Exchange Hacks: How Will the Biden Administration Respond?
As White House Readies SolarWinds Response, This New Crisis Burns
As the Biden administration makes final preparations over the next several weeks to respond to the attacks that targeted SolarWinds last year, the White House finds itself confronted by a second major cyberthreat: the hacking of Microsoft Exchange servers throughout the U.S.
The unfolding attacks against Exchange email servers, which Microsoft and other security researchers announced this month, appear to number in the thousands and involve multiple hacking groups. Security analysts warn that these attacks may continue for some time, forcing organizations and their security teams to scramble to patch systems against four distinct vulnerabilities, and then to check whether those servers were already compromised before the patch was applied.
The attack against SolarWinds has dominated much of the conversation around cybersecurity because of the scale of the incident and the attackers' ability to plant a Trojanized software update that was sent to 18,000 of the company's customers. The Exchange attacks could prove even more challenging, however, because the on-premises version of the mail server affected by the flaws is widely used by smaller organizations, including local government agencies both in the U.S. and worldwide (see: Hackers Exploit Exchange Flaws to Target Local Governments).
On Friday, a senior Biden administration official briefed reporters about the Exchange attacks, noting this latest incident raises significant questions about the basic security of both the hardware and software that government agencies and private firms use daily.
"Yes, they appear to be sophisticated and capable. But they took advantage of weaknesses that were in that software from its creation … insecure software and hardware is a key challenge we face," the senior administration official said, according to an official White House transcript.
And while the Biden administration is attempting to understand the scale of the Exchange attacks, it's also preparing to respond to SolarWinds. The senior official said that a review of the nine federal agencies targeted should be completed by the end of this month and that a response would come in "weeks, not months."
Greg Touhill, a retired U.S. Air Force brigadier general who served as the country's first federal CISO, says that not only does the Biden administration have to respond to these cyber incidents, but both SolarWinds and Exchange are raising fundamental questions about how the U.S. government should view cybersecurity as a national priority.
"The attacks on Exchange should be part of the conversation, and shame on us if we're not including that as part of the calculus and deciding what's our risk. And we're going to take a look at it," Touhill, now the CEO of Appgate Federal, says. "The SolarWinds incident is, in my opinion, the tip of an iceberg, and there's a lot more under the surface that we're not seeing."
A Nuanced Approach
Several security experts expect the Biden administration to have a more nuanced approach to the Exchange hacks compared to what the White House is planning for SolarWinds.
For one, the federal government agencies investigating SolarWinds have publicly stated that a Russian-linked hacking group is likely responsible, and the attacks were probably part of a long-term cyberespionage campaign designed to gather intelligence across multiple departments (see: SolarWinds Attack: Pointing a Finger at Russia).
Both before and after he was sworn into office, Biden called for a response to the SolarWinds attacks. Although his administration has kept the details under wraps for now, the response is likely to include a mix of reprisals and executive action to change some U.S. policies regarding cybersecurity (see: White House Preparing 'Executive Action' After SolarWinds Attack).
The Exchange attacks, however, present unique problems.
For one, Microsoft has attributed the Exchange attacks to a hacking group called Hafnium, which the company claims is state-sponsored and based in China. Security firm ESET has also identified at least 10 advanced persistent threat groups that are exploiting the vulnerabilities in Exchange, and several of the groups have ties to China.
So far, the Biden administration has not officially attributed the Exchange attacks to a particular hacking group or nation-state. At the same time, officials with the U.S. Cybersecurity and Infrastructure Security Agency have noted that no federal agencies have been affected by these attacks to date.
Kelvin Coleman, the executive director of the National Cyber Security Alliance, who has held cybersecurity posts at the White House and Department of Homeland Security, says that until the administration officially attributes the attacks to a specific group or nation-state, it won't be able to form a response in the same way it has developed actions to address SolarWinds.
Also, the fact that Microsoft attributed the Exchange attacks to a Chinese hacking group that seemed more interested in smaller organizations and agencies raises its own set of questions that the Biden administration will have to answer as it prepares a response, Coleman notes.
"So, was this a test run for a larger attack? Were the attackers subcontracted by another country, or were they simply a rogue criminal element?" Coleman asks. "The latter questions can be particularly confounding because, without proper attribution, navigating a formal government response against another nation - in other words, sanctions - can easily be turned into a shell game that can have major implications if decision-makers guess wrong."
Since taking office, the Biden administration has signaled that it plans to take a much more nuanced approach to China when it comes to national security and cybersecurity issues, as compared to former President Donald Trump and his advisors (see: Biden Assesses US Policies on China Cybersecurity Issues).
Forming a Response
Scott Shackelford, chair of Indiana University's cybersecurity program, says that during past cybersecurity events, the U.S. government has addressed these issues by attempting to make attacks more expensive and time-consuming for nation-state hackers. This includes investing in layered defenses and deterrence-by-denial strategies, as well as going after those responsible.
Now, Shackelford believes that the Biden administration should take the opportunity given by both SolarWinds and the attacks linked to the Exchange vulnerabilities to develop new ways of thinking about responses.
"Clearly, given the SolarWinds espionage campaign and the Chinese-linked hacking group behind the Exchange attack, there is a sense of going back to the drawing board," he says. "Clearly, the Biden administration needs to do more of both techniques to better deter the likes of China, which is a complex relationship given the partnership that the U.S. needs from China on other fronts, including climate change."
One fresh tactic would be for the Biden administration to develop a national cybersecurity safety board modeled after the U.S. National Transportation Safety Board that would not only examine the causes of cyber incidents, but suggest ways to change policies based on the findings, Shackelford says.
During the Friday call with reporters, the senior administration official noted that the White House is considering adopting a security scorecard and ratings system for U.S. software, among other cybersecurity policy decisions.
Andreea Cotoranu, a clinical professor at the Seidenberg School of Computer Science and Information Systems at Pace University, says that no matter which way the Biden administration chooses to respond to the Exchange attacks, the White House needs to take a holistic approach and apply policies consistently irrespective of the source of the attack or the extent of the damage.
"Allegedly, both attacks have been committed by state-sponsored actors, with the goal of collecting intelligence. There has been an increase in the number of state-sponsored attacks, and the trend will continue into the future," Cotoranu says. "However, formulating a response to these kinds of attacks is challenging, and requires a holistic approach that combines technology, policy and diplomacy."
Coleman notes that both SolarWinds and the Exchange attacks have shown that the nation's critical cyber infrastructure is vulnerable at both the federal and the local level, and that should spur the Biden administration and lawmakers to come up with better approaches to these issues.
"Although the Biden White House response to China after this attack is still up in the air, it will certainly act as a call to arms for more congressional support toward cybersecurity infrastructure and policy domestically - be it financial or otherwise - as this is increasingly becoming a war of global perceptions as much as it is a war of information," Coleman says.