Hunting the hunters: How Russian hackers targeted US cyber first responders in SolarWinds breach

Opt-in to Cyber Safety. Multiple layers of protection for your devices, online privacy and more.

Over the course of a few months, as US officials remained unaware of the breach, hackers identified a handful of key cyber security officials and analysts who would be among the first to respond once the hack was detected, so-called ‘threat hunters,’ and attempted to access their email accounts, according to two sources familiar with the matter.

While it is unclear if any of those accounts were compromised, sources say the fact that the hackers knew which working-level cybersecurity analysts at the Department of Homeland Security to go after suggests they were able to develop a much deeper understanding of US cyberdefenses than was previously known.

“It appears as if the Russian SolarWinds hackers possess granular information on personnel and who among them is likely to be involved in investigating the SolarWinds hack,” said Cedric Leighton, a former NSA official and CNN military analyst. “This could mean that networks have been penetrated to a degree we’ve not known before. If that’s true, we need a complete housecleaning of all our defensive cyberoperations.”

The assessment that hackers deliberately targeted DHS threat hunters, which has not been previously reported, underscores how the SolarWinds attack was among the most sophisticated cyberoperations ever conducted against the US, according to current and former officials.

By keeping tabs on these cyber first responders, sources and experts tell CNN the hackers could have been able to monitor in real-time as US officials began to discover the attack, allowing them to tailor their actions accordingly and remain hidden for as long as possible.

Biden says Putin 'will pay a price' for Russian efforts to undermine the 2020 US election

“What this does is it shows a level of sophistication in terms of targeting those who are working actively to prevent the attacks from either occurring or expanding. And so that is different than what you’re seeing in past cyberattacks,” former acting DHS acting undersecretary Chris Cummiskey told CNN.

“The level of sophistication is problematic because they’re actually going after people that they see as more valuable, so it shows a sense of prioritization,” he added.

While emails belonging to the senior-most cyber officials, including Chris Krebs, the former director of the Cybersecurity…