White House Will Release Details on Exchange AttacksAnne Neuberger Says Attacks Will Be Attributed
The White House is preparing to release additional details "in the coming weeks" about the attacks that targeted vulnerable on-premises Microsoft Exchange email servers at government agencies and other organizations earlier this year, deputy national security adviser Anne Neuberger says.
On March 4, Microsoft issued emergency patches for four vulnerabilities in certain versions of its on-premises Exchange email server that the company says were exploited by a China-based group its researchers called Hafnium. Later, several security firms found that other groups, including ransomware gangs, were also exploiting these flaws (see: Microsoft Exchange: Server Attack Attempts Skyrocket).
The Biden administration created a Unified Coordination Group to investigate the attacks shortly after they were identified, but the White House did not release details about the attacks or confirm that a Chinese group first exploited the vulnerabilities. Now, however, Neuberger says the White House will soon release details about the incident, including attribution.
"I think you saw the national security adviser Jake Sullivan say that we will attribute that activity," Neuberger said at a Tuesday event hosted by Silverado Policy Accelerator, a think tank. "And along with that, [the administration] will determine what [we] need to do as a follow-up to that. You'll be seeing further on that in the coming weeks."
The Biden administration's cautious approach to attributing the Exchange attacks is similar to the approach it took before accusing Russia's Foreign Intelligence Service, or SVR, of carrying out the supply chain attack on SolarWinds' Orion network monitoring platform that led to follow-on attacks on nine federal agencies and about 100 companies.
While the SolarWinds campaign was first uncovered in December 2020, the White House waited until April 15 to attribute the cyberespionage campaign to the SVR. It then issued economic sanctions against the Russian government as well as businesses and individuals allegedly involved (see: US Sanctions Russia Over SolarWinds Attack, Election Meddling).
Cooperation With Microsoft
Neuberger, who is responsible for cyber and emerging technology at the National Security Council, noted that after the Exchange server attacks came to light, the government received a high level of cooperation from Microsoft to help mitigate these attacks.
Under the auspices of the Unified Coordination Group, Neuberger said, the White House, for the first time, allowed a private company - Microsoft - to participate in these types of government discussions over a cybersecurity incident. She also noted that the company provided a one-click mitigation tool for customers that were running on-premises versions of Exchange server to reduce the risk until they could fully implement patches.
That mitigation tool helped reduce the number of vulnerable Exchange servers from 140,000 to less than 10,000 in the span of a week, Neuberger noted. The coordination group also gained insight into the difficulties with mitigating these types of threats for many organizations.
"We learned a great deal - both in terms of building a common picture of the number of vulnerable servers, where they were and, most importantly, of the success of our joint efforts in reducing that," Neuberger said. "Based on that extensive outreach that the administration did, we learned that companies and smaller government agencies were struggling to patch because in order to do the most recent patch, you had to have [applied] every prior patch - and there were many. This speaks to the issues of software and hardware vulnerabilities."
In her presentation, Neuberger also spoke about President Joe Biden's executive order, published May 12, that requires government agencies to adopt "zero trust" architectures and multifactor authentication. The order also calls for changes in how the federal government evaluates and buys "critical software."
Neuberger pointed out that the National Institute of Standards and Technology published its definition of "critical software" on June 25 to help start the process of assessing how the federal government can help build security into the software supply chain that supports federal government agencies (see: NIST Releases 'Critical Software' Definition for US Agencies).
Even before the executive order was published, Neuberger said, many federal agencies were working on improving basic cybersecurity practices, such as keeping better logs to enable security teams to track incidents and potential threats.
"Whether SolarWinds or Microsoft Exchange, we continuously saw that agencies couldn't answer the question of 'How were you compromised and what was taken?' because they weren't necessarily logging that activity, so we really want to set logging standards across the federal government," Neuberger said. "Frankly, everything we are doing is saying, 'Let's set a benchmark for what is reasonable, aggressive, appropriate cybersecurity activity.'"
Neuberger also noted that the administration is planning to step up its efforts to battle against ransomware attacks. She anticipates aggressive action along the lines of the effort to disrupt the infrastructure of the Trickbot botnet in October 2020, which included contributions and resources from Microsoft and other companies as well as help from the FBI and U.S. Cyber Command (see: Analysis: Will Trickbot Takedown Impact Be Temporary?).
"Certainly that serves as a model where we identify actors and infrastructure that are used to conduct ransomware attacks," Neuberger said. "We want to ensure that we make it a lot harder for those actors to operate, so I think the model you saw there [in the Trickbot takedown], with the FBI and with a number of law enforcement agencies around the world, is certainly a tool in the toolbox we need to use."