KTEP - El Paso, Texas

The 'Mega-Hack' Revealed This Week Has Been Raging Since March

Dec 20, 2020
Originally published on December 20, 2020 10:23 pm

NPR's Lulu Garcia-Navarro speaks with Thomas Rid of Johns Hopkins School of Advanced International Studies about Russia's alleged hack on the U.S. government and tech companies.

Copyright 2021 NPR. To see more, visit https://www.npr.org.


Even though you can't exactly see it right this very minute, the United States is under attack. It is a megahack. That's at least how some experts are describing the massive breach of government and business computers revealed this past week. And it is very serious. Joining us now to discuss this is Thomas Rid. He is a political science professor at the Johns Hopkins School of Advanced International Studies, and he specializes in cybersecurity issues.

Welcome to the program.

THOMAS RID: Hi. Good morning, Lulu.

GARCIA-NAVARRO: Good morning. Can you give us a sense of the scope of this attack? Just how bad is it?

RID: Yeah, the attack is - actually, we shouldn't call it attack. It's an old-school espionage campaign with new tools - is widespread. So we know currently of 40 compromised high-value targets, especially government agencies, but there might be as many as 18,000 targets. It's actually really hard to get the specific number but a fair amount of targets.

GARCIA-NAVARRO: What kinds of things were the hackers seeking out?

RID: This looks to be a classic political and military espionage campaign, and it doesn't look like commercial espionage. So this is - they would be looking at just information from the Department of Defense networks, weapons systems, potentially. Scientific research at the NIH allegedly is one of the targets - so, you know, really old-school espionage in terms of the files that they went after.

GARCIA-NAVARRO: All right. Who is behind this? We have Secretary of State Mike Pompeo saying it was Russia, President Trump saying that it might not be; perhaps it was China. Experts do think it was done by a nation-state. You are an expert. What are your thoughts?

RID: It appears from the type - from the MO - from the method of operation - and from the specific tools and behaviors that we see that reportedly this is a Russian foreign intelligence agency, SVR. And this would be the counterpart - Russian counterpart to CIA. And apparently, they - you know, they were very disciplined. They prepared this well. The campaign started in mid - or approximately mid-2019. And only late in the game, they went after security companies and therefore bringing up the risk that they would be discovered by one of these security companies, which indeed happened.

GARCIA-NAVARRO: So this has been going on for a long time. You say it was Russia, but there has been a lot put in place to protect against this. So how did they manage to pull it off?

RID: This is a clever technique that they used here. It's called a supply chain compromise - in this case, a software supply chain compromise - meaning you breach and compromise one product - SolarWinds here - that is used by a lot of high-value targets. So you - by getting into one of these products, you can then get into many targets. Important here to really understand this - that this is - why not call it an attack? Well, because the U.S. intelligence community and its partners are doing comparable operations against their adversaries. This one was just particularly brazen and particularly well-executed.

GARCIA-NAVARRO: I want to press you a little bit on this because, you know, we do understand this as something called cyberwarfare. It's a term commonly used. You're sort of suggesting that this is business as usual.

RID: It's business as usual but business - more aggressive than business as usual. But it's not cyberwarfare. It's not a military operation. They didn't do this for effect. They didn't delete data. They didn't manipulate data. They didn't leak data. They only stole data. So that's why we call it intelligence collection.

GARCIA-NAVARRO: That's an important distinction. I want to ask you this in the time we have left. What can be done to prevent something like this from reoccurring, and who is to blame? I mean, this happened under the Trump administration's watch. Was something not happening that should have been?

RID: This is an advanced, sophisticated adversary, you know, really just like the NSA. And they will always or almost always get in. Important to understand here - FireEye, the security company, detected the attack on their networks, so the adversary got really brazen by going after FireEye. And it seems that they did this late in the campaign. So we can really ask the question, why did the Department of Energy, why did the Department of Defense, who were targeted earlier, not discover this breach earlier in the game?

GARCIA-NAVARRO: Still a lot to find out. That was Thomas Rid of the Johns Hopkins School of Advanced International Studies.

Thank you very much.

RID: Thank you. Transcript provided by NPR, Copyright NPR.