The Biden administration is planning a broad package of measures, including sanctions, to punish Russia over the sprawling SolarWinds espionage campaign that struck at the heart of the US government.
US officials have previously said the hack, believed to have started early last year, has directly affected at least nine federal agencies and about 100 companies. Officials have said the attack was “likely of Russian origin”, although the US intelligence community has yet to issue its final conclusion.
The administration was also planning measures to secure commercial networks and improve third-party services, according to two people briefed on the matter.
“There are Russia-specific measures being developed that will go beyond sanctions,” said one of the people briefed on the matter, adding these would be part of “a package of measures” aimed at Moscow.
The steps under consideration underscore the tougher line Joe Biden’s administration is preparing to take against Russia on a number of fronts from espionage to human rights, including the jailing of Alexei Navalny, the opposition leader who has accused Russian spies of nearly killing him with a chemical nerve agent in August.
The hackers gained access to systems by hijacking software in March last year from SolarWinds, a Texas-based information technology company, alongside several other methods.
At least 18,000 companies and agencies were potentially exposed. The hackers went on to select particular targets to pursue further, lurking in their emails and impersonating legitimate employees in order to access sensitive information in the cloud.
The commerce, energy, justice and Treasury departments are among those who have admitted their systems were breached.
Some cyber experts have cast the campaign — which is ongoing — as the sort of espionage that is common practice for most nation-states. But others have suggested it is possible that it could go further, constituting reconnaissance for future potential disruptive attacks, and urged the Biden administration to retaliate against Russia.
The potential action comes as Senate intelligence officials from both political parties have already complained about the disjointed response to the campaign to date. Both the Senate and the House are holding hearings this week on the hack.
People familiar with the government’s thinking caution the Biden administration had yet to determine the full scope of the measures it would take. US officials want to go beyond sanctions to bring criminal charges against specific Russians, according to the people briefed, but that approach will rely on the US intelligence community’s efforts to drill down into the hacks in order to attribute the actions to individuals.
Anne Neuberger, the former National Security Agency cyber security director who is leading the administration’s response to the SolarWinds breach, has said that the US intelligence community was still seeking to determine responsibility for the broad hack.
She told reporters at the White House last week that the full effort could take “months”, and the scale of potential access likely “far exceeded the number of known compromises”.
She added that the hackers had launched their attack “from inside the United States, which further made it difficult for the US government to observe their activity” because the intelligence community generally had no visibility into private sector networks.
The Washington Post first reported the administration’s intention to punish Russia.