Written by Shannon Vavra
Apr 13, 2021 | CYBERSCOOP
The U.S. intelligence community on Tuesday made its most direct public attribution yet that Russia was behind the insertion of malicious code into a SolarWinds software update, a software supply chain compromise that enabled a sweeping espionage operation affecting hundreds of companies and U.S. federal agencies.
The attribution appears in the intelligence community’s Annual Threat Assessment, which the Office of the Director of National Intelligence released Tuesday.
“A Russian software supply chain operation against a US-based IT firm exposed approximately 18,000 customers worldwide, including enterprise networks across US Federal, state, and local governments,” the assessment notes, without naming SolarWinds.
The publication of the threat assessment coincides with President Joe Biden’s call with Russian President Vladimir Putin Tuesday, during which Biden “made clear that the United States will act firmly in defense of its national interests in response to Russia’s actions, such as cyber intrusions and election interference,” according to the White House readout of the call. The readout does not specify whether Biden specifically discussed SolarWinds with his Russian counterpart.
The threat assessment, which covers a broad range of intelligence concerns beyond the SolarWinds attack, from COVID-19, disease outbreaks and ecological degradation to espionage, influence and other cyber-operations, notes that America’s adversaries are working to enhance their cyber and military capabilities in a manner that is “weakening our conventional deterrence” and “worsening the longstanding threat from weapons of mass destruction.” The assessment primarily covers Russian, Chinese, Iranian and North Korean threats, although it analyzes non-state actors as well.
Russia and China both possess the capability to run cyberattacks that encompass potentially damaging and destructive operations, the report warns.
While China can launch cyberattacks that “can cause localized, temporary disruptions to critical infrastructure within the United States,” Russia has demonstrated it can cause damage to infrastructure during a crisis, the intelligence assessment concludes. In particular Moscow has been targeting critical infrastructure “including underwater cables and industrial control systems” in the U.S. and in allied countries, the report notes.
North Korea also “probably” has the “expertise to cause temporary, limited disruptions of some critical infrastructure networks,” the analysis states.
Russia presents “one of the most serious intelligence threats to the United States,” the analysis notes, adding that the U.S. intelligence community assesses the Russian government will continue to deploy cyber-operations, influence operations and intelligence services as part of a broader strategy meant to “divide Western countries and weaken Western alliances” and “advance its agenda and undermine the United States.”
Iran, too, is becoming “increasingly active in using cyberspace to enable influence operations,” the report reads.
Part of those efforts include operations meant to sway American voters and decision-making, the analysis notes. The assessment echoes an earlier U.S. intelligence report issued just last month that detailed Russia’s and Iran’s efforts to influence U.S. decision-making and voters.
The earlier assessment concluded that Moscow’s influence efforts were aimed at denigrating Biden’s candidacy, supporting then-President Trump and undermining confidence in the electoral process. Russia’s influence operations relied in part on human conduits, among them a Russian agent, Andriy Derkach, who sought to wage a covert influence operation aimed at swaying public opinion in the U.S.
Iran’s influence operations were aimed at undermining Trump’s reelection and confidence in the electoral process, the earlier assessment noted. Last year Iran sought to influence the U.S. presidential election by sending threatening emails to voters, according to previous U.S. intelligence announcements.
That effort was likely just the beginning for Iranian influence operations targeting U.S. elections, the U.S. intelligence community assessment issued Tuesday notes.
“We expect Tehran to focus on online covert influence, such as spreading disinformation about fake threats or compromised election infrastructure and recirculating anti-US content,” the assessment reads.
Clamoring for control
According to the earlier U.S. intelligence memo, Chinese authorities considered conducting influence operations targeting the U.S. elections, but opted against doing so. Nonetheless, Chinese government influence represents a “growing threat,” according to the Annual Threat Assessment.
“China’s cyber-espionage operations have included compromising telecommunications firms, providers of managed services and broadly used software, and other targets potentially rich in follow-on opportunities for intelligence collection, attack, or influence operations,” the report notes.
Some of China’s government surveillance operations have been focused on tamping down dissent or views Beijing sees as a threat to the government, according to the analysis, “particularly among ethnic minorities, such as the Uyghurs.”
Chinese hackers with ties to the government have been running surveillance operations targeting Uyghurs for years, security researchers have found. Just last month Facebook revealed that China-based hackers used front companies as part of a broader effort to hack and surveil Uyghurs.
While Facebook did not attribute the activity to the Chinese government, a FireEye analysis has suggested the operation was run in support of the Chinese government.
The threat assessment notes that Russia has also continued to rely on cyber-operations to stamp out what it perceives as threats to Moscow.
“In 2019, Russia attempted to hack journalists and organizations that were investigating Russian Government activity and in at least one instance leaked their information,” the analysis states. “Russia almost certainly considers cyber attacks an acceptable option to deter adversaries, control escalation, and prosecute conflicts.”
The hacking group known as Fancy Bear or APT28, which has links to Russia’s General Staff Main Intelligence Directorate (GRU), has previously targeted journalists, according to an Associated Press report from 2017.
North Korean ICBMs may be on the horizon
In an effort to deter foreign intervention in North Korean affairs, North Korean leader Kim Jong-un “may take a number of aggressive and potentially destabilizing actions to reshape the regional security environment and drive wedges between the United States and its allies — up to and including the resumption of nuclear weapons and intercontinental ballistic missile (ICBM) testing,” the U.S. intelligence community assesses.
North Korean hackers have long targeted financial institutions, including cryptocurrency exchanges, in order to fund the country’s nuclear weapons program, according to the United Nations.
The U.S. intelligence community report notes only that “North Korea has conducted cyber theft against financial institutions and cryptocurrency exchanges … probably to fund government priorities, such as its nuclear and missile programs.”
“Kim … aims to achieve his goals of gaining prestige, security, and acceptance as a nuclear power through … cyber capabilities,” the report states.
The report comes one day before intelligence leaders will gather to brief the Senate Intelligence Committee on global threats to the nation. The briefing, which is slated to include Director of National Intelligence Avril Haines, National Security Agency Director Gen. Paul Nakasone, CIA Director William Burns, DIA Director Scott Berrier and FBI Director Chris Wray, will be the first worldwide threats briefing in over two years.
Under President Trump, ODNI officials pushed for the testimony to move behind closed doors to avoid intelligence leaders contradicting Trump.