Mitt Romney demanded Sunday that the U.S. response to the Russia cyber attack be ‘of like magnitude or greater’ as he slams President Donald Trump for claiming the hack was actually from China.
‘What Russia has done is put in place a capacity to potentially cripple us in terms of our electricity, our power, our water, our communications,’ the Utah senator told CNN’s ‘State of the Union’ Sunday morning.
‘This is the same thing you can do in a wartime setting, so it’s extraordinarily dangerous, and an outrageous affront on our sovereignty and one that’s going to have to be met with a strong response,’ Romney continued. ‘Not just rhetorical, important as that is, but also with a cyber response of like magnitude or greater.’
Democratic Senator Mark Warner, ranking member of the Intelligence Committee, called the Kremlin’s takeaway from the cyber attack a ‘big haul.’
‘So the adversary very probably, as the secretary of state said, Russia, came away with a big, big haul,’ Warner said of the extent of the attack to ABC’s ‘This Week’ host Sunday morning. ‘And we’re still determining how extensive this attack will be. It will take us literally weeks to continue to ferret this out and then potentially months to remediate.’
President Trump has deflected blame from Russia, claiming instead that the attack came from China.
Romney said that Trump has a ‘blind spot’ for Russia.
‘I was disappointed with the president’s comment,’ Romney told NBC’s ‘Meet the Press’ on Sunday. ‘But I think we’ve come to recognize that the president has a blind spot when it comes to Russia.’
Republican Senator Mitt Romney said Sunday morning that the response to Russia’s attack be ‘of like magnitude or greater’ to their hack that has compromised several U.S. agencies
Intelligence Committee Ranking Member Mark Warner said Sunday that Russia got away with a ‘big, big haul’ from their hack
Trump has refused to acknowledge that Russia was behind the hack, instead insisting it could have been China
Trump tweeted claiming that China could be behind the attack, despite Secretary of State Mike Pompeo publicly blaming Russia the day before
The comments from the Republican senator came after Trump contradicted members of his own administration to suggest that China may be behind the sprawling attack, which compromised key federal agencies.
‘The Cyber Hack is far greater in the Fake News Media than in actuality. I have been fully briefed and everything is well under control,’ Trump tweeted on Saturday.
‘Russia, Russia, Russia is the priority chant when anything happens because Lamestream is, for mostly financial reasons, petrified of discussing the possibility that it may be China (it may!),’ he continued.
‘There could also have been a hit on our ridiculous voting machines during the election, which is now obvious that I won big, making it an even more corrupted embarrassment for the USA,’ the president concluded in a two-part tweet bringing up, again, his yet-to-be-proven claim of widespread voter fraud.
Romney said it was ’embarrassing’ when asked by a reporter on Capitol Hill Sunday about reports Trump is considering telling the Justice Department to appoint Sidney Powell as special counsel to investigate this election.
‘You know, I think it’s embarrassing to have the president focus on these matters when so many people are suffering with COVID, when so much is expected of our nation, when we’ve been through our cyberspace invaded by Russians,’ Romney said.
‘The President could go out in this last chapter talking about the great success on the vaccine, for which he deserves a great deal of credit,’ he continued.
Trump’s assertion that China may be behind the hacking spree, runs counter to comments by Secretary of State Mike Pompeo and multiple lawmakers briefed on the matter.
‘We can say pretty clearly that it was the Russians that engaged in this activity,’ Pompeo said on Friday in an interview.
Russia has denied involvement in the attack.
When asked if he agrees with his congressional colleagues’ statements on the Russia hack being a ‘declaration of war,’ Romney was a little less assertive, saying: ‘I’ll step back to respond to that.’
‘You can bring a country to its knees if people don’t have electricity, don’t have water and can’t communicate. And basically, what Russia appears to have done, put themselves in those systems in our country,’ the Utah senator told NBC host Chuck Todd.
‘They don’t need rockets to take those things out,’ Romney said of integral infrastructure. ‘They potentially have the capability to take out all of those things and doing it remotely at very small cost. So this is a very dangerous and damaging invasion of cyberspace, which has enormous national security implications.’
Republican Senator Marco Rubio, acting Chairman of the Intelligence Committee, told Fox News on Thursday: ‘And as far as attribution, when you attribute it to somebody, you have got to know it for sure because it’s a very — this is almost, I would argue — an act of war, absolutely.’
Democratic Senator Warner said he was also upset with the president deflecting blame from the Kremlin.
‘This is extraordinarily serious, and when the President of the United States tries to deflect or is not willing to call out the adversary as we make that attribution, he is not making our country safer,’ the Intelligence Committee’s top Democrat told ABC’s ‘This Week’ on Sunday morning.
He said there is no doubt in his mind that the cyber attack came from Russia.
Romney said in a different interview with NBC on Sunday morning that he is ‘disappointed’ Trump blamed the attack on China, claiming: ‘The president has a blind spot when it comes to Russia’
Warner also refused to say whether or not he classifies the attack as an ‘act of war’ because there are not a set of ‘cyber norms’.
Microsoft researchers said Saturday they discovered a second cyber attack on the U.S. government.
They said an unidentified hacking team installed a backdoor in the same SolarWinds network software that facilitated a massive cyber espionage campaign, as the number of victims in the attack rose to 200.
The second backdoor, dubbed SUPERNOVA by security experts, appears distinct from the SUNBURST attack that has been attributed to Russia, raising the possibility that multiple adversaries were attempting parallel attacks, perhaps unbeknownst to each other.
‘The investigation of the whole SolarWinds compromise led to the discovery of an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor,’ Microsoft said in a security blog on Friday.
The second backdoor is a piece of malware that imitates SolarWinds’ Orion product but it is not ‘digitally signed’ like the other attack, suggesting this second group of hackers did not share the same access to the network management company’s internal systems.
Chinese leader Xi Jinping is seen with Russian President Vladimir Putin. There is now evidence two adversaries compromised SolarWinds products, after Trump contradicted his own secretary of state to suggest China, rather than Russia was to blame
Microsoft’s headquarters is seen above. The company says a second a second unidentified hacking team installed a backdoor in the same SolarWinds network software that facilitated a massive cyber espionage campaign
Microsoft identified the types of targets compromised in the attack in the above graphic
It is unclear whether SUPERNOVA has been deployed against any targets, such as customers of SolarWinds. The malware appears to have been created in late March, based on a review of the file’s compile times.
The SUNBURST backdoor was first deployed in March, though the same group behind it appears to have tampered with SolarWinds products as early as October 2019.
In past breaches, security researchers have found evidence that more than one suspected Russian hacking group penetrated the same system, duplicating their efforts in a way that suggested each did not know what the other was doing.
One such case was the breach of the Democratic National Committee’s servers in 2016, when CrowdStrike researchers found evidence that Russian hacking groups dubbed Fancy Bear and Cozy Bear had both broken into the system.
It’s also possible that the SUPERNOVA and SUNBURST attacks represent the actions of separate nations attempting to use SolarWinds products to penetrate other high-value U.S. targets.
In a statement, a SolarWinds spokesman did not address SUPERNOVA, but said the company ‘remains focused on collaborating with customers and experts to share information and work to better understand this issue.’
‘It remains early days of the investigation,’ the spokesman said.
Hackers used malicious code inserted into legitimate products from SolarWinds to target hundreds of high-value targets. Above, the company’s Texas headquarters is seen
A graphic shows how the SUNBURST attack unfolded in networks that were compromised
Meanwhile, cybersecurity firm Recorded Future says it has identified 198 victims of the attack who were actively compromised through the backdoor, though the final number could rise further, according to Bloomberg.
Though compromised network software from SolarWinds Corp was downloaded by nearly 18,000 customers since March, the hackers only activated their Trojan horse backdoor, dubbed SUNBURST, on a handful of high-value targets.
The researchers did not name the victims, though experts at Microsoft have said most victims were government agencies, defense contractors, and technology providers. The departments of Homeland Security, Justice, Treasury, Commerce, Energy and State are known to be among the compromised victims.
Though Pompeo on Friday attributed the SUNBURST attack to Russia, Trump on Saturday broke his lengthy silence about the breach to suggest that China may be responsible.
Romney in a tweet on Thursday said the hack was ‘like Russian bombers have been repeatedly flying undetected over our entire country.’
Experts say that attribution of a skilled cyber breach can be difficult to pin down, and note that the tools used in the SUNBURST attack have never been seen before.
‘Cyber attribution is exceptionally complex and relies on analysis not only of the tools and techniques used, but also the possible motivations,’ Brett Callow, a threat analyst with cybersecurity firm Emsisoft, told DailyMail.com.
‘What evidence the US government has that points to the attack being carried out by Russia – or, for that matter, China – is unclear at this point,’ he added.
The hack first came into view last week, when U.S. cybersecurity firm FireEye Inc disclosed that it had itself been a victim of the very kind of cyberattack that clients pay it to prevent.
Publicly, the incident initially seemed mostly like an embarrassment for FireEye. But hacks of security firms are especially dangerous because their tools often reach deeply into the computer systems of their clients.
Days before the hack was revealed, FireEye researchers knew something troubling was afoot and contacted Microsoft Corp and the Federal Bureau of Investigation, three people involved in those communications told Reuters. Microsoft and the FBI declined to comment.
Their message: FireEye has been hit by an extraordinarily sophisticated cyber-espionage campaign carried out by a nation-state, and its own problems were likely just the tip of the iceberg.
A heatmap shows the locations of known victims of the breach identified by Microsoft
About half a dozen researchers from FireEye and Microsoft, set about investigating, said two sources familiar with the response effort.
At the root of the problem, they found, was something that strikes dread in cybersecurity professionals: so-called supply-chain compromises, which in this case involved using software updates to install malware that can spy on systems, exfiltrate information and potentially wreak other types of havoc.
In 2017, Russian operatives used the technique to knock out private and government computer systems across Ukraine, after hiding a piece of malware known as NotPetya in a widely used accountancy program. Russia has denied that it was involved. The malware quickly infected computers in scores of other countries, crippling businesses and causing hundreds of millions of dollars of damage.
The latest U.S. hack employed a similar technique: SolarWinds said its software updates had been compromised and used to surreptitiously install malicious code in nearly 18,000 customer systems. Its Orion network management software is used by hundreds of thousands of organizations.
Once downloaded, the program signaled back to its operators where it had landed. In some cases where access was especially valuable, the hackers used it to deploy more active malicious software to spread across its host.
In some of the attacks, the intruders combined the administrator privileges granted to SolarWinds with Microsoft´s Azure cloud platform – which stores customers´ data online – to forge authentication ‘tokens.’ Those gave them far longer and wider access to emails and documents than many organizations thought was possible.
The Pentagon was among the SolarWinds customers who received the malicious updates. Teams are now searching DoD networks for evidence of intrusion and backdoors
Los Alamos National Laboratory, which conducts the nation’s most advanced nuclear research, was also a target in the massive cyber espionage campaign
Hackers could then steal documents through Microsoft’s Office 365, the online version of its most popular business software, the NSA said on Thursday in an unusual technical public advisory. Also on Thursday, Microsoft announced it found malicious code in its systems.
‘This is powerful tradecraft, and needs to be understood to defend important networks,’ Rob Joyce, a senior NSA cybersecurity adviser, said on Twitter.
It is unknown how or when SolarWinds was first compromised. According to researchers at Microsoft and other firms that have investigated the hack, intruders first began tampering with SolarWinds’ code as early as October 2019, a few months before it was in a position to launch an attack.
How hackers used legitimate software updates as camouflage for the ‘SUNBURST’ attack
The hack began as early as March when malicious code was snuck into updates to popular software that monitors computer networks of businesses and governments. The malware, affecting a product made by U.S. company SolarWinds, gave elite hackers remote access into an organization’s networks so they could steal information.
It wasn’t discovered until the prominent cybersecurity company FireEye determined it had been hacked. Whoever broke into FireEye was seeking data on its government clients, the company said – and made off with hacking tools it uses to probe its customers’ defenses.
Its apparent monthslong timeline gave the hackers ample time to extract information from a lot of different targets.
FireEye executive Charles Carmakal said the company was aware of ‘dozens of incredibly high-value targets’ compromised’ by the hackers and was helping ‘a number of organizations respond to their intrusions.’
He would not name any, and said he expected many more to learn in coming days that they, too, were infiltrated.
WHAT IS SOLARWINDS?
SolarWinds, of Austin, Texas, provides network-monitoring and other technical services to hundreds of thousands of organizations around the world, including most Fortune 500 companies and government agencies in North America, Europe, Asia and the Middle East.
Its compromised product, called Orion, accounts for nearly half SolarWinds’ annual revenue. The company’s revenue totaled $753.9 million over the first nine months of this year.
Its centralized monitoring looks for problems in an organization’s computer networks, which means that breaking in gave the attackers a ‘God-view’ of those networks.
HOW DID IT HAPPEN?
The US Cybersecurity and Infrastructure Security Agency on Thursday released an alert detailing what it knows about the breach, which has been called the biggest in US history.
CISA says that hackers were able to compromise the supply chain of network management software from SolarWinds, specifically recent versions of the SolarWinds Orion products.
Beginning in March 2020, hackers used SolarWinds software updates to install a secret network backdoor, which authorities are calling SUNBURST.
The malicious code was signed by the legitimate SolarWinds code signing certificate. An estimated 18,000 customers downloaded the compromised updates.
Once installed on a network, the malware used a protocol designed to mimic legitimate SolarWinds traffic to communicate with a domain that has since been seized and shut down.
The initial contact domain would often direct the malware to a new internet protocol (IP) address for command and control. The attackers used rotating IPs and virtual private servers with IP addresses in the target’s home country to make detection of the traffic more difficult.
‘Taken together, these observed techniques indicate an adversary who is skilled, stealthy with operational security, and is willing to expend significant resources to maintain covert presence,’ CISA said in the alert.
CISA said that once inside a network, the hackers seemed focused on gathering information, and would frequently target the emails of IT and security staff to monitor any countermeasures.
Without offering further details, the agency warned that the hackers used ‘other initial access vectors beyond SolarWinds Orion,’ meaning even groups that do not use the network software could be compromised.