SIM Report: North America, Issue 10
On 5 January, four US intelligence and national security agencies issued a rare joint statement attributing a recent multi-agency cyberattack to an Advanced Persistent Threat (APT) actor of ‘likely’ Russian origin. The statement, co-authored by the FBI, National Security Agency (NSA), Office of the Director of National Intelligence (DNI), and Cybersecurity and Infrastructure Security Agency (CISA), said the attack was ‘ongoing’ and appeared to be for ‘intelligence gathering’ purposes. The agencies described the attack as a ‘serious compromise’ affecting fewer than 10 government agencies, and said that the intrusion would take a ‘sustained and dedicated effort to remediate’.
The statement signals a high degree of confidence among the intelligence and security communities that Russian actors were behind the large attack, details of which were first made public over the weekend of 12-13 December. At the time of its discovery, hackers had reportedly been able to penetrate network management software produced by Texas-based company SolarWinds for seven months, with the hack affecting government agencies, defence contractors and other private firms, including telecommunications companies that used the popular software. Among the government agencies reportedly penetrated were the departments of Treasury, Commerce, State, Energy, and Homeland Security, while tech giant Microsoft also reported breaches of its network. The full extent of the attack has yet to emerge from official statements and media reports; however, lawmakers have confirmed that dozens of Treasury Department emails had been compromised and that systems used by high-ranking Treasury officials had been accessed.
While former president Donald Trump had cast doubt on initial speculation that the hack had been carried out by Russian actors, instead suggesting that it may have been ordered by China, responsibility for the US government’s response has now shifted to President Joe Biden. In comments on 17 December, prior to taking office, Biden noted that his administration would seek to ‘disrupt and deter’ adversaries from carrying out offensive cyber activities, and that those responsible for cyberattacks against the US would face ‘substantial costs’. Moreover, Biden stressed that Washington would work together with its allies and partners in response to hostile cyber activities. Biden’s comments, alongside his wider stated commitments to boost multilateralism and coordinate with allied countries as president, indicate that his administration will pursue a more deliberative approach to hostile cyber activities. This is likely to manifest in Washington appealing to allies for coordinated retaliation against countries deemed responsible for cyberattacks, while the US is also more likely to support retaliation on behalf of victimised allies.
Despite the recent transfer of power in Washington, the core state and state-backed cyberthreats to the US remain unaltered. Longstanding adversaries, including Russia, Iran, and North Korea, continue to wield potent offensive cyber capabilities able to degrade US systems, while the US’s growing geostrategic rivalry with China means that government and corporate entities face an increasing number and complexity of cyber threats. Organisations with interests in US public and private sector cybersecurity should monitor updates and actions of the Biden administration and assess how evolving geopolitical rivalries affect the threat landscape. IT infrastructure should be regularly updated to minimise the risk of breaches, while staff should be assisted in identifying suspicious content and communications.