U.S. military and security officials are preparing to publish one of their most detailed analyses yet of the hacking tools used by suspected Russian spies in a campaign that the Biden administration has labeled a national security threat.
The “malware analysis report” from U.S. Cyber Command and the Department of Homeland Security, which CyberScoop obtained, spotlights 18 pieces of malicious code allegedly used by Russian hackers, who exploited software made by the federal contractor SolarWinds and other vendors on their way to infiltrating nine U.S. government agencies and 100 companies.
The report sheds light on a historic espionage campaign that U.S. officials have, at times, been cautious to publicly detail. It’s an analysis from U.S. government cybersecurity specialists of how the alleged Russian operatives moved from network to network, and builds on private sector reporting.
Cyber Command and DHS’s Cybersecurity and Infrastructure Security Agency said the goal of the release was “reduced exposure to malicious activity” for U.S. organizations.
The report was originally scheduled to be released at 3 pm on Wednesday afternoon, according to multiple people familiar with the matter. At that time, DHS’s U.S.-CERT sent a tweet promoting the report but later deleted it. After this story was published, CISA informed organizations that received an advanced copy of the report that its public release would be delayed. No explanation was provided.
Spokespeople for CISA and Cyber Command did not immediately respond to a request for comment Wednesday evening.
President Joe Biden has vowed a response to the hacking campaign, and ordered his intelligence agencies to review its impact on U.S. computer networks. U.S. officials have said the hacking is “likely Russian in origin.”
Moscow has denied involvement in the incident.
One of the tools analyzed in the new U.S. government report is a “backdoor,” or piece of code that allows persistent access to a network, dubbed Sunshuttle by security firm FireEye. Another is a stealthy hacking tool that Microsoft calls Sibot that masquerades as Windows software to infect targeted machines.
Another file is a so-called webshell called China Chopper, which is a popular script used by various hackers to ensure their access to a network isn’t cut off. The webshell was on the same network as one of the alleged Russian group’s vaunted and customized hacking tools, U.S. officials said.
Cyber Command regularly publicizes foreign operatives’ hacking tools to head off future intrusions.
In this case, the damage is already done, as the suspected Russian spies had access to U.S. government and corporate networks for many months. The technical analysis could help organizations find malicious artifacts in their networks and remediate them.
It’s been nearly three months since an initial, carefully worded statement linked the hacking campaign to Moscow. Acting CISA director Brandon Wales has said more detailed attribution of the spying operation is coming soon, without specifying when.
In the meantime, U.S. officials have been cautious about talking publicly about the potential impact of the spying operation, which the Associated Press has reported including snooping on former acting Homeland Security Secretary Chad Wolf’s emails.
“[W]e are able to understand with a reasonable degree of confidence what systems the adversary intruded into, with some degree of confidence what systems they may have targeted,” a senior DHS official said during a background media briefing on Tuesday. “But of course the challenge always is figuring out what the adversary intends to do with the access that they have achieved.”
Updated March 31, 8:55 p.m. EDT: This story was updated with details on the shifting timetable of the U.S. government report’s release.
Updated April 2, 3:14 p.m. EDT: The headline on this story was updated to reflect that U.S. officials have compiled a report about hacking tools used in the SolarWinds breach. The timing of that report’s distribution remains dynamic.