Illustration: Aïda Amer/Axios
President Trump's reluctance to name and shame Russia for the SolarWinds cyberattack will hamper companies and government agencies as they begin the long and daunting job of assessing and repairing the hack's damage.
Why it matters: Experts say Russia's fingerprints are all over the attack, but the president's dissent will hobble any U.S. response — at least until Jan. 20.
Catch up quick: Security officials and experts share a broad consensus that the "Cozy Bear" group, also known as APT29, overseen by Russia's SVR intelligence service, was responsible for the hack.
- The Cybersecurity and Infrastructure Security Agency (CISA) described the attackers as "a patient, well-resourced, and focused adversary that has sustained long duration activity on victim networks."
White House officials had readied a statement Friday calling Russia "the main actor" in the attack, but were ordered not to release it, the Associated Press reports.
- Around the same time, Secretary of State Mike Pompeo said in an interview that Russia is "pretty clearly" behind the attack, which hit the State Department, among many other agencies and businesses.
- Saturday, Trump tweeted that the extent of the attack was being overplayed by the media and that others could be responsible for the attack, perhaps China.
Between the lines: Some security experts fear the president's position will transform what should be a unified government response to a hostile act by a foreign power into yet another personal loyalty test.
- Last month, Trump fired CISA director Christopher Krebs after Krebs affirmed that the 2020 election had been secure.
- Anything involving "Russia, Russia, Russia" (as Trump put it in his tweet) has been a sore point for the president since Russia's hacks during the 2016 election became the foundation for years of investigations into his administration's relationship with Moscow.
Yes, but: Leaders from both parties, including Sen. Mitt Romney (R-Utah), have called for holding Russia accountable and launching a significant response.
- President-elect Joe Biden said in a statement: "I will not stand idly by in the face of cyber assaults on our nation."
- Incoming White House chief of staff Ron Klain told CBS' "Face the Nation" that the new administration's response to an "attack like this" would go beyond sanctions and include steps "to degrade the capacity of foreign actors to repeat this sort of attack."
With all this going on, the administration is also pushing a plan to separate the leadership of the Cyber Command from the National Security Agency, according to a story in Defense One.
- The "dual hat" arrangement has long been under review, but the SolarWinds crisis seems a strange moment to start a big reorg in the world of cyber defense.
- The New York Times reports some observers are questioning the timing and whether the move is "retribution" against Gen. Paul Nakasone, who now runs both agencies.
Breaking: Private-sector victims of the hack include Cisco, Intel, Nvidia, Deloitte, VMware and Belkin, according to the Wall Street Journal, which identified infected systems at those firms.
- Each company told the Journal they'd found no evidence of actual harm from the intrusions.
How it worked: Microsoft, in a fascinating weekend post, provided details of how the hackers hid their break-in, using a software update for SolarWinds' Orion network management platform to gain access to thousands of institutions' systems.
- "The threat actors were savvy enough to avoid give-away terminology like 'backdoor', 'keylogger,' etc.," the Microsoft post says. Instead, they gave their tampered code an innocuous name — "OrionImprovementBusinessLayer" — that would fit right into a marketing brochure.
- The attack's crucial, door-opening exploit was a small chunk of "poisoned code" (as Microsoft dubbed it) all of five lines long, or roughly 160 characters.
- This could well be the most damage per character yet achieved in the short history of cyber warfare.