2020 United States federal government data breach

In 2020, a major cyberattack suspected to have been committed by a group backed by the Russian government penetrated thousands of organizations globally including multiple parts of the United States federal government, leading to a series of data breaches. The cyberattack and data breach were reported to be among the worst cyber-espionage incidents ever suffered by the U.S., due to the sensitivity and high profile of the targets and the long duration (eight to nine months) in which the hackers had access. Within days of its discovery, at least 200 organizations around the world had been reported to be affected by the attack, and some of these may also have suffered data breaches. Affected organizations worldwide included NATO, the U.K. government, the European Parliament, Microsoft and others.

The attack, which had gone undetected for months, was first publicly reported on December 13, 2020, and was initially only known to have affected the U.S. Treasury Department and the National Telecommunications and Information Administration (NTIA), part of the U.S. Department of Commerce. In the following days, more departments and private organizations reported breaches.

The cyberattack that led to the breaches began no later than March 2020. The attackers exploited software or credentials from at least three U.S. firms: Microsoft, SolarWinds, and VMware. A supply chain attack on Microsoft cloud services provided one way for the attackers to breach their victims, depending upon whether the victims had bought those services through a reseller. A supply chain attack on SolarWinds's Orion software, widely used in government and industry, provided another avenue, if the victim used that software. Flaws in Microsoft and VMware products allowed the attackers to access emails and other documents,   and to perform federated authentication across victim resources via single sign-on infrastructure.

In addition to the theft of data, the attack caused costly inconvenience to tens of thousands of SolarWinds customers, who had to check whether they had been breached, and had to take systems offline and begin months-long decontamination procedures as a precaution. U.S. Senator Richard J. Durbin described the cyberattack as tantamount to a declaration of war. President Donald Trump was silent for days after the attack, before suggesting that China, not Russia, might have been responsible for it, and that "everything is well under control".

Background
SolarWinds, a Texas-based provider of network monitoring software to the U.S. federal government, had shown several security shortcomings prior to the attack. SolarWinds did not employ a chief information security officer or senior director of cybersecurity. Cybercriminals had been selling access to SolarWinds's infrastructure since at least as early as 2017. SolarWinds had been advising customers to disable antivirus tools before installing SolarWinds software. In November 2019, a security researcher had warned SolarWinds that their FTP server was not secure, warning that "any hacker could upload malicious [files]" that would then be distributed to SolarWinds customers. Furthermore, SolarWinds's Microsoft Office 365 account had been compromised, with the attackers able to access emails and possibly other documents.

On December 7, 2020, a few days before trojaned SolarWinds software was publicly confirmed to have been used to attack other organizations, longstanding SolarWinds CEO Kevin Thompson retired. That same day, two private equity firms with ties to SolarWinds's board sold substantial amounts of stock in SolarWinds. The firms denied insider trading.

Methodology
Multiple attack vectors were used in the course of breaching the various victims of the incident.

Microsoft exploits
"If you think about data that is only available to the CEO, or data that is only available to IT services, [the attacker would get] all of this data."

The attackers exploited flaws in Microsoft products, services, and software distribution infrastructure.

At least one reseller of Microsoft cloud services was compromised by the attackers, constituting a supply chain attack that allowed the attackers to access Microsoft cloud services used by the reseller's customers.

Alongside this, "Zerologon", a vulnerability in the Microsoft authentication protocol NetLogon, allowed attackers to access all valid usernames and passwords in each Microsoft network that they breached. This allowed them to access additional credentials necessary to assume the privileges of any legitimate user of the network, which in turn allowed them to compromise Microsoft Office 365 email accounts.

Additionally, a flaw in Microsoft's Outlook Web App may have allowed attackers to bypass multi-factor authentication.

Attackers were found to have broken into Microsoft Office 365 in a way that allowed them to monitor NTIA and Treasury staff emails for several months. This attack apparently used counterfeit identity tokens of some kind, allowing the attackers to trick Microsoft's authentication systems. The presence of single sign-on infrastructure increased the viability of the attack.

SolarWinds exploit
"This is classic espionage. It's done in a highly sophisticated way... But this is a stealthy operation."

Here, too, the attackers used a supply chain attack. The attackers accessed the build system belonging to the software company SolarWinds, possibly via SolarWinds's Microsoft Office 365 account, which had also been compromised at some point.

The attackers established a foothold in SolarWinds's software publishing infrastructure no later than September 2019. In the build system, the attackers surreptitiously modified software updates provided by SolarWinds to users of its network monitoring software Orion. The first known modification, in October 2019, was merely a proof of concept. Once the proof had been established, the attackers spent December 2019 to February 2020 setting up a command-and-control infrastructure.

In March 2020, the attackers began to plant remote access tool malware into Orion updates, thereby trojaning them. These users included U.S. government customers in the executive branch, the military, and the intelligence services (see Impact section, below). If a user installed the update, this would execute the malware payload, which would stay dormant for 12–14 days before attempting to communicate with one or more of several command-and-control servers. The communications were designed to mimic legitimate SolarWinds traffic. If able to contact one of those servers, this would alert the attackers of a successful malware deployment and offer the attackers a back door that the attackers could choose to utilize if they wished to exploit the system further. The malware started to contact command-and-control servers in April 2020, initially from North America and Europe and subsequently from other continents too.

The attackers appear to have utilized only a small fraction of the successful malware deployments: ones located within computer networks belonging to high-value targets. Once inside the target networks, the attackers pivoted, installing exploitation tools such as Cobalt strike components, and seeking additional access. Because Orion was connected to customers' Office 365 accounts as a trusted 3rd-party application, the attackers were able to access emails and other confidential documents. This access apparently helped them to hunt for certificates that would let them sign SAML tokens, allowing them to masquerade as legitimate users to additional on-premises services and to cloud services like Microsoft Azure Active Directory. Once these additional footholds had been obtained, disabling the compromised Orion software would no longer be sufficient to sever the attackers' access to the target network. Having accessed data of interest, they encrypted and exfiltrated it.

The attackers hosted their command-and-control servers on commercial cloud services from Amazon, Microsoft, GoDaddy and others. By using command-and-control IP addresses based in the U.S., and because much of the malware involved was new, the attackers were able to evade detection by Einstein, a national cybersecurity system operated by the Department of Homeland Security (DHS).

FBI investigators in February 2021 found that a separate flaw in software made by SolarWinds Corp was used by hackers tied to another foreign government to help break into U.S. government computers.

VMware exploits
Vulnerabilities in VMware Access and VMware Identity Manager, allowing existing network intruders to pivot and gain persistence, were utilized in 2020 by Russian state-sponsored attackers. As of December 18, 2020, while it was definitively known that the SUNBURST trojan would have provided suitable access to exploit the VMware bugs, it was not yet definitively known whether attackers had in fact chained those two exploits in the wild.

Microsoft exploits
During 2019 and 2020, cybersecurity firm Volexity discovered an attacker making suspicious usage of Microsoft products within the network of a think tank whose identity has not publicly been revealed. The attacker exploited a vulnerability in the organization's Microsoft Exchange Control Panel, and used a novel method to bypass multi-factor authentication. Later, in June and July 2020, Volexity observed the attacker utilizing the SolarWinds Orion trojan; i.e. the attacker used Microsoft vulnerabilities (initially) and SolarWinds supply chain attacks (later on) to achieve their goals. Volexity said it was not able to identify the attacker.

Also in 2020, Microsoft detected attackers using Microsoft Azure infrastructure in an attempt to access emails belonging to CrowdStrike. That attack failed because - for security reasons - CrowdStrike does not use Office 365 for email.

Separately, in or shortly before October 2020, Microsoft Threat Intelligence Center reported that an apparently state-sponsored attacker had been observed exploiting zerologon, a vulnerability in Microsoft's NetLogon protocol. This was reported to CISA, who issued an alert on October 22, 2020, specifically warning state, local, territorial and tribal governments to search for indicators of compromise, and instructing them to rebuild their networks from scratch if compromised. Using VirusTotal, The Intercept discovered continued indicators of compromise in December 2020, suggesting that the attacker might still be active in the network of the city government of Austin, Texas.

SolarWinds exploit
On December 8, 2020, the cybersecurity firm FireEye announced that red team tools had been stolen from it by what it believed to be a state-sponsored attacker. FireEye was believed to be a target of the SVR, Russia's Foreign Intelligence Service. FireEye says that it discovered the SolarWinds supply chain attack in the course of investigating FireEye's own breach and tool theft.

After discovering that attack, FireEye reported it to the U.S. National Security Agency (NSA), a federal agency responsible for helping to defend the U.S. from cyberattacks. The NSA is not known to have been aware of the attack before being notified by FireEye. The NSA uses SolarWinds software itself.

Some days later, on December 13, when breaches at the Treasury and Department of Commerce were publicly confirmed to exist, sources said that the FireEye breach was related. On December 15, FireEye confirmed that the vector used to attack the Treasury and other government departments was the same one that had been used to attack FireEye: a trojaned software update for SolarWinds Orion.

The security community shifted its attention to Orion. The infected versions were found to be 2019.4 through 2020.2.1 HF1, released between March 2020 and June 2020. FireEye named the malware SUNBURST. Microsoft called it Solorigate. The tool that the attackers used to insert SUNBURST into Orion updates was later isolated by cybersecurity firm CrowdStrike, who called it SUNSPOT.

Subsequent analysis of the SolarWinds compromise using DNS data and reverse engineering of Orion binaries, by DomainTools and ReversingLabs respectively, revealed additional details about the attacker's timeline.

July 2021 analysis published by the Google Threat Analysis Group found that a "likely Russian government-backed actor" exploited a zero-day vulnerability in fully-updated iPhones to steal authentication credentials by sending messages to government officials on LinkedIn.

VMware exploits
Some time before December 3, 2020, the NSA discovered and notified VMware of vulnerabilities in VMware Access and VMware Identity Manager. VMware released patches on December 3, 2020. On December 7, 2020, the NSA published an advisory warning customers to apply the patches because the vulnerabilities were being actively exploited by Russian state-sponsored attackers.

Conclusions by investigators
SolarWinds said it believed the malware insertion into Orion was performed by a foreign nation. Russian-sponsored hackers were suspected to be responsible. U.S. officials stated that the specific groups responsible were probably the SVR or Cozy Bear (also known as APT29). FireEye gave the suspects the placeholder name "UNC2452"; incident response firm Volexity called them "Dark Halo". On December 23, 2020, the CEO of FireEye said Russia was the most likely culprit and the attacks were "very consistent" with the SVR. One security researcher offers the likely operational date, February 27, 2020, with a significant change of aspect on October 30, 2020.

In January 2021, cybersecurity firm Kaspersky said SUNBURST resembles the malware Kazuar, which is believed to have been created by Turla,  a group known from 2008 that Estonian intelligence previously linked to the Russian federal security service, FSB.

Statements by U.S. government officials
On October 22, 2020, CISA and the FBI identified the Microsoft zerologon attacker as Berserk Bear, a state-sponsored group believed to be part of Russia's FSB.

On December 18, U.S. Secretary of State Mike Pompeo said Russia was "pretty clearly" responsible for the cyber attack.

On December 19, U.S. president Donald Trump publicly addressed the attacks for the first time, downplaying its severity and suggesting without evidence that China, rather than Russia, might be responsible. The same day, Republican senator Marco Rubio, acting chair of the Senate Intelligence Committee, said it was "increasingly clear that Russian intelligence conducted the gravest cyber intrusion in our history."

On December 20, Democratic senator Mark Warner, briefed on the incident by intelligence officials, said "all indications point to Russia."

On December 21, 2020, former Attorney General William Barr said that he agreed with Pompeo's assessment of the origin of the cyberhack and that it "certainly appears to be the Russians," contradicting Trump.

On January 5, 2021, CISA, the FBI, the NSA, and the Office of the Director of National Intelligence, all confirmed that they believe Russia was the most likely culprit. On June 10, 2021, FBI Director Christopher Wray attributed the attack to Russia's SVR specifically.

Denial of involvement
The Russian government said that it was not involved.

The Chinese foreign ministry said in a statement, "China resolutely opposes and combats any form of cyberattacks and cyber theft."

Impact
SolarWinds said that of its 300,000 customers, 33,000 use Orion. Of these, around 18,000 government and private users downloaded compromised versions.

Discovery of the breaches at the U.S. Treasury and Commerce Departments immediately raised concerns that the attackers would attempt to breach other departments, or had already done so. Further investigation proved these concerns to be well-founded. Within days, additional federal departments were found to have been breached. Reuters quoted an anonymous U.S. government source as saying: “This is a much bigger story than one single agency. This is a huge cyber espionage campaign targeting the U.S. government and its interests.”

Compromised versions were known to have been downloaded by the Centers for Disease Control and Prevention, the Justice Department, and some utility companies. Other prominent U.S. organizations known to use SolarWinds products, though not necessarily Orion, were the Los Alamos National Laboratory, Boeing, and most Fortune 500 companies. Outside the U.S., reported SolarWinds clients included parts of the British government, including the Home Office, National Health Service, and signals intelligence agencies; the North Atlantic Treaty Organization (NATO); the European Parliament; and likely AstraZeneca. FireEye said that additional government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East may also have been affected.

Through a manipulation of software keys, the hackers were able to access the email systems used by the Treasury Department's highest-ranking officials. This system, although unclassified, is highly sensitive because of the Treasury Department's role in making decisions that move the market, as well as decisions on economic sanctions and interactions with the Federal Reserve.

Simply downloading a compromised version of Orion was not necessarily sufficient to result in a data breach; further investigation was required in each case to establish whether a breach resulted. These investigations were complicated by: the fact that the attackers had in some cases removed evidence; the need to maintain separate secure networks as organizations' main networks were assumed to be compromised; and the fact that Orion was itself a network monitoring tool, without which users had less visibility of their networks. As of mid-December 2020, those investigations were ongoing.

As of mid-December 2020, U.S. officials were still investigating what was stolen in the cases where breaches had occurred, and trying to determine how it could be used. Commentators said that the information stolen in the attack would increase the perpetrator's influence for years to come. Possible future uses could include attacks on hard targets like the CIA and NSA, or using blackmail to recruit spies. Cyberconflict professor Thomas Rid said the stolen data would have myriad uses. He added that the amount of data taken was likely to be many times greater than during Moonlight Maze, and if printed would form a stack far taller than the Washington Monument.

Even where data was not exfiltrated, the impact was significant. The Cybersecurity and Infrastructure Security Agency (CISA) advised that affected devices be rebuilt from trusted sources, and that all credentials exposed to SolarWinds software should be considered compromised and should therefore be reset. Anti-malware companies additionally advised searching log files for specific indicators of compromise.

However, it appeared that the attackers had deleted or altered records, and may have modified network or system settings in ways that could require manual review. Former Homeland Security Advisor Thomas P. Bossert warned that it could take years to evict the attackers from US networks, leaving them able to continue to monitor, destroy or tamper with data in the meantime. Harvard's Bruce Schneier, and NYU's Pano Yannakogeorgos, founding dean of the Air Force Cyber College, said that affected networks may need to be replaced completely.

The Justice Department disclosed in July 2021 that 27 of its federal prosecutors' offices around the country had been affected, including 80% of Microsoft email accounts breached in four New York offices. Two of the offices, in Manhattan and Brooklyn, handle many prominent investigations of white-collar crime, as well as of people close to former president Trump.

Technology companies and business
On December 8, 2020, before other organizations were known to have been breached, FireEye published countermeasures against the red team tools that had been stolen from FireEye.

On December 15, 2020, Microsoft announced that SUNBURST, which only affects Windows platforms, had been added to Microsoft's malware database and would, from December 16 onwards, be detected and quarantined by Microsoft Defender.

GoDaddy handed ownership to Microsoft of a command-and-control domain used in the attack, allowing Microsoft to activate a killswitch in the SUNBURST malware, and to discover which SolarWinds customers were infected.

On December 14, 2020, the CEOs of several American utility companies convened to discuss the risks posed to the power grid by the attacks. On December 22, 2020, the North American Electric Reliability Corporation asked electricity companies to report their level of exposure to SolarWinds software.

SolarWinds unpublished its featured customer list after the hack, although as of December 15, cybersecurity firm GreyNoise Intelligence said SolarWinds had not removed the infected software updates from its distribution server.

Around January 5, 2021, SolarWinds investors filed a class action lawsuit against the company in relation to its security failures and subsequent fall in share price. Soon after, SolarWinds hired a new cybersecurity firm co-founded by Krebs.

The Linux Foundation pointed out that if Orion had been open source, users would have been able to audit it, including via reproducible builds, making it much more likely that the malware payload would have been spotted.

U.S. government
On December 18, 2020, U.S. Secretary of State Mike Pompeo said that some details of the event would likely be classified so as not to become public.

Security agencies
On December 12, 2020, a National Security Council (NSC) meeting was held at the White House to discuss the breach of federal organizations. On December 13, 2020, CISA issued an emergency directive asking federal agencies to disable the SolarWinds software, to reduce the risk of additional intrusions, even though doing so would reduce those agencies' ability to monitor their computer networks. The Russian government said that it was not involved in the attacks.

On December 14, 2020, the Department of Commerce confirmed that it had asked the CISA and the FBI to investigate. The NSC activated Presidential Policy Directive 41, an Obama-era emergency plan, and convened its Cyber Response Group. The U.S. Cyber Command threatened swift retaliation against the attackers, pending the outcome of investigations.

The DOE helped to compensate for a staffing shortfall at CISA by allocating resources to help the Federal Energy Regulatory Commission (FERC) recover from the cyberattack. The FBI, CISA, and the Office of the Director of National Intelligence (ODNI) formed a Cyber Unified Coordination Group (UCG) to coordinate their efforts.

On December 24, 2020, CISA said state and local government networks, in addition to federal ones, and other organizations, had been impacted by the attack, but did not provide further details.

The Cyber Safety Review Board did not investigate the underlying weakness.

Congress
The Senate Armed Services Committee's cybersecurity subcommittee was briefed by Defense Department officials. The House Committee on Homeland Security and House Committee on Oversight and Reform announced an investigation. Marco Rubio, acting chair of the Senate Intelligence Committee, said the U.S. must retaliate, but only once the perpetrator is certain. The committee's vice-chairman, Mark Warner, criticized President Trump for failing to acknowledge or react to the hack.

Senator Ron Wyden called for mandatory security reviews of software used by federal agencies.

On December 22, 2020, after U.S. Treasury Secretary Steven Mnuchin told reporters that he was "completely on top of this", the Senate Finance Committee was briefed by Microsoft that dozens of Treasury email accounts had been breached, and the attackers had accessed systems of the Treasury's Departmental Offices division, home to top Treasury officials. Senator Wyden said that the briefing showed that the Treasury "still does not know all of the actions taken by hackers, or precisely what information was stolen".

On December 23, 2020, Senator Bob Menendez asked the State Department to end its silence about the extent of its breach, and Senator Richard Blumenthal asked the same of the Veterans Administration.

The judiciary
The Administrative Office of the United States Courts initiated an audit, with DHS, of the U.S. Judiciary's Case Management/Electronic Case Files (CM/ECF) system. It stopped accepting highly sensitive court documents to the CM/ECF, requiring those instead to be accepted only in paper form or on airgapped devices.

President Trump
President Donald Trump made no comment on the hack for days after it was reported, leading Senator Mitt Romney to decry his "silence and inaction". On December 19, Trump publicly addressed the attacks for the first time; he downplayed the hack, contended that the media had overblown the severity of the incident, said that "everything is well under control"; and proposed, without evidence, that China, rather than Russia, might be responsible for the attack. Trump then pivoted to insisting that he had won the 2020 presidential election. He speculated, without evidence, that the attack might also have involved a "hit" on voting machines, part of a long-running campaign by Trump to falsely assert that he won the 2020 election. Trump's claim was rebutted by former CISA director Chris Krebs, who pointed out that Trump's claim was not possible. Adam Schiff, chair of the House Intelligence Committee, described Trump's statements as dishonest, calling the comment a "scandalous betrayal of our national security" that "sounds like it could have been written in the Kremlin."

Former Homeland Security Advisor Thomas P. Bossert said, "President Trump is on the verge of leaving behind a federal government, and perhaps a large number of major industries, compromised by the Russian government," and noted that congressional action, including via the National Defense Authorization Act would be required to mitigate the damage caused by the attacks.

President Biden
Then president-elect Joe Biden said he would identify and penalize the attackers. Biden's incoming chief of staff, Ron Klain, said the Biden administration's response to the hack would extend beyond sanctions. On December 22, 2020, Biden reported that his transition team was still being denied access to some briefings about the attack by Trump administration officials.

In January 2021, Biden named appointees for two relevant White House positions: Elizabeth Sherwood-Randall as homeland security adviser, and Anne Neuberger as deputy national security adviser for cyber and emerging technology.

In March 2021, the Biden administration expressed growing concerns over the hack, and White House Press Secretary Jen Psaki called it “an active threat”. Meanwhile The New York Times reported that the US government was planning economic sanctions as well as "a series of clandestine actions across Russian networks" in retaliation.

On April 15, 2021, the United States expelled 10 Russian diplomats and issued sanctions against 6 Russian companies that support its cyber operations, as well as 32 individuals and entities for their role in the hack and in Russian interference in the 2020 United States elections.

Rest of the world
NATO said that it was "currently assessing the situation, with a view to identifying and mitigating any potential risks to our networks." On December 18, the United Kingdom National Cyber Security Centre said that it was still establishing the attacks' impact on the UK. The UK and Irish cybersecurity agencies published alerts targeting SolarWinds customers.

On December 23, 2020, the UK Information Commissioner's Office – a national privacy authority – told UK organizations to check immediately whether they were impacted.

On December 24, 2020, the Canadian Centre for Cyber Security asked SolarWinds Orion users in Canada to check for system compromises.

Cyber espionage or cyberattack?
The attack prompted a debate on whether the hack should be treated as cyber espionage, or as a cyberattack constituting an act of war. Most current and former U.S. officials considered the 2020 Russian hack to be a "stunning and distressing feat of espionage" but not a cyberattack because the Russians did not appear to destroy or manipulate data or cause physical damage (for example, to the electrical grid). Erica Borghard of the Atlantic Council and Columbia's Saltzman Institute and Jacquelyn Schneider of the Hoover Institution and Naval War College argued that the breach was an act of espionage that could be responded to with "arrests, diplomacy, or counterintelligence" and had not yet been shown to be a cyberattack, a classification that would legally allow the U.S. to respond with force. Law professor Jack Goldsmith wrote that the hack was a damaging act of cyber-espionage but "does not violate international law or norms" and wrote that "because of its own practices, the U.S. government has traditionally accepted the legitimacy of foreign governmental electronic spying in U.S. government networks." Law professor Michael Schmitt concurred, citing the Tallinn Manual.

By contrast, Microsoft president Brad Smith termed the hack a cyberattack, stating that it was "not 'espionage as usual,' even in the digital age" because it was "not just an attack on specific targets, but on the trust and reliability of the world's critical infrastructure." U.S. Senator Richard J. Durbin (D-IL) described the attack as tantamount to a declaration of war.

Debate on possible U.S. responses
Writing for Wired, Borghard and Schneider opined that the U.S. "should continue to build and rely on strategic deterrence to convince states not to weaponize the cyber intelligence they collect". They also stated that because deterrence may not effectively discourage cyber-espionage attempts by threat actors, the U.S. should also focus on making cyber-espionage less successful through methods such as enhanced cyber-defenses, better information-sharing, and "defending forward" (reducing Russian and Chinese offensive cyber-capabilities).

Writing for The Dispatch, Goldsmith wrote that the failure of defense and deterrence strategies against cyber-intrusion should prompt consideration of a "mutual restraint" strategy, "whereby the United States agrees to curb certain activities in foreign networks in exchange for forbearance by our adversaries in our networks."

Cybersecurity author Bruce Schneier advocated against retaliation or increases in offensive capabilities, proposing instead the adoption of a defense-dominant strategy and ratification of the Paris Call for Trust and Security in Cyberspace or the Global Commission on the Stability of Cyberspace.

In the New York Times, Paul Kolbe, former CIA agent and director of the Intelligence Project at Harvard's Belfer Center for Science and International Affairs, echoed Schneier's call for improvements in the U.S.'s cyberdefenses and international agreements. He also noted that the US is engaged in similar operations against other countries in what he described as an ambient cyber-conflict.