigated the earlier hacks.
“In the end, these campaigns – at least against those high-priority targets – were not very successful because the intruders were quickly identified and expelled,” he said. “I believe that experience has led them to the supply chain model – entering the victims’ networks through third-party suppliers.”
John Hudson, Ian Duncan, Dan Diamond and Christian Davenport contributed to this report.