President Trump Downplays Impact of SolarWinds BreachTrump's Comments Come After Secretary of State Pointed Finger at Russia
In his first remarks about the massive hacking operation that leveraged a tainted SolarWinds Orion software update, President Donald Trump on Saturday downplayed the seriousness of the incident and contradicted Secretary of State Mike Pompeo, who pointed a finger at Russia in a Friday radio interview.
In a pair of tweets on Saturday, Trump appeared to question whether Russia was involved in the hacking operation and opened up the possibility that China may have played a role.
"The Cyber Hack is far greater in the Fake News Media than in actuality," Trump tweeted on Saturday. "Russia, Russia, Russia is the priority chant when anything happens because Lamestream is, for mostly financial reasons, petrified of discussing the possibility that it may be China (it may!)."
The Cyber Hack is far greater in the Fake News Media than in actuality. I have been fully briefed and everything is well under control. Russia, Russia, Russia is the priority chant when anything happens because Lamestream is, for mostly financial reasons, petrified of....— Donald J. Trump (@realDonaldTrump) December 19, 2020
The tweets were Trump's first comments about the large-scale cyberattack campaign that has affected government agencies, such as the Treasury, Commerce, Homeland Security and Energy departments, as well as numerous corporations as well as security firms, including FireEye, Microsoft, Intel and Nvidia (see: Microsoft Finds Backdoor; CISA Warns of New Attack Vectors).
Pompeo's Remarks on Russia
Trump's remarks came after Secretary of State Mike Pompeo told a conservative radio host on Friday "we can say pretty clearly that it was the Russians" who were behind the hacking campaign, according to a transcript.
The massive hacking operation was built on slipping malicious backdoors into software updates for SolarWinds' Orion network management software. Once those updates were installed by organizations, the attackers had free-ranging access to networks and could install other malware and access data, such as email accounts (see: SolarWinds Supply Chain Hit: Victims Include Cisco, Intel).
Pompeo is the first high-ranking U.S. official to publicly link Russia to the hacking of SolarWind's Orion platform. While no evidence has been publicly presented as of yet about the identities of the hackers, the Washington Post and other media outlets reported that a group that is known as APT 29, aka Cozy Bear, is suspected.
This hacking group is believed to be linked to Russia's SVR foreign intelligence service and has been blamed for high-profile intrusions, including one against the Democratic National Committee in 2016. Russia, through its Washington, D.C. embassy, has denied any involvement.
After Trump posted his tweets that seemed to contradict Pompeo's comments, Adam Schiff, the Democratic chairman of the House Intelligence Committee, pushed back against the president's remarks on Twitter.
Another day, another scandalous betrayal of our national security by this president.— Adam Schiff (@RepAdamSchiff) December 19, 2020
Another dishonest tweet that sounds like it could have been written in the Kremlin.
Another obsequious display towards Putin.
And yet another reason that Trump can’t leave office fast enough. https://t.co/ILNh3KnfbT
Republican and Democratic lawmakers on Thursday began asking several federal agencies, including the FBI, the Cybersecurity and Infrastructure Security Agency and the Office of the Director of National Intelligence, about the hacking campaign and started to demand more answers about the investigation and what data may have been compromised (see: SolarWinds Hack: Lawmakers Demand Answers).
The FBI, CISA and ODNI released a joint statement Wednesday acknowledging the attack and revealing that a Cyber Unified Coordination Group has been created to coordinate a response.
CISA released an update Saturday to its assessment of the attack, noting that the agency's investigators now have evidence that the hackers used other attack vectors besides the compromised SolarWinds Orion platform to gain access to various networks and plant backdoors.
"Specifically, we are investigating incidents in which activity indicating abuse of [Security Assertion Markup Language] tokens consistent with this adversary's behavior is present, yet where impacted SolarWinds instances have not been identified. CISA is working to confirm initial access vectors and identify any changes to the [Tactics, Techniques and Procedures]," according to the updated alert.
Security blogger Brian Krebs reported Friday that unnamed sources claimed a vulnerability in some of VMware's products could have served an additional attack vector. But a company spokesperson says that no agencies have contacted it about this possibility. Earlier this month, the National Security Agency warned that Russian-linked hackers were trying to exploit this flaw in VMware's products (see: NSA: Russian Hackers Exploiting VMware Vulnerability).
The NSA also warned this week that threat actors, once they had access to a local network, could abuse Security Assertion Markup Language tokens to gain access to cloud resources. The warning did not mention if this technique was specifically used during the SolarWinds breach (see: NSA Warns of Hacking Tactics That Target Cloud Resources).
Microsoft published an updated technical analysis Friday of both the backdoor and malicious dynamic link library used by the attackers to insert their malware into the SolarWinds Orion update that was eventually installed by about 18,000 customers of the Austin, Texas-based company.
Microsoft's team found additional malware that affects the Orion platform and was likely deployed by a separate threat group. The updated analysis notes this malicious code is not connected to the main attacks that affected government agencies and businesses.
"The investigation of the whole SolarWinds compromise led to the discovery of an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor," according to Microsoft. "The malware consists of a small persistence backdoor in the form of a [Dynamic Link Library] file named App_Web_logoimagehandler.ashx.b6031896.dll, which is programmed to allow remote code execution through SolarWinds web application server when installed in the folder “inetpubSolarWindsbin."
Microsoft also notes that this separate malicious Dynamic Link Library file did not contain a forged digital signature like the one used in the main attack. The Microsoft analysis did not say whether this secondary malware was deployed against any targets.