Feb 3, 2021

Axios Codebook

Hello, and welcome to this week’s edition of Codebook, where we’re heralding the return of “Axios on HBO.” Tune in on Sundays at 6pm ET/PT on all HBO platforms.

Today's newsletter is 1,323 words, a 5-minute read.

1 big thing: The long tail of the SolarWinds breach


Government and private-sector investigators are racing to run forensics and damage assessments on the SolarWinds breach, but they keep turning up new unknowns, even as the strategic motivations and real impact remain obscure.

Why it matters: The more we learn about SolarWinds, the less we seem to know.

The intrigue: It’s not clear how much of the "SolarWinds breach" is even linked to SolarWinds, acting CISA director Brandon Wales told the Wall Street Journal.

  • In fact, "approximately 30% of both the private-sector and government victims linked to the campaign had no direct connection to SolarWinds," said the WSJ, citing Wales.
  • Because of the Russians’ use of these unconnected vectors, "this campaign should not be thought of as the SolarWinds campaign," said Wales.
  • Malwarebytes, a private computer security firm, has also concluded that “a number of its Microsoft cloud email accounts were compromised by the same group that targeted SolarWinds, using what Malwarebytes called ‘another intrusion vector’” distinct from the SolarWinds backdoor, writes the Journal.

The big picture: The revelations suggest that the access gained into SolarWinds software was only one part in a broader Russian hacking campaign that hit other service providers as well. And we still don't know the hackers' initial point of entry or ultimate goal.

This massive campaign — which has potentially compromised networks tied to the Treasury, Defense, Commerce and State departments — was clearly more proactive and multifaceted than previously known.

  • The hackers identified and employed multiple avenues to compromise their targets — and weren’t, it appears, exclusively using the SolarWinds backdoor as their ticket into victims’ networks.
  • Indeed, SolarWinds “itself is probing whether Microsoft’s cloud was the hackers’ initial entry point into its network,” writes the Journal.
  • Thus, some victims may have been independently targeted via these other Microsoft-related issues, while others were compromised via SolarWinds, which may itself have been breached via its own Microsoft cloud account.
  • The Russian hackers had compromised at least one SolarWinds Microsoft 365 account as far back as December 2019, SolarWinds’ CEO told the Wall Street Journal.

Between the lines: The longer this type of campaign goes undetected, the harder it is to determine who was compromised when — and how. And when these causal chains are blurred, it's that much harder for cybersecurity experts to perform necessary damage control measures.

Context: This investigative work is hard enough in the often hazy world of counterintelligence. Investigators look to suss out:

  • How did a breach happen? Was it caused by a human or some technological source, or some combination of the two?
  • How long has this compromise existed?
  • What was the purpose of the campaign?

It only gets tougher in the world of cyber operations because there are so many potential variables to consider.

  • Private and public actors use lots of managed service providers like SolarWinds, and each one is a potential avenue for compromise.
  • Cyber operators often cover their tracks as they work on achieving persistent access in a network, obscuring the means by which they first got in.
  • Once operations like the SolarWinds hack are discovered, focus immediately turns to worry over what networks the hackers might still be active in and what data might still be exfiltrated. That makes lower priorities out of larger questions about how they might fit into the responsible party's larger intelligence-gathering objectives or foreign policy goals.

The bottom line: Barring some type of extremely well-placed human or other source, getting to something approximating ground truth regarding all the dimensions — technical, tactical, temporal and strategic — of SolarWinds will be very difficult for the U.S. intelligence community.

2. Chinese hackers breached U.S. payroll agency via SolarWinds

Suspected Chinese state hackers compromised the Department of Agriculture’s National Finance Center (NFC) last year by exploiting a second “software flaw” in the SolarWinds platform, reports Reuters.

Why it matters: The Chinese-authored breach could represent a potentially catastrophic leak of sensitive personal information of U.S. government officials — information that China’s spy services will be keen to exploit for counterintelligence purposes.

  • The flaw, which is unconnected to the massive Russian-authored compromise of SolarWinds, was used to penetrate the NFC, which is “responsible for handling the payroll of multiple government agencies, including several involved in national security, such as the FBI, State Department, Homeland Security Department and Treasury Department,” former officials told Reuters.

It’s unclear how much data was potentially accessed or exfiltrated by the Chinese hackers, but “records held by the NFC include federal employee social security numbers, phone numbers and personal email addresses as well as banking information,” and the agency is responsible for maintaining payroll for over 600,000 federal employees, writes Reuters.

  • The hackers “used computer infrastructure and hacking tools previously deployed by state-backed Chinese cyberspies,” sources told Reuters, leading investigators to attribute the breach to a Chinese state group.

Between the lines: The alleged NFC hack follows a well-established pattern for Chinese cyber operators, who have often focused on targeting large government and private-sector datasets that contain sensitive personal information.

3. SolarWinds breach snags court filing system

After being compromised in the SolarWinds breach, the online filing system used by the U.S. federal courts has been forced to institute more stringent, and potentially onerous, security measures, writes AP.

Why it matters: Russian hackers may have lifted highly sensitive data, such as details related to undercover informants and wiretaps, from the judicial filing system. And the new, in-person filing requirements, while more secure, may create difficulties and delays for prosecutors and defense lawyers during the COVID era.

Details: Until recently, even the most delicate material could generally be filed electronically, if under seal, writes AP. But after the SolarWinds breach, U.S. courts are now requiring these to be filed or viewed in person.

  • Adding to the SolarWinds-induced difficulties, different circuit courts have different security rules for filing sensitive documents. For example, "some courts encrypt documents filed under seal, but others do not," sources told AP.

Security experts are worried that the Russian hackers might have been able to filch documents filed under seal, which would be particularly damaging if these documents were stored online in unencrypted format.

Yes, but: While criminal, civil and bankruptcy filing systems may have been compromised, writes AP, the ultra-sensitive Foreign Intelligence Surveillance Court system does not appear to have been affected by the hack.

Finally, there might be some unintended upsides to the updated filing processes, writes AP.

  • They could "make judges rethink whether a seal or paper filing is really necessary," notes the AP. "Court transparency advocates feel that judges have been on a sealing binge in recent years, keeping the public in the dark about important evidence in product liability, public corruption and other cases."

4. Internet blackouts skyrocket amid global political unrest

Data: Axios analysis of NetBlocks reports; Map: Andrew Witherspoon/Axios

Where there's a coup, there will probably be an internet outage, Axios' Dave Lawler and Sara Fischer report.

Driving the news: Internet disruptions in Myanmar early Monday morning coincided with reports that top politicians, including the country's de facto leader Aung San Suu Kyi, were being rounded up by the military.

The big picture: At least 35 countries have restricted access to the internet or social media platforms at least once since 2019, according to NetBlocks, a group that tracks internet freedom. Authorities have used the outages to reduce or prevent unrest — or to hide it from public view.

Between the lines: The internet was created to democratize information, but it's now one of the most powerful weapons autocrats use to silence dissenters and maintain power.


5. Odds and ends

  • SolarWinds shows the need for greater protections for cybersecurity whistleblowers. (Bloomberg Law)
  • Newly declassified memos by former Secretary of Defense Donald Rumsfeld reveal his frustration around intelligence surrounding Iraq and Afghanistan. (SpyTalk)
  • Sen. Ron Wyden is leading a renewed charge to have NSA release more information about an unsolved 2015 supply chain compromise. (CyberScoop)
  • U.S. officials believe China is trying to collect Americans’ DNA. (CBS News)
  • Investigators have discovered a pro-Huawei online influence campaign in Belgium. (New York Times)
  • Law enforcement officials in the U.S. and Europe last week announced actions aimed at crushing two international ransomware networks. (Axios)