Marco Rubio says America must ‘retaliate, and not just with sanctions’ for massive cyber attack

Marco Rubio has demanded that the United States retaliate with more than sanctions for a massive cyber attack on the Pentagon, FBI and nuclear programs, which he said was likely carried out by Russia. 

On Friday Mike Pompeo, the Secretary of State, became the first U.S. official to publicly attribute a massive hacking campaign to Russia, after broad swathes of the federal government and private sector were revealed to be compromised. 

Later on Friday night Rubio, the acting chairman of the Senate Intelligence Committee, urged a strong response. 

‘The methods used to carry out the cyberhack are consistent with Russian cyber operations,’ he tweeted. 

Marco Rubio on Friday night called for ‘retaliation’ beyond sanctions for the cyber attack

Russia has denied being behind the attack, but Pompeo and Rubio have pointed the finger

Russia has denied being behind the attack, but Pompeo and Rubio have pointed the finger

‘But it’s crucial we have complete certainty about who is behind this. We can’t afford to be wrong on attribution, because America must retaliate, and not just with sanctions.’ 

Donald Trump has remained tight-lipped about the attack. Russia has denied being behind it. 

But the huge security breach, which is believed to have begun in the spring and gone undetected for months, is thought to have been so sophisticated that only a state-sponsored actor could pull it off.

The Russians are automatically the prime suspect for attacks of this scale and audacity. 

The Cybersecurity and Infrastructure Security Agency said the attack compromised federal agencies’ ‘critical infrastructure’ in a manner that was hard to detect and will be difficult to undo.

It means that calculating the true size of the attack will be difficult.

‘CISA has determined that this threat poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations,’ they said on Thursday. 

‘CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations.’  

Pompeo on Friday confidently pointed the finger at the Russians. 

‘This was a very significant effort, and I think it’s the case that now we can say pretty clearly that it was the Russians that engaged in this activity,’ Pompeo told The Mark Levin Show on Friday.

Russian President Vladimir Putin’s spokesman has denied Kremlin involvement, and the Russian embassy said in a statement that the country ‘does not conduct offensive operations in the cyber domain.’  

The sprawling attack, which went undetected for nearly nine months, compromised the Departments of Homeland Security, Justice, Treasury, State and Energy, as well as a growing list of companies and local governments across the country. 

Officials with the nation’s cybersecurity agency warn that the breach could be difficult to undo, saying the hackers ‘demonstrated sophistication and complex tradecraft’ and that it was likely that they had built additional secret backdoors while active inside the compromised networks. 

Experts say there simply are not enough skilled threat-hunting teams to properly identify all the government and private-sector systems that may have been hacked, and warn infected networks may have to be ‘burned to the ground’ and rebuilt from scratch. 

Secretary of State Mike Pompeo has become the first U.S. official to publicly attribute a massive hacking campaign to Russia. He is seen above with Putin in 2019

Secretary of State Mike Pompeo has become the first U.S. official to publicly attribute a massive hacking campaign to Russia. He is seen above with Putin in 2019

Senator Chris Coons, a Delaware Democrat, said: 'It's pretty hard to distinguish this from an act of aggression that rises to the level of an attack that qualifies as war'

Senator Chris Coons, a Delaware Democrat, said: ‘It’s pretty hard to distinguish this from an act of aggression that rises to the level of an attack that qualifies as war’

The Pentagon was among the thousands of users of the infected network software. Teams are now hunting DoD networks for hidden backdoors and signs of the attackers

The Pentagon was among the thousands of users of the infected network software. Teams are now hunting DoD networks for hidden backdoors and signs of the attackers

Democrats in Congress have spoken out about the cyber attack in strong terms, demanding a harsh response and blasting President Donald Trump, who has not spoken about the attack or appeared in public for the past five days.

‘The situation is developing, but the more I learn this could be our modern day, cyber equivalent of Pearl Harbor,’ said Rep. Jason Crow, a Colorado Democrat, in a tweet on Friday.

‘Our nation is under assault. This cyberattack could be the largest in our history,’ he added, before slamming Trump for his lack of public response to the cyber attack.

Senator Chris Coons, a Delaware Democrat, told MSNBC: ‘It’s pretty hard to distinguish this from an act of aggression that rises to the level of an attack that qualifies as war.’ 

Coons, 57, called the attack ‘as destructive and broad scale an engagement with our military systems, our intelligence systems as has happened in my lifetime.’

Trump has not yet said anything publicly about the intrusion. 

He was being briefed ‘as needed,’ White House spokesman Brian Morgenstern told reporters on Friday. 

National security adviser Robert O’Brien was leading interagency meetings daily, if not more often, he said.

‘They’re working very hard on mitigation and making sure that our country is secure. We will not get into too many details because we’re just not going to tell our adversaries what we do to combat these things,’ Morgenstern said.

'The situation is developing, but the more I learn this could be our modern day, cyber equivalent of Pearl Harbor,' said Rep. Jason Crow, a Colorado Democrat

‘The situation is developing, but the more I learn this could be our modern day, cyber equivalent of Pearl Harbor,’ said Rep. Jason Crow, a Colorado Democrat

‘Cozy Bear’: The Russian hacker cell suspected in attack 

Russia denies involvement in the SUNBURST attack, but US officials say the nation is behind the ‘Advanced Persistent Threat’ (APT) that carried out the audacious breach.

Sources say that one top suspect is APT29, the Kremlin-linked group also known as Cozy Bear. 

Cozy Bear is best known as the group said to be responsible for the 2016 breach of the Democratic National Committee’s servers.

Experts believe that Cozy Bear operates as part of one of Russia’s intelligence agencies. 

Some doubt the attribution of SUNBURST to Cozy Bear, through, noting that the tools used in the attack have never been seen before.  

The Democratic chairs of four House committees given classified briefings on the hack by the Trump administration issued a statement complaining that they ‘were left with more questions than answers.’

‘Administration officials were unwilling to share the full scope of the breach and identities of the victims,’ they said.

Morgenstern said earlier that disclosing such details only helps U.S. adversaries.

The long-term planning of the attack became clear on Friday, as officials said that the hackers appeared to have conducted a dry run over a year ago, testing their ability to insert malicious code into network management software from SolarWinds Corp, which was later delivered to some 18,000 of the company’s customers.  

Private security companies say that the breach bears the hallmarks of a Kremlin operation. Some have pointed at the Russian hacking cell dubbed ‘Cozy Bear’ — though other experts argue that the tools and methods used in the new attack are different from any past breach, making attribution tricky.

‘At the moment, there are no technical links with previous attacks, so it may be an entirely new actor,’ security firm Kaspersy said in a blog post. 

FireEye, the cybersecurity company that discovered the intrusion into U.S. agencies and was among the victims, has already tallied dozens of casualties. It’s racing to identify more.

‘We have a serious problem. We don’t know what networks they are in, how deep they are, what access they have, what tools they left,’ said Bruce Schneier, a prominent security expert and Harvard fellow.

The only way to be sure a network is clean is ‘to burn it down to the ground and rebuild it,’ Schneier said.

He compared the situation to learning that a serial killer has been inside your house, with his own key. ‘You don’t know if he’s gone. How do you get work done? You kind of just hope for the best,’ he said.

A spokesman for Russian President Vladimir Putin denied Russia was behind the attack

A spokesman for Russian President Vladimir Putin denied Russia was behind the attack

Trump has not made any remarks addressing the attack and has not appeared in public for five days, but posted this Christmas card photo on Friday with First Lady Melania

Trump has not made any remarks addressing the attack and has not appeared in public for five days, but posted this Christmas card photo on Friday with First Lady Melania

Many federal workers – and others in the private sector – now must presume that unclassified networks are teeming with spies. 

Agencies will be more inclined to conduct sensitive government business on Signal, WhatsApp and other encrypted smartphone apps.

‘We should buckle up. This will be a long ride,’ said Dmitri Alperovitch, co-founder and former chief technical officer of the leading cybersecurity firm CrowdStrike. ‘Cleanup is just phase one.  

Meanwhile, Microsoft President Brad Smith called the attack a ‘moment of reckoning’ that ‘illuminates the ways the cybersecurity landscape continues to evolve and become even more dangerous.’ 

Microsoft, one of the thousands of companies to receive the malicious update, said it had notified more than 40 customers around the world whose networks were infiltrated by the hackers. 

The list of victims includes not only government agencies, but security and other technology firms as well as think tanks and government contractors. 

‘The attack unfortunately represents a broad and successful espionage-based assault on both the confidential information of the U.S. Government and the tech tools used by firms to protect them,’ Smith wrote in a blog post.

‘The coming months will present a critical test, not only for the United States but for other leading democracies and technology companies,’ he added. 

This heat map of infections created by Microsoft shows that those infiltrated by the hackers are spread out across the US

This heat map of infections created by Microsoft shows that those infiltrated by the hackers are spread out across the US

On Friday, increasing evidence emerged showing that the hacking campaign had been carefully planned and executed over more than a year.

A version of the SolarWinds Orion product, which was ultimately used to deliver the SUNBURST backdoor to customer networks, was tampered with in October 2019 but did not contain the backdoor, according to the U.S. Cybersecurity and Infrastructure Security Agency.

The tampered files went undetected, and in March of 2020, the hackers began using Orion updates to deliver their backdoor.

SolarWinds timeline: Company stocks and when they discovered attack 

March: Updated versions of SolarWinds premier product, Orion, are infiltrated by an ‘outside nation state’

SolarWinds customers who installed updates to their Orion software were unknowingly welcoming hidden malicious code that could give intruders the same view of their corporate network that in-house IT crews have

November 18 and 19: Outgoing CEO Kevin Thompson sells $15m in shares

December 7: Leading investors Silver Lake and Thoma Bravo sell $280m shares from SolarWinds

December 7: CEO Kevin Thompson resigns. His transition had already been announced but no set date given 

December 8: FireEye announces hackers broke into its servers

December 9: New CEO Sudhakar Ramakrishna announced to take over from Thompson in 2021 

December 11: FireEye claims it became aware that SolarWinds updates had been corrupted and contacted the company  

December 13: The infiltration of Orion becomes public

The US issues an emergency warning, ordering government users to disconnect SolarWinds software which it said had been compromised by ‘malicious actors’

The Pentagon, the State Department and the National Institutes of Health, as well as the Treasury, Commerce and Homeland Security departments reveal they were targeted

‘We’re thinking they wanted to test whether or not it was going to work and whether it would be detected. So it was more or less a dry run,’ a source familiar with the investigation told Yahoo News. 

‘They took their time. They decided to not go out with an actual backdoor right away. That signifies that they’re a little bit more disciplined and deliberate,’ the person added. 

SolarWinds, which disclosed its unwitting role at the center of the global hack on Monday, has said that up to 18,000 users of its Orion software downloaded a compromised update containing malicious code planted by the attackers. 

The attack was believed to be the work of an ‘outside nation state,’ SolarWinds said in a regulatory disclosure. 

In addition to major federal agencies and critical infrastructure, the hackers targeted entities as various as a county government in Arizona and a cable television company.

The Pima County, Arizona government and Cox Communications Inc were identified as victims of the intrusion by Reuters after running a publicly available coding script.

How hackers managed to install a secret backdoor in software used by hundreds of thousands of government departments and companies

The hack began as early as March this year when hackers snuck malicious code into recent versions of SolarWinds’ premier software product, Orion.

The popular software tool helps organizations monitor the performance of their computer networks and servers.

Hackers managed to install a secret network backdoor – which authorities are calling SUNBURST – into Orion’s software updates.

Its centralized monitoring looks for problems in an organization’s computer networks, which means that breaking in gave the attackers a ‘God-view’ of those networks. 

It is not yet clear how hackers managed to infiltrate SolarWinds and go undetected for nine months.  

During this time-frame, as many as 18,000 SolarWinds customers – including federal agencies and major companies – downloaded the compromised updates that contained the back door. 

The software update became an instrument for hackers to steal information undetected for nine months. 

Once installed on a network, the malware used a protocol designed to mimic legitimate SolarWinds traffic to communicate with a domain that has since been seized and shut down, the Cybersecurity and Infrastructure Security Agency has since revealed.  

The initial contact domain would often direct the malware to a new internet protocol (IP) address for command and control. The attackers used rotating IPs and virtual private servers with IP addresses in the target’s home country to make detection of the traffic more difficult. 

CISA said that once inside a network, the hackers focused on gathering information and frequently targeted the emails of IT and security staff to monitor any countermeasures. 

The hackers are feared to have had access to government emails as far back as June.  

SolarWinds: The Texas company at the center of the biggest attack in American history

Before this week, few people were aware of SolarWinds, the Austin-based software company providing vital computer network monitoring services to major corporations and government agencies worldwide. 

But the revelation that elite cyber spies have spent months secretly exploiting SolarWinds’ software to peer into computer networks has put many of its highest-profile customers in national governments and Fortune 500 companies on high alert. 

It’s also raising questions about whether company insiders knew of its security vulnerabilities as its biggest investors sold off stock. 

The hack began as early as March this year when hackers snuck malicious code into recent versions of SolarWinds' premier software product, Orion. The Austin-based software company provides vital computer network monitoring services to major corporations and government agencies worldwide

The hack began as early as March this year when hackers snuck malicious code into recent versions of SolarWinds’ premier software product, Orion. The Austin-based software company provides vital computer network monitoring services to major corporations and government agencies worldwide

A SolarWinds SEC filing from December 7 – just days prior to the hack emerging -revealed that the company’s board had appointed a replacement CEO.  

SolarWinds’ longtime CEO, Kevin Thompson, had months earlier indicated that he would be leaving at the end of the year as the company explored spinning off one of its divisions. 

The SolarWinds board appointed his replacement, current PulseSecure CEO Sudhakar Ramakrishna, on December 7, according to the financial filing. 

It was also on December 7 that the company’s two biggest investors, Silver Lake and Thoma Bravo, which control a majority stake in the publicly traded company, sold more than $280 million in stock to a Canadian public pension fund. 

The two private equity firms in a joint statement said they ‘were not aware of this potential cyberattack’ at the time they sold the stock.   

Global alarm bells ring: How the hack was first discovered by a California cyber-security firm FireEye

The breach of SolarWinds’ software was first discovered by one of its customers: The prominent cybersecurity firm FireEye.

The California-based cyber security firm, which is also a government contractor,  noticed a suspicious log-in on its network around December 8. 

SolarWinds timeline: Company stocks and when they discovered attack 

March: Updated versions of SolarWinds premier product, Orion, are infiltrated by an ‘outside nation state’

SolarWinds customers who installed updates to their Orion software were unknowingly welcoming hidden malicious code that could give intruders the same view of their corporate network that in-house IT crews have

November 18 and 19: Outgoing CEO Kevin Thompson sells $15m in shares

December 7: Leading investors Silver Lake and Thoma Bravo sell $280m shares from SolarWinds

December 7: CEO Kevin Thompson resigns. His transition had already been announced but no set date given 

December 8: FireEye announces hackers broke into its servers

December 9: New CEO Sudhakar Ramakrishna announced to take over from Thompson in 2021 

December 11: FireEye claims it became aware that SolarWinds updates had been corrupted and contacted the company  

December 13: The infiltration of Orion becomes public

The US issues an emergency warning, ordering government users to disconnect SolarWinds software which it said had been compromised by ‘malicious actors’

The Pentagon, the State Department and the National Institutes of Health, as well as the Treasury, Commerce and Homeland Security departments reveal they were targeted

FireEye says the attackers stole some of its ‘red team’ software, which mimics cyber-attacks to test the security of its clients’ computers. 

Two lawmakers, who were briefed on the hack this week, told Politico that FireEye representatives said that one of their employees had apparently been duped into revealing their two-factor authentication security details.

Company officials have denied the account given by congressional staffers and said none of its employees were tricked.

FireEye said they caught the breach when hackers tried to register a new device on its systems, which tipped the company off to the wider cyber-attack. 

Following an investigation, FireEye say they determined that SolarWinds’ Orion software had been hacked.    

‘We initially detected the incident because we saw a suspicious authentication to our VPN solution,’ a spokesperson has since said.  

‘The attacker was able to enroll a device into our multi-factor authentication solution, and that generates an alert which we then followed up on.’  

They insist that the SolarWinds breach was the source of the attack against FireEye. 

Once it determined that there was a wider cyber-attack, a FireEye executive alerted SolarWinds on December 12 of the compromise. 

After learning of the SolarWinds breach, the National Security Council held an emergency meeting at the White House on December 12.  

The Cybersecurity and Infrastructure Security Agency and the FBI were brought in to investigate after some government agencies were confirmed to have been hacked. 

At this time, people with knowledge of the meeting reported that hackers believed to be working for Russia had been monitoring internal email traffic at the US Treasury and Commerce departments.

Sources told Reuters that they feared the hacks uncovered so far may have been be the tip of the iceberg.  

SolarWinds began alerting about 33,000 of its customers on December 13 that an ‘outside nation state’ – widely suspected to be Russia – had injected malicious code into some updated versions of its premier product, Orion.

The company said in a statement that updates to its monitoring software released between March and June of this year may have been subverted by what it described as a ‘highly-sophisticated, targeted and manual supply chain attack by a nation state’. 

The Cybersecurity and Infrastructure Security Agency issued an emergency directive ordering federal agencies to ‘disconnect or power down’ the SolarWinds Orion software due to the breach. 

From US nuclear agencies and the FBI to Fortune 500: Who is known to have been targeted by hackers so far 

The list of victims continues to grow from the cyberattack that is being described as the biggest hack in American history.

The two US agencies responsible for maintaining America’s nuclear weapons stockpile – Energy Department and the National Nuclear Security Administration – have already said they were compromised in the attack.  

The attack also breached the Pentagon, FBI, Treasury and State Departments.  

The DOE and the NNSA have warned Congress that their breached networks may include the Los Alamos National Laboratory, which conducts the government’s most sensitive and advanced nuclear research, Politico reported.

The US has an estimated 5,800 nuclear warheads, some of which are on missiles and bombs ready for launch from submarines, airplanes and land-based missiles, while others are held in storage. Most however are in storage, retired, or being decommissioned. 

The FBI (right) was targeted and has moved routine communication onto classified networks that are believed not to have been breached

The FBI (above) has moved routine communication onto classified networks that are believed not to have been breached, according to two people briefed on the measures.

Hacked: The Los Alamos National Laboratory in New Mexico conducts the government's most sensitive and advanced nuclear research

Hacked: The Los Alamos National Laboratory in New Mexico conducts the government’s most sensitive and advanced nuclear research

Deterrent: Land-based Minuteman missiles are one of the three prongs of the nuclear triad. Experts now fear the agencies that maintain US nuclear stockpiles have been breached

Deterrent: Land-based Minuteman missiles are one of the three prongs of the nuclear triad. Experts now fear the agencies that maintain US nuclear stockpiles have been breached

Their status is one of the government’s most closely-guarded secrets, as are efforts to create new weapons, which are part of the Los Alamos National Laboratory’s work.

Another attack was found in a field office of the Energy Department in Richland, Washington state, which Politico reported could have been an effort to gather information on how to disrupt the national electricity grid.

The sprawling attack also compromised broad swathes of the private sector, including Microsoft and likely most of the Fortune 500. 

The true scale of who has been affected and what information has been stolen may never be known, officials and experts say.  

How hackers used legitimate software updates as camouflage for the ‘SUNBURST’ attack 

WHAT HAPPENED?

The hack began as early as March when malicious code was snuck into updates to popular software that monitors computer networks of businesses and governments. The malware, affecting a product made by U.S. company SolarWinds, gave elite hackers remote access into an organization’s networks so they could steal information. 

It wasn’t discovered until the prominent cybersecurity company FireEye determined it had been hacked. Whoever broke into FireEye was seeking data on its government clients, the company said – and made off with hacking tools it uses to probe its customers’ defenses.

Its apparent monthslong timeline gave the hackers ample time to extract information from a lot of different targets.

FireEye executive Charles Carmakal said the company was aware of ‘dozens of incredibly high-value targets’ compromised’ by the hackers and was helping ‘a number of organizations respond to their intrusions.’ 

He would not name any, and said he expected many more to learn in coming days that they, too, were infiltrated. 

WHAT IS SOLARWINDS? 

SolarWinds, of Austin, Texas, provides network-monitoring and other technical services to hundreds of thousands of organizations around the world, including most Fortune 500 companies and government agencies in North America, Europe, Asia and the Middle East.

Its compromised product, called Orion, accounts for nearly half SolarWinds’ annual revenue. The company’s revenue totaled $753.9 million over the first nine months of this year. 

Its centralized monitoring looks for problems in an organization’s computer networks, which means that breaking in gave the attackers a ‘God-view’ of those networks. 

HOW DID IT HAPPEN?

The US Cybersecurity and Infrastructure Security Agency on Thursday released an alert detailing what it knows about the breach, which has been called the biggest in US history.

CISA says that hackers were able to compromise the supply chain of network management software from SolarWinds, specifically recent versions of the SolarWinds Orion products. 

Beginning in March 2020, hackers used SolarWinds software updates to install a secret network backdoor, which authorities are calling SUNBURST.

The malicious code was signed by the legitimate SolarWinds code signing certificate. An estimated 18,000 customers downloaded the compromised updates.

Once installed on a network, the malware used a protocol designed to mimic legitimate SolarWinds traffic to communicate with a domain that has since been seized and shut down.

The initial contact domain would often direct the malware to a new internet protocol (IP) address for command and control. The attackers used rotating IPs and virtual private servers with IP addresses in the target’s home country to make detection of the traffic more difficult.

‘Taken together, these observed techniques indicate an adversary who is skilled, stealthy with operational security, and is willing to expend significant resources to maintain covert presence,’ CISA said in the alert.

CISA said that once inside a network, the hackers seemed focused on gathering information, and would frequently target the emails of IT and security staff to monitor any countermeasures.

Without offering further details, the agency warned that the hackers used ‘other initial access vectors beyond SolarWinds Orion,’ meaning even groups that do not use the network software could be compromised.