The Road to Jan 6

Did a Russian Cyberattack Affect the Election? Officials Couldn't Be Sure

In this daily series, Newsweek explores the steps that led to the January 6 Capitol Riot

On December 13, 2020, the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security issued Emergency Directive 21-01, requiring federal agencies to disconnect or power down SolarWinds' Orion software because it posed a substantial security threat.

Such "hacking" announcements, seemingly constant, are often difficult to assess for severity, and they almost always provoke reporting that screams ever greater vulnerability. But the SolarWinds cyberattack was "one of the most widespread and sophisticated hacking campaigns ever conducted against the federal government and private sector," according to the Government Accountability Office.

The attack had repercussions on the focus and attitude of the national security agencies, and on the power of the deep state that so many insist doesn't exist.

SolarWinds has more than 320,000 customers in 190 countries. The infected software was widely used by federal agencies to monitor network activity, and SolarWinds later estimated that nearly 18,000 of its users received the compromised software update. Russian operators were inside compromised federal agency networks from May through December, reading emails and other documents.

(Though 18,000 users received the compromised software update, SolarWinds tells Newsweek that the number of computers actually exploited turned out to be much smaller. CISA later noted that "a much smaller number [of computers] have been compromised by follow-on activity on their systems." SolarWinds later announced that "the actual number of customers who were hacked ... [were] fewer than 100.")

Beginning in September 2019, operators of Russia's Foreign Intelligence Service (SVR) breached the network of SolarWinds, an Austin, Texas-based network management company. Over the following months they inserted hidden code into a component of the Orion platform, SolarWinds' network monitoring product. Because the tampered file was built and digitally signed by SolarWinds' own build system, it passed every signature check and went out to customers as part of SolarWinds' regular Orion software updates. The Trojan provided Russia with a "backdoor" into every computer that installed it, from which the operators could selectively reach into the networks of SolarWinds customers they cared about.

Election personnel sort absentee ballot applications for storage at the Gwinnett County Board of Voter Registrations and Elections offices on November 7, 2020 in Lawrenceville, Georgia. Elijah Nouvelage/Getty Images

Just after the election, FireEye, a cybersecurity firm, detected an intrusion into its own systems, traced it to the Orion platform and informed SolarWinds of the compromise. SolarWinds began notifying customers, posting on Twitter that it was asking "all customers to upgrade immediately to Orion Platform version 2020.2.1 HF 1 to address a security vulnerability." Microsoft also found the malicious code in its own environment and began informing customers, including federal agencies, that their systems had been breached.

On December 16, the Cyber Unified Coordination Group, responsible for coordinating government-wide responses, was activated. The Russians had probably been reading the internal emails of the Departments of Defense, Homeland Security, State, Treasury, Energy, Labor, Commerce and Justice (including U.S. Attorney's offices), as well as the federal courts. Agencies using SolarWinds Orion software had their systems disconnected or powered down.

President Donald Trump said nothing for days. When he did speak up, on December 19, he suggested that China and not Russia might have been responsible, and that "everything is well under control."

The Department of Justice later said that around three percent of its email inboxes were compromised. The New York Times reported that the emails of the most senior Treasury Department officials were compromised. The breach of court systems likely put at risk "sensitive case records and information that would be of great value to Russian intelligence, including trade secrets, investigative techniques, and information on targets of surveillance operations."

The biggest worry, according to a senior intelligence official involved in the damage assessment, is that Russia, through its Orion access, was able to burrow deeper into the electrical grid and even nuclear storage facilities, leaving backdoors for later use.

FireEye CEO Kevin Mandia, SolarWinds CEO Sudhakar Ramakrishna and Microsoft President Brad Smith testify during a Senate Intelligence Committee hearing on Capitol Hill on February 23, 2021 in Washington, DC. The hearing focused on the 2020 cyberattack. Drew Angerer/Getty Images

The Russian Embassy in Washington denied any involvement, saying in a statement on December 14 that Russia "does not conduct offensive operations in the cyber domain."

In truth, Russia does. But the federal government, which spends billions annually on cybersecurity, never detected the intrusion: not on its networks, not in its intercepts, not from human agents. CISA, the agency also in charge of protecting election infrastructure, detected nothing. The CIA and NSA detected nothing. The first warning came from a private company that had itself been hacked.

"Russia should be held accountable," Joe Biden's Secretary of Defense, retired Army General Lloyd Austin, said during his confirmation hearing. Members of Congress called for America to retaliate. It should be "swift and clear," senators said.

Russia, the perpetual enemy, was the primary focus of the intelligence community as December moved into January. And because of SolarWinds, Justice and the FBI became deeply involved as well. There were discussions, according to the senior intelligence official (granted anonymity in order to speak about classified issues), as to whether CISA and the NSA could in fact know for sure that election systems had not been compromised. The SolarWinds operation was so sophisticated that it went undetected for over a year; as a result the FBI, in particular, doubled down on its many Russia-related cases, spooked as well about whether it was missing a broader penetration into the fabric of American society.

SolarWinds, as damaging as it might have been, provided the national security bureaucracy with a needed diversion and something to do at a time when the post-election chaos and the president's distraction left them powerless. Without the president, and with National Security Advisor Robert O'Brien checked out, the bureaucracy churned on SolarWinds. No one in the federal government was ever held accountable for the breach itself. By the time the Cyber Unified Coordination Group ceased its work on April 19, 2021, a new post of Deputy National Security Advisor for Cyber and Emerging Technology had been created at the White House, another member of the bureaucracy. And more funding was secured for everyone.

A massive attack with major repercussions across the government. The SolarWinds Corp. logo is seen on a sign at the company's headquarters in Austin, Texas. The White House announced sanctions in response to "malicious cyber activities against the United States and its allies and partners," referring to the so-called SolarWinds hack of U.S. government computer systems the previous year. Suzanne Cordeiro/AFP via Getty Images

Update 12/13, 5:45 pm.: This story has been updated with additional information about the number of computers affected by the compromised software update.