Suspected Russian hackers gained access to email accounts belonging to the Trump administration’s head of homeland security (DHS) and members of cybersecurity staff whose jobs included hunting threats from foreign countries, the Associated Press (AP) has learned.
The intelligence value of the hacking of then acting secretary Chad Wolf and his staff is not publicly known but the symbolism is stark. Their accounts were accessed in what is known as the SolarWinds intrusion, throwing into question how the US government can protect individuals, companies and institutions if it can’t protect itself.
“The SolarWinds hack was a victory for our foreign adversaries and a failure for DHS,” said Rob Portman, top Republican on the Senate homeland security committee. “We are talking about DHS’s crown jewels.”
The Biden administration has tried to keep a tight lid on the scope of the SolarWinds attack as it weighs retaliatory measures against Russia. But an inquiry by the AP found new details about the breach at DHS and other agencies, including the energy department, where hackers accessed top officials’ private schedules.
The AP interviewed more than a dozen current and former officials, who spoke on the condition of anonymity.
Tim Wade, a technical director at California-based cybersecurity firm Vectra, told the Guardian it is impossible to know precisely what information has been accessed in this breach. But while government protocols prevent sending highly classified or sensitive information over email, hackers could still have obtained plenty of valuable information.
“The concerns raised by this story should not be understated,” he said. “Even unclassified communication between sensitive parties can disclose a great deal of actionable intelligence.”
The vulnerabilities at homeland security in particular intensify the worries following the SolarWinds attack and an even more widespread hack affecting Microsoft Exchange’s email program, especially because in both cases the hackers were detected not by the government but by a private company.
In December, officials discovered a sprawling, months-long cyber-espionage effort done largely through a hack of widely used software from Texas-based SolarWinds. At least nine federal agencies were hacked, and dozens of private-sector companies.
US authorities have said the breach appears to be the work of Russian hackers. Gen Paul Nakasone, who leads the Pentagon’s cyber force, said last week the Biden administration was considering a “range of options” in response. Russia has denied any role.
Since then, a series of headline-grabbing hacks has further highlighted vulnerabilities. A hacker tried to poison the water supply of a small town in Florida in February and this month a breach was announced, involving thousands of Microsoft Exchange email servers, the company says was carried out by Chinese state hackers. China has denied involvement.
Senator Mark Warner, a Virginia Democrat and head of the Senate intelligence committee, said the government’s initial response to SolarWinds was disjointed.
“What struck me was how much we were in the dark for as long as we were in the dark,” Warner said.
One former administration official, who confirmed the Federal Aviation Administration (FAA) was among agencies affected by the breach, said the response was hampered by outdated technology. The FAA initially told the AP it had not been affected by the SolarWinds hack, only to then say it was continuing to investigate.
At least one other cabinet member was affected. The hackers were able to obtain the private schedules of officials at the energy department, including then secretary Dan Brouillette, one former official said.
DHS spokesperson Sarah Peck said “a small number of employees’ accounts were targeted in the breach” and the agency “no longer sees indicators of compromise on our networks”.
The Biden administration has pledged to issue an executive order to address “significant gaps in modernization and in technology of cybersecurity across the federal government”. But it faces highly capable foreign hackers backed by governments that aren’t afraid of US reprisals, outdated technology, a shortage of cybersecurity professionals and a complex leadership and oversight structure.
The recently approved stimulus package includes $650m for the Cybersecurity and Infrastructure Security Agency to harden cyber defenses. Federal officials said that amount is only a down payment on much bigger planned spending.
“We must raise our game,” Brandon Wales, who leads the cybersecurity agency, told a recent House hearing.
The Biden administration tapped Anne Neuberger, the deputy national security adviser for cyber and emergency technology, to respond to the SolarWinds and Microsoft breaches. It hasn’t appointed a national cyber director, frustrating some members of Congress.
“We’re trying to fight a multi-front war without anybody in charge,” said Senator Angus King, an independent from Maine.
The administration says it’s reviewing how to set up the position.
“Cybersecurity is a top priority,” said White House spokeswoman Emily Horne.
Kari Paul contributed reporting