The Hack Roundup: White House Says Neuberger Leading Federal Response

A spokeswoman for the National Security Council disputed Congressional intelligence leaders’ characterization of the federal response to widespread unauthorized intrusion into federal and private-sector networks as leaderless, saying Deputy National Security Advisor Anne Neuberger has been in charge of coordinating the effort. 

On Tuesday, the chair and ranking member of the Senate Select Intelligence Committee sent a letter to the heads of agencies making up the Unified Coordination Group and urged them to choose a leader. 

“The briefings we have received convey a disjointed and disorganized response to confronting the breach,” reads the letter to Director of National Intelligence Avril Haines, National Security Agency Director Gen. Paul Nakasone, Federal Bureau of Investigation Director Christopher Wray, and Cybersecurity and Infrastructure Security Agency Acting Director Brandon Wales. 

“Taking a federated rather than a unified approach means that critical tasks that are outside the central roles of your respective agencies are likely to fall through the cracks,” wrote Sens. Mark Warner, D-Va., and Marco Rubio, R-Fla. “The threat our country still faces from this incident needs clear leadership to develop and guide a unified strategy for recovery, in particular a leader who has the authority to coordinate the response, set priorities, and direct resources to where they are needed.”

Just hours later, The New York Times reported, National Security Council spokeswoman Emily Horne said Neuberger “since day one” has been running an interagency process on the hacking campaign, which used software from ubiquitous IT management company SolarWinds and other attack vectors.

Politico’s Eric Geller tweeted a statement from Horne Wednesday noting three lines of effort: remediating compromised federal agencies, identifying issues with the government’s incident response and partnership with the private sector—which could include executive actions—and launching a study of lessons learned to prevent similar events in the future. 

“We do have a leader for our SolarWinds response,” the statement reads. “In the first weeks of the Biden administration, DNSA Neuberger has held a series of consultations with both Democratic and Republican members of Congress on our approach to SolarWinds specifically,  and our cybersecurity strategy broadly. We look forward to continuing to work with Congress on these issues.”  

Rubio and Warner released a new statement Wednesday evening responding to the news: “The federal government’s response to date to the SolarWinds breach has lacked the leadership and coordination warranted by a significant cyber event, so it is welcome news that the Biden administration has selected Anne Neuberger to lead the response. The committee looks forward to getting regular briefings from Ms. Neuberger and working with her to ensure we fully confront and mitigate this incident as quickly as possible.”

Participating in a meeting of the president’s National Security Telecommunications Advisory Committee Wednesday, Neuberger shared more details about how she plans to respond to the hack and the larger cybersecurity strategy. 

“When I think about what my priorities are, what do I need to ensure we're investing time and effort into it, it’s to use the phrase to ‘build back better’ from the SolarWinds incident with modernized defenses in cyberspace,” she said, referring to the Biden campaign slogan.

The Biden administration invoked the SolarWinds breaches in proposing $9 billion for the Technology Modernization Fund and “rapid hiring” of cybersecurity talent.  

Overall, Neuberger said the administration’s strategy would focus on measurable outcomes to prevent incidents like the recent hack of a Florida water treatment plant. She said it would include NSTAC recommendations to accelerate the adoption of cybersecurity guidelines, promote software and supply chain assurance, and ensure youth leadership in key emerging technologies. 

There would also be a redoubling of international engagement toward collaborating on emerging technology, negotiating norms for responsible state behavior and establishing military relationships through U.S. Cyber Command, she said.

On Feb. 4, during a question and answer session with SolarWinds CEO Sudhakar Ramakrishna, SolarWinds consultant Alex Stamos attributed the hacking campaign to the Russian Foreign Intelligence Service, or SVR. 

“What we are talking about here since mid-December has been a discussion of an intrusion into at least dozens, probably hundreds of American businesses and government agencies by an organization called the SVR,” he said. 

In another session of the same event later that day, Stamos sought to reinforce his position saying, “a number of other agencies and private groups have attributed the campaign that we, that SolarWinds, found themselves a part of, to the SVR, the Foreign Intelligence Service of Russia."

The Unified Coordination Group has said the hack appears to be an intelligence-gathering mission and is “likely Russian in origin.” Stamos’ firm, the Krebs Stamos Group, did not respond to a request for comment on what “private groups” he was referring to. On Feb. 5, a spokesperson for SolarWinds told Nextgov the firm itself was not making any attribution. 

The SolarWinds spokesperson also said the company is “absolutely” considering whether phishing or other common methods of obtaining credentials created the initial access point into their networks. A blog the company published Feb. 3 noted suspicious activity in its Microsoft Office 365 environment but said “our investigation has not identified a specific vulnerability in Office 365 that would have allowed the threat actor to enter our environment through Office 365.”

On Feb. 4, Microsoft addressed a series of questions about its place amid the hack, stressing that “data hosted in Microsoft services (including email) was sometimes a target in the incidents, but the attacker had gained privileged credentials in some other way.”

Sen. Ron Wyden, D-Ore., is asking why Microsoft didn’t take steps earlier to help their customers defend against a token-forging tactic used in the campaign which FireEye had warned about years ago. His questions, which the Washington Post reported Tuesday, raise the issue of how the encryption keys necessary to pull off such an attack should be stored.  

“I want to know why Microsoft didn’t provide its customers with tools to better protect and detect the theft of encryption keys, and why government agencies failed to deploy their own defenses,” Wyden told the Post. “I’m also interested in what steps FireEye took to warn Microsoft, its customers and the U.S. government about a vulnerability it knew about nearly two years ago.”

The Post reported Microsoft saying in a Dec. 20 post that its Defender software was updated to detect the tool—called [Azure Directory Federated Services] Dump—used in such attacks. Microsoft said this was “the initial tool used” in the hacking campaign, according to the story, but then updated the post with a less specific description after the paper’s inquiry to FireEye.

On Monday, Bleeping Computer reported Microsoft’s intention to start alerting its customers to suspected nation-state hacking activity. 

The Cybersecurity and Infrastructure Security Agency released analyses of the SUNBURST and TEARDROP malware the hackers used, emphasizing the lengths they went through to avoid detection and recommending best practices for organizations to strengthen their security posture against the malicious tools.