WASHINGTON — If Russian hackers suspected of a vast cybersecurity breach slipped into the Pentagon or military’s computer systems, the strength of protective network blockades is key to keeping them from burrowing in to try to access increasing amounts of information.
Those protections — in the form of secure network connections — have to stand up to meddling to keep hackers from hopping from network to network to potentially reach sensitive communications or even weapon systems, where they could steal or alter data or cause damage, experts say. However, observers point out that this breach appears so far to be a classic espionage campaign, though with some of the most sophisticated methods seen yet.
“We certainly have a high degree of activity around that right now,” Navy CIO Aaron Weis told C4ISRNET. “We have teams who have acted upon the direct orders from Cyber Command and have executed those things. We continue to engage around that. There are internal meetings that are ongoing where we’re ensuring that we’ve put the right things in place. Absolutely it’s got our full attention.”
Overall, the Pentagon has been largely silent about the breach publicly as it works through the long process to assess fallout from the intrusion, saying early on that no breach had been detected yet, despite media reports that said the agency was among government offices compromised through widely used software from SolarWinds, a network management company.
President-elect Joe Biden has criticized the Pentagon for not briefing him and his transition team fully, challenging President Donald Trump’s assertion that the situation is under control. The Pentagon disputed the idea that it is withholding information from Biden, saying briefings will continue in early January after a break over the holidays.
According to cybersecurity company FireEye, which uncovered the breach, the access that hackers achieved has allowed the malicious actor to move further into computer networks.
Several former government cybersecurity officials told C4ISRNET that lateral movement allowing the suspected Russian hackers to dig deeper posed a worst-case scenario with a myriad of possible outcomes spiraling from there. The challenge is that the DoD’s web of systems includes legacy and modernized networks that connect to weapons systems and control systems.
“If an adversary had gotten in and moved laterally, then all the network connection points — any place you have connections between networks and those trust relationships — that becomes very difficult to defend,” said retired Rear Adm. Danelle Barrett, former deputy Navy CIO and cybersecurity division director.
“Wherever you have those trust relationships, you have to always be really careful about what is going on back and forth across that tunnel,” Barrett said.
There are potentially two worst-case dimensions to this situation, said Jan Tighe, former commander of 10th Fleet/Fleet Cyber Command and deputy chief of naval operations for information warfare.
First, cyber threat hunters must find out whether the intruder persists on the network. Job No. 1 for response teams is to cut off any existing access the trespassers might have, Tighe said. If the intrusion was an espionage campaign, DoD will have to do a damage assessment of what information was affected. If the agency can’t be sure what data and communications were accessed, leaders have to make assumptions about what the hackers may have reached, she said.
The second, more troubling question is whether hackers altered data in any way, which Tighe said could be more problematic than destroying data.
“You have data, but you don’t know if it’s really the right data in your network. Depending on what aspect of the DoD you’re in, that could be very damaging,” she explained.
Once inside, the access would depend on what system the malicious code went to through updates to the SolarWinds software. For example, an upload to an agency’s central administration systems could be damaging, allowing access to information such as user logs and system locations, said Frank Downs, former NSA analyst and director of proactive services at cybersecurity firm BlueVoyant.
If the actor entered into a central network through the SolarWinds vulnerability and found lax security on connected systems, that could cause serious problems for the department.
“It all depends on what’s on the network and the permissions on the network, but they could hop from one node to another node to another node,” Downs said. “If you have security in depth, the chances are a lot lower that they’ll be able to get much greater access, but if you are just sitting on a perimeter baseline, it’s not looking good.”
If those systems administrator privileges are vulnerable, experts said accounts could be manipulated and privileges elevated to continually allow increased access.
“They’re going get in and build all sorts of backdoors that you’re not going to be able to figure out,” Barrett said. “They’re going to be able to manipulate accounts and do things and hide their tracks. You’re not going to catch them, and they’re probably still there now.”
Communication is likely disrupted during a survey of potential network damage. Specifically, officials shouldn’t send and receive emails on the network if investigators are searching for potential compromises, Tighe said, noting that one of the first things the Cybersecurity and Infrastructure Security Agency did was tell agencies to have a different way of communicating as they coordinate the response.
There’s also more risk through the software supply chain. Another concerning scenario is if the attackers find their way into an update for a hacked company’s software, infecting still more users through those software products or even the firmware on chips or other hardware, said Greg Conti, founder at cybersecurity firm Kopidion and former chief of the U.S. Army Cyber Institute.
“This could have second, third or fourth order effects as it propagates that we’ll never know,” said Conti. “This thing could attack, spread outward, companies could remediate, and then it could loop back in through another product that was compromised.”
Authorities believe that hackers had extensive access to some government or business networks for as long as nine months. With that time, could the hackers have figured out how to jump the air gap meant to block computer system users from accessing classified systems?
“I’m speculating, but people have done amazing things where they turn a RAM in a computer into a radio transmitter [to bridge into air-gapped networks],” Conti said. “There are hundreds of counterintuitive and crazy things people have done. This is a huge thing, and there’s a nonzero chance the attackers pulled out their super-secret best capability.”
Agencies could face another problem if they use the same credentials for users on unclassified and classified portions of network, allowing hackers to steal unclassified credentials and migrate to more protected areas, Tighe pointed out. While administrators work to have different credentials for each, rare cases where they are the same are worrying.
In another scenario, subtle, hard-to-detect data manipulations could be introduced into the software of a weapon system so that it malfunctions.
However, Jamil Jaffer, founder and executive director of the National Security Institute at George Mason University, cautioned that there is no evidence that the Russians have taken that step, and it is unlikely because of the strong reaction it would likely provoke. He also noted that if the Russians were to even threaten such action, that would raise concerns.
“I’m not sure they’d even want to do that, because I think they realize if we found out they’d engaged in data manipulation or destruction, they’d be crossing a red line that would provoke a stiff response, but they might try to hold us at risk, and if they do, that’s a major problem also and might force us to get more aggressive sooner,” Jaffer said.
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.
Joe Gould is the Congress reporter for Defense News.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.