Capitol attack's cybersecurity fallout: Stolen laptops, lost data and possible espionage

The January 6 attack on Election Day certification proceedings in the US Capitol Building has deep cybersecurity ramifications.
Written by David Gewirtz, Senior Contributing Editor

FBI is seeking certain people of interest. See notice at the end of this article.

When hostile actors penetrated the Capitol Building on January 6, they gained access to individual chambers and offices and remained at large within the Capitol complex for well over two hours.

We have reports that items were stolen. One report comes from acting US Attorney for DC, Michael Sherwin, who stated "items, electronic items were stolen from senators' offices, documents and ... we have to identify what was done to mitigate that." My local Senator, Jeff Merkley (D-Ore.), reported that at least one laptop had been stolen.


Amid stolen laptops, lost data and potential espionage, the cybersecurity consequences of this attack will take months to sort out. Here's a look at the cybersecurity issues.  

National security issues

While surveillance undoubtedly tracked many of the hundreds who made it inside the building, we cannot assume we know the exact second-by-second movements of everyone who gained entrance. That means there is no way to know what actions were taken against digital gear inside the building.

Passwords, documents, access codes, and confidential or secret information may have been stolen. We also need to assume that some computers may have been compromised, with malware loaded onto them. Since malware is key to any systemic penetration, we must assume that bad actors have gained some persistent, hidden, ongoing access to Capitol Building systems.

In all likelihood, only a small number of machines were compromised. But given the sensitive nature of information stored on digital gear inside the Capitol, and given that it may be impossible to quickly ascertain which devices were compromised, federal IT personnel must assume that ALL the digital devices at the Capitol have been compromised.

The situation is actually worse than it may appear at first. According to a USA Today timeline, Congress reconvened at 8pm on January 6. It's likely that staff computer use began mere minutes after Congress reconvened. Obviously, there was no way to completely lift and replace thousands of machines instantly. Therefore, from that moment until now, members and their staff have been using digital devices that may have been compromised. That means that all communications, files, and network connections from and to those devices may have also been compromised.

Physical access raises the stakes

If the Capitol's computers had been penetrated by a traditional malware-driven hack followed by a breach over the Internet, mitigation could have been moderately straightforward, if inconvenient and painful. Systems could have been scanned for malware, and -- in the most sensitive cases -- hard drives could have been zeroed or replaced.

But there were hundreds of unauthorized people in the building, people who were photographed having gained access to the desks and private offices of members. These people could have gone anywhere within the building.

We also have to assume that there were some foreign actors who entered the building by blending into the crowd. Yes, I know this sounds paranoid, but hear me out. We know that Russia and other nations have been conducting cyberattacks against America for some time.

We also know that the final congressional certification of ballots for the 2020 presidential election was Constitutionally mandated for January 6 -- and because of the heated rhetoric, it was all but a certainty that there would be crowds and unrest.

It is therefore highly likely that enemy (or frenemy) actors were likewise aware of the potential for unrest around the Capitol Building. While the specific details of exactly what would unfold, and in what order, on January 6 were impossible to predict, there's good reason to expect that international handlers would find it prudent to keep small squads of agents on standby. That way, if the opportunity presented itself, they could surreptitiously insert those agents into the situation.

Therefore, we have to assume that some of the people who penetrated Capitol Hill were probably foreign actors. And from that observation, we have to expect one or more of those foreign actors who made it inside took some physical action against machines normally out of reach.

Physical access is more than stealing computers

Once an enemy agent gains physical access, a lot can happen. And by a lot, I mean stealth attacks that will require the Capitol's IT teams to mount a scorched-earth remediation effort. First, let's be aware that malware often doesn't show itself until a set period of time has elapsed or a trigger event occurs. So machines that seem perfectly fine may well be Trojan horses.

It is possible that machines were opened and thumb drives or even extra drives were placed inside machines, which were then sealed back up. With a power screwdriver, it's possible to open up the skins of a tower PC, shove a USB stick into an open internal port, and seal the thing back up in a minute or two. These might never be detected.

When Stuxnet destabilized the Natanz centrifuges in Iran, the worm was delivered via USB drives smuggled into the facility. In the case of Capitol security, hundreds of people were inside the Capitol Building. An effective attack would simply be to leave random, generic USB drives in various drawers and on various desks. Without a doubt, someone would see the drive, assume it was one of their own, and plug it in. Malware delivered.

There are other physical attacks possible. We've talked previously about a USB charger with a wireless keylogger. We've written about the Power Pwn, a device that looks like a power strip but which hides wireless network hacking tools. We've discussed how a man-in-the-middle attack was launched against EU offices, siphoning Wi-Fi traffic to an illegal listener.

With hundreds of people inside the Capitol Building, devices like these could have been left in place. It could take weeks or months to discover them, especially if they were left as if they were clutter, to be used by random staffers when they need a spare piece of hardware.

What must be done

There are some IT best practices that can reduce the risk. Network micro-segmentation can prevent malware from crossing between zones, for example. But no network-based security practice can completely mitigate a physical attack.

The Capitol Building must be completely scrubbed. All machines must be scanned. Any desktop PC that is not hermetically sealed must be opened and the internals carefully inspected. USB ports must be locked down, so Capitol Hill staffers can't plug in random USB drives. The building must be repeatedly swept on a room-by-room, floor-by-floor basis for rogue radio-frequency transmitters.
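As an added example that is not from the article: a PowerShell fragment that audits and then applies a removable-storage lockdown on a Windows endpoint, using the standard Removable Storage Access policy value and the USBSTOR driver start type. It assumes a Windows 10 or Windows Server host and an elevated session; in a domain the same values would normally be pushed by Group Policy rather than set by hand.

```powershell
# Added example (not from the article): enforce and audit the "USB ports must be
# locked down" control on one Windows endpoint. Registry paths and value names
# below are real Windows locations; run from an elevated PowerShell session.

# Policy-based control: "All Removable Storage classes: Deny all access"
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Driver-level control: USBSTOR service start type (3 = enabled, 4 = disabled)
$usbstorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-RemovableStorageState {
    # Report the current settings and whether both controls are in place.
    $denyAll = (Get-ItemProperty -Path $policyKey  -Name 'Deny_All' -ErrorAction SilentlyContinue).Deny_All
    $start   = (Get-ItemProperty -Path $usbstorKey -Name 'Start'    -ErrorAction SilentlyContinue).Start
    [pscustomobject]@{
        DenyAllPolicy = if ($null -eq $denyAll) { 'not set (weak: removable storage allowed)' } else { $denyAll }
        UsbstorStart  = $start
        Hardened      = ($denyAll -eq 1) -and ($start -eq 4)
    }
}

function Set-RemovableStorageLockdown {
    # Weak default: no Deny_All value and USBSTOR Start = 3, so a stick found in
    # a drawer mounts the moment it is plugged in.
    # Hardened: deny every removable-storage class and disable the USBSTOR driver.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey  -Name 'Deny_All' -Value 1 -Type DWord
    Set-ItemProperty -Path $usbstorKey -Name 'Start'    -Value 4 -Type DWord
}

# Audit, apply, audit again so the change is visible in the console log.
Get-RemovableStorageState
Set-RemovableStorageLockdown
Get-RemovableStorageState
```

This blocks mass-storage devices only; a keyboard-emulating USB device still enumerates as HID, so device-installation restrictions and physical port blockers remain necessary alongside it.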

Congressional staffers must be educated about what to look for, about best practices, and about taking extra care even if it takes extra time.

Every single digital device within the Capitol grounds must be considered suspect. It's essential that a strong security posture be maintained even after active machines have been tested and scanned, because we need to be on the lookout for delayed threats and attacks that are hiding, waiting for their opportunity to trigger access.

Espionage Act violations

Finally, everyone who participated in the attack, particularly those who penetrated the building, must be prosecuted to the fullest extent of the law and possibly even charged with Espionage Act violations. While some of the participants may have been characterized as "patriots" or angry "fine people," the fact is that their actions may have provided cover for acts of espionage by our nation's enemies.

I can hear what you're saying. "But David, isn't it being a little paranoid to think other countries would take advantage of our own internal disputes?" Okay, fine. Nobody would say that. Instead, there'd be a lot of fist waving and yelling at me. But for our purposes, let's go with the civil version.

And no, it's not a little paranoid. Russia did meddle with the 2016 election. It's part of basic tradecraft to incite anger and disagreements among a target's population. We know Russian meddling has contributed to the anger and rage we're all feeling -- although our own politicians certainly leveraged it for their own selfish interests.

The Capitol Building attack was absolutely rage and anger based. Given that sowing unrest is a major part of Russia's playbook, it's entirely likely that they were very aware of the significance of the January 6 date and were quite prepared to capitalize on it to the fullest extent. And all that brings us to espionage -- conducted by foreign actors, but very likely aided and abetted by duped or complicit Americans strung out on a rage high.

Those who stormed Capitol Hill may have violated 18 U.S. Code § 792 - Harboring or concealing persons. This code is simple, stating, "Whoever harbors or conceals any person who he knows, or has reasonable grounds to believe or suspect, has committed, or is about to commit, an offense." If a case can be made that any of the attackers might merely suspect an external agent would breach the building with them, they're in violation of this statute.

They may have also violated 18 U.S. Code § 793 - Gathering, transmitting or losing defense information. This is one of the big ones, opening with "Whoever, for the purpose of obtaining information respecting the national defense with intent or reason to believe that the information is to be used to the injury of the United States, or to the advantage of any foreign nation..." Stopping or overturning an election can definitely be considered "to the injury of the United States," and again, if any of this information is disclosed to a foreign power -- even via a photo on Twitter, it's a serious violation.

It goes on to list a vast array of government resources that, if breached, would be in violation, including "...building, office, research laboratory or station or other place connected with the national defense owned or constructed, or in progress of construction by the United States or under the control of the United States, or of any of its officers, departments, or agencies..." Clearly, the Capitol Building falls under this, especially since congressional committees do deal with highly classified information.

People who commit crimes under these codes "shall be fined under this title or imprisoned not more than ten years, or both."

It's with 18 U.S. Code § 794 - Gathering or delivering defense information to aid foreign governments that things start to get serious. The statute begins with "Whoever, with intent or reason to believe that it is to be used to the injury of the United States or to the advantage of a foreign nation," and, again, blocking the Constitutionally-mandated certification of an election is injurious to the United States.

But here's where it gets dicey for those who broke in on January 6. The statute continues:

...communicates, delivers, or transmits, or attempts to communicate, deliver, or transmit, to any foreign government, or to any faction or party or military or naval force within a foreign country, whether recognized or unrecognized by the United States, or to any representative, officer, agent, employee, subject, or citizen thereof, either directly or indirectly, any document, writing, code book, signal book, sketch, photograph, photographic negative, blueprint, plan, map, model, note, instrument, appliance, or information relating to the national defense...

This statute is very broad, essentially saying that even if delivery is made to someone not officially recognized as a foreign national, or even if delivery is made indirectly (say via a friend, an eBay auction, pictures on Instagram, etc.), it's in violation. So those pictures we saw of desks with documents, screens with email, etc.? If any one item in any of those pictures was confidential or classified, and could be seen by a foreign agent, this clause is triggered.

The punishment? Well, let's let the statute speak for itself: "shall be punished by death or by imprisonment for any term of years or for life." Ouch!

Let's be clear here. Most of the attackers were Americans. And as despicable as their actions were -- and breaking into and interrupting a Constitutional practice is despicable, regardless of which side of the aisle you're on -- most of them most likely thought they were acting on behalf of the US, not with intent to injure it.

The law often takes into account intent. But when it comes to espionage, the law has a very large hammer. The United States does not take kindly to espionage. With thousands of people in the crowd outside the building and hundreds who broke in, there was no way for those committing the crime to know who their fellow mob members might be at the time. Providing cover for enemy agents, even if it could be argued it was done through naivety or stupidity, is still providing cover for enemy agents. 

This is going to play out for months or years, both in our courts and within the United States Intelligence Community. If any secured information resulting from this breach winds up in any foreign hands, the stakes will go up immeasurably and those good ol' boys from middle America wearing dad jeans and baseball caps or goat horns, face paint, and fur bikinis may well find themselves subject to the full might and wrath of the United States Government -- the very government they tried to overthrow.

You can help

InfraGard posted a recent alert that I'm now sharing with you. The Federal Bureau of Investigation's Washington Field Office is seeking the public's assistance in identifying individuals who made unlawful entry into the US Capitol Building on January 6, 2021, in Washington, D.C.

In addition, the FBI is offering a reward of up to $50,000 for information leading to the location, arrest, and conviction of the person(s) responsible for the placement of suspected pipe bombs in Washington, D.C. on January 6, 2021. 

At approximately 1:00 p.m. EST on January 6, 2021, multiple law enforcement agencies received reports of a suspected pipe bomb with wires at the headquarters of the Republican National Committee (RNC) located at 310 First Street Southeast in Washington, D.C.

At approximately 1:15 p.m. EST, a second suspected pipe bomb with similar descriptors was reported at the headquarters of the Democratic National Committee (DNC) at 430 South Capitol Street Southeast #3 in Washington, D.C.

Anyone with information regarding these individuals, or anyone who witnessed any unlawful violent actions at the Capitol or near the area, is asked to contact the FBI's Toll-Free Tipline at 1-800-CALL-FBI (1-800-225-5324) to verbally report tips. You may also submit any information, photos, or videos that could be relevant online at fbi.gov/USCapitol. You may also contact your local FBI office or the nearest American Embassy or Consulate.

Disclosure: David Gewirtz is a member of InfraGard, a partnership between the Federal Bureau of Investigation (FBI) and members of the private sector for the protection of U.S. Critical Infrastructure.
