U.S. Sent Teams into Foreign Networks to Hunt SolarWinds, Microsoft Hackers
Mixed military-civilian cyber team spied on SolarWinds attackers, filched malware used against Microsoft email product
U.S. Army Maj. Gen. William Hartman, who commands the Cyber National Mission Force in Fort Meade, Md., speaks with Eric Goldstein, CISA’s executive assistant director for cybersecurity, at the RSA Conference 2023 in San Francisco.
Photo: James Rundle/The Wall Street Journal

SAN FRANCISCO—The U.S. military deployed teams of hackers to foreign networks in 2020, in the days after a major cyberattack on federal agencies was revealed. They hunted for intruders to study their behavior before shutting down their access, according to U.S. officials discussing the events publicly for the first time Monday.
Shortly after a long-running breach of SolarWinds Corp. software was disclosed by cybersecurity company FireEye Inc. in December 2020, the U.S. government moved quickly. The Cybersecurity and Infrastructure Security Agency, an arm of the Department of Homeland Security, identified around nine federal agencies that had been compromised, said Eric Goldstein, CISA’s executive assistant director for cybersecurity, speaking on a panel Monday at the RSA Conference.
The intrusions allowed CISA to build an image of an infected server—essentially a snapshot of a system that had been breached—and pass it to U.S. Cyber Command in Fort Meade, Md., and to the Cyber National Mission Force.
“The ability to gain access to an image of the compromised server was invaluable for us,” said U.S. Army Maj. Gen. William Hartman, the force’s commanding officer, speaking on the same panel.
Gen. William Hartman, who leads the U.S. Cyber National Mission Force, speaks in 2022.
Photo: U.S. Navy Chief Petty Officer Jon Dasbach/U.S. Cyber Command via AP

The CNMF, a little-known mixed unit of military and civilian cybersecurity specialists that operates in foreign networks to hunt threats, reconstructed the server in a training environment and, in the days following, began to analyze how the attackers had infiltrated.
At the same time, Gen. Hartman said, intelligence indicated the same hackers had compromised networks in a partner nation. The CNMF deployed a team there immediately to hunt within those networks, he said.
“Not only were we able to gain access to the adversary, but we were able to do so in a manner that the adversary didn’t know we were there,” he said.
The team collected around 18 pieces of malware, which were brought back to the U.S., informing an unusually detailed memo from CISA on evicting hackers who exploited the SolarWinds breach, published in May 2021.
The U.S. attributed the attack to the Russian government, which has denied the allegation.
The SolarWinds incident is among dozens of such engagements for the CNMF, said Gen. Hartman, speaking to reporters on the sidelines of the conference. The unit has undertaken 47 “hunt forward” operations to date, in which teams can comprise anywhere from a handful of specialists to large-scale units, including a 43-person deployment to Ukraine.
At any point, the unit—with around 2,000 service members from various U.S. military branches, along with liaisons from civilian federal agencies such as CISA—is also engaged in support and analysis operations at federal agencies, he said.
Other engagements for the CNMF include deployments following the compromise of Microsoft Corp.’s Exchange Server email product in March 2021. In that case, government teams once again secured a copy of the malware for study and began scanning U.S. networks and those of allies for vulnerable systems. That attack was later blamed on the Chinese government, which has denied involvement.
Election security is a significant assignment for the unit. During the 2020 U.S. presidential election, Gen. Hartman said, the CNMF conducted a reconnaissance operation in foreign networks when it discovered hackers had gained access to local infrastructure in a U.S. city. While voting itself would have been unaffected by the intrusion, Gen. Hartman said, the group could easily have launched attacks on public-facing systems such as websites, to sow doubt about the election’s legitimacy.
The unit worked with CISA to resolve the issues, he said. Mr. Goldstein of CISA said the partnership with CNMF, which includes staff working together physically on a daily basis, is imposing costs on hackers, such as blocking their tactics and degrading their attacks.
“If they target American networks then there are going to be consequences, and those consequences are going to be bad,” he said.
Write to James Rundle at james.rundle@wsj.com
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.