Russia seen as likely culprit in major U.S. cyberattack. How widespread was it?

Between March and May this year, hackers broke into several U.S. federal agencies, including the one designed to fend off cyberattacks against the country, officials said Sunday. The significant breaches were only discovered recently, with Russia considered the likely culprit. Nick Schifrin spoke with Dmitri Alperovitch, a cybersecurity expert and chair of Silverado Policy Accelerator, to discuss.

  • Judy Woodruff:

    It is the most significant hack of the U.S. government in years. Multiple agencies, including the Departments of Treasury and Homeland Security, were successfully infiltrated, and the perpetrators appear to be Russia.

    Nick Schifrin reports.

  • Nick Schifrin:

    Judy, the victims include the very agency designed to protect the country from cyberattack.

    The Departments of Homeland Security, Treasury and Commerce were breached between March and May, when they downloaded an update to network administration software called SolarWinds that, unbeknownst to them, had been infected with malicious code.

    The hacks were only discovered recently. And in the last few days, government agencies and companies around the world by the thousands have rushed to figure out whether they were victims as well. And officials tell "PBS NewsHour" they suspect Russian intelligence.

    To discuss this, we're joined by Dmitri Alperovitch, co-founder of the Silverado Policy Accelerator, a Washington-based think tank.

    Dmitri Alperovitch, welcome back to the "NewsHour."

    How widespread is this? And how did it happen?

  • Dmitri Alperovitch:

    Nick, this could be one of the most consequential cyber-espionage operations we have seen to date.

    The reality is that SolarWinds, this I.T. management vendor, is used by hundreds of thousands of organizations globally, including some of the most secure agencies in the U.S. government and governments globally, some of the biggest Fortune 500 companies.

    And the fact that the Russian intelligence, as it appears, may have had access to those organizations over the course of the last nine months, since last March, is very troubling. Now, we believe that fewer than I think 100 organizations were ultimately compromised, but we may still learn over the next couple of weeks about who they may be.

  • Nick Schifrin:

    SolarWinds has so many clients, and yet it seems as if the perpetrators only used their access to steal information from a few important agencies. How significant is that fact?

  • Dmitri Alperovitch:

    I think it's really important, because we're dealing with an A-team here, some of the best in Russian intelligence, that are likely behind this.

    And what they wanted to do is really have a cherry-pick of the best targets, the most exquisite, the most hard-to-get targets that they could get through this potential vulnerability. So we may very well see some really groundbreaking announcements in the coming days about who may have been behind — who may have been hit by this attack.

  • Nick Schifrin:

    And is that selectivity, if you will, by the perpetrators, is that why it's taken so long to detect them?

  • Dmitri Alperovitch:

    It is.

    They were very stealthy. Their operational tradecraft was phenomenal, and they wanted to make sure that they could use this access through this backdoor in SolarWinds for as long as possible, while remaining undetected.

  • Nick Schifrin:

    The attack is believed to have been perpetrated by the SVR, the equivalent of the CIA in Russia, and not by Russia's military intelligence, the GRU, which, of course, hacked and leaked in 2016.

    Why is that distinction important?

  • Dmitri Alperovitch:

    It is really important because the GRU, of course, has been responsible for a number of very destructive attacks, including the most destructive attack in history known as NotPetya that compromised companies like FedEx and Merck and Maersk in 2017.

    And the fact of the matter is that SVR is not known to do destructive operations. They do traditional espionage. They steal data for the purposes of informing their decision-makers in Russia. So, while this is really bad, we have to be thankful that this wasn't a destructive attack.

  • Nick Schifrin:

    Just because we know how they got in, does that make it easy to get them out?

  • Dmitri Alperovitch:

    Yes. Luckily, we know the intrusion vectors, so now the indicators are out there.

    CISA, the Cybersecurity Agency in the federal government, has directed all U.S. agencies to shut down SolarWinds if they have this particular version that's been compromised until a patch is out. So, every organization out there should be following that advice, whether you're in the government or not, and using the indicators to determine if they have actually been hit by those hackers.

  • Nick Schifrin:

    Dmitri Alperovitch, thank you very much.

  • Dmitri Alperovitch:

    Thank you.