The president ordered a board to probe a massive Russian cyberattack. It never did.

This article was originally published by ProPublica, a Pulitzer Prize-winning investigative newsroom.

After Russian intelligence launched one of the most devastating cyber espionage attacks in history against U.S. government agencies, the Biden administration set up a new board and tasked it to figure out what happened — and tell the public.

State hackers had infiltrated SolarWinds, an American software company that serves the U.S. government and thousands of American companies. The intruders used malicious code and a flaw in a Microsoft product to steal intelligence from the National Nuclear Security Administration, National Institutes of Health and the Treasury Department in what Microsoft President Brad Smith called “the largest and most sophisticated attack the world has ever seen.”

The president issued an executive order establishing the Cyber Safety Review Board in May 2021 and ordered it to start work by reviewing the SolarWinds attack.

But for reasons that experts say remain unclear, that never happened.

Nor did the board probe SolarWinds for its second report.

For its third, the board investigated a separate 2023 attack, in which Chinese state hackers exploited an array of Microsoft security shortcomings to access the email inboxes of top federal officials.

A full, public accounting of what happened in the SolarWinds case would have been devastating to Microsoft. ProPublica recently revealed that Microsoft had long known about — but refused to address — a flaw used in the hack. The tech company’s failure to act reflected a corporate culture that prioritized profit over security and left the U.S. government vulnerable, a whistleblower said.

The board was created to help address the serious threat posed to the U.S. economy and national security by sophisticated hackers who consistently penetrate government and corporate systems, making off with reams of sensitive intelligence, corporate secrets or personal data.

For decades, the cybersecurity community has called for a cyber equivalent of the National Transportation Safety Board, the independent agency required by law to investigate and issue public reports on the causes and lessons learned from every major aviation accident, among other incidents. The NTSB is funded by Congress and staffed by experts who work outside of the industry and other government agencies. Its public hearings and reports spur industry change and action by regulators like the Federal Aviation Administration.

So far, the Cyber Safety Review Board has charted a different path.

The board is not independent — it’s housed in the Department of Homeland Security. Rob Silvers, the board chair, is a Homeland Security undersecretary. Its vice chair is a top security executive at Google. The board does not have full-time staff, subpoena power or dedicated funding.

Silvers told ProPublica that DHS decided the board didn’t need to do its own review of SolarWinds as directed by the White House because the attack had already been “closely studied” by the public and private sectors.

“We want to focus the board on reviews where there is a lot of insight left to be gleaned, a lot of lessons learned that can be drawn out through investigation,” he said.

As a result, there has been no public examination by the government of the unaddressed security issue at Microsoft that was exploited by the Russian hackers. None of the SolarWinds reports identified or interviewed the whistleblower who exposed problems inside Microsoft.

By declining to review SolarWinds, the board failed to discover the central role that Microsoft’s weak security culture played in the attack and to spur changes that could have mitigated or prevented the 2023 Chinese hack, cybersecurity experts and elected officials told ProPublica.

“It’s possible the most recent hack could have been prevented by real oversight,” Sen. Ron Wyden, a Democratic member of the Senate Select Committee on Intelligence, said in a statement. Wyden has called for the board to review SolarWinds and for the government to improve its cybersecurity defenses.

In a statement, a spokesperson for DHS rejected the idea that a SolarWinds review could have exposed Microsoft’s failings in time to stop or mitigate the Chinese state-based attack last summer. “The two incidents were quite different in that regard, and we do not believe a review of SolarWinds would have necessarily uncovered the gaps identified in the Board’s latest report,” they said.

The board’s other members declined to comment, referred inquiries to DHS or did not respond to ProPublica.

In past statements, Microsoft did not dispute the whistleblower’s account but emphasized its commitment to security. “Protecting customers is always our highest priority,” a spokesperson previously told ProPublica. “Our security response team takes all security issues seriously and gives every case due diligence with a thorough manual assessment, as well as cross-confirming with engineering and security partners.”

The board’s failure to probe SolarWinds also underscores a question critics including Wyden have raised about the board since its inception: whether a board with federal officials making up its majority can hold government agencies responsible for their role in failing to prevent cyberattacks.

“I remain deeply concerned that a key reason why the Board never looked at SolarWinds — as the President directed it to do so — was because it would have required the board to examine and document serious negligence by the U.S. government,” Wyden said. Among his concerns is a government cyberdefense system that failed to detect the SolarWinds attack.

Silvers said while the board did not investigate SolarWinds, it has been given a pass by the independent Government Accountability Office, which said in an April study examining the implementation of the executive order that the board had fulfilled its mandate to conduct the review.

The GAO’s determination puzzled cybersecurity experts. “Rob Silvers has been declaring by fiat for a long time that the CSRB did its job regarding SolarWinds, but simply declaring something to be so doesn’t make it true,” said Tarah Wheeler, the CEO of Red Queen Dynamics, a cybersecurity firm, who co-authored a Harvard Kennedy School report outlining how a “cyber NTSB” should operate.

Silvers said the board’s first and second reports, while not probing SolarWinds, resulted in important government changes, such as new Federal Communications Commission rules related to cellphones.

“The tangible impacts of the board’s work to date speak for itself and in bearing out the wisdom of the choices of what the board has reviewed,” he said.

“We have fully complied with the executive order”

The SolarWinds attack was a wakeup call for the federal government and the private sector. The White House’s executive order was designed to allow officials to move quickly to implement new cybersecurity practices.

But the executive order limited what the new cybersecurity board could do: The president cannot allocate funding from Congress or grant subpoena power.

When the board launched in early 2022, it bore little resemblance to the cyber board that Wheeler and her co-authors outlined in their Harvard report.

“Not a single one of our recommendations was adopted,” she said.

Housed in DHS’ Cybersecurity and Infrastructure Security Agency, the board consists of 15 unpaid volunteers — eight from government agencies and seven from the private sector. Silvers said this ensures the board has cutting-edge knowledge and the ability to follow through on its recommendations.

Although the board’s first mandate was to investigate SolarWinds, Silvers said Homeland Security Secretary Alejandro Mayorkas tasked the board instead to review a recently discovered vulnerability in Log4j, software used by millions of computers, which could allow attackers to breach systems worldwide, including some used by the U.S. government.

Silvers said it “was a perfect use case” for the board’s first review and that the White House agreed.

The board’s Log4j report, published in July 2022, found there had been no significant attacks on critical infrastructure systems due to this vulnerability. It offered 19 recommendations for companies, government bodies and open-source software developers.

Silvers continued to face questions about the decision not to probe SolarWinds but maintained that Log4j had been the more pressing topic for review.

“We have fully complied with the executive order,” Silvers told media on a call that month.

At first, a government watchdog agency disagreed.

When the GAO conducted its review of the executive order’s implementation, it found that the board had failed to fulfill its mandate. In its draft report, it recommended that Homeland Security direct the board to review SolarWinds as the president had instructed.

That didn’t sit well with DHS, which was given a chance to review and comment on the draft as part of the GAO’s standard process. DHS argued in a letter that the “intent” of a board review of SolarWinds had been met by references to the hack in the board’s Log4j report and previous research on SolarWinds by the DHS agency that administers the board.

Homeland Security also noted that the executive order had set a 90-day deadline for the board to complete the SolarWinds review, which it said was “unachievable.” Directing the board to do such a review now, it argued, would be “duplicative of prior work and an imprudent use of resources.”

“We request that GAO consider this recommendation resolved and closed, as implemented,” the letter said.

GAO agreed. Its final study said the mandate for a board review of SolarWinds had been “fully implemented.” The GAO accepted two government reports in place of one from the board: the Log4j review and a 2021 review of SolarWinds by the National Security Council, which is not public.

An aide to Wyden said the senator had not seen the NSC review. Neither has the GAO. Instead, the GAO told ProPublica that it “interviewed key contributors” to the security council’s review. The office also summarized three recommendations that the NSC deemed acceptable for public release, including a call for better information sharing among federal agencies. A spokesperson from the security council declined to comment.

The GAO said it accepted the board’s Log4j review because it included “information from the SolarWinds incident.” But aside from footnotes, the report mentions SolarWinds only once.

A board report would have been more beneficial to the cybersecurity community because it would have offered a detailed, public accounting of a major attack, said Steven Bellovin, a professor of computer science at Columbia University who has written articles and given presentations about the need for an independent cybersecurity board. “A secret report does not accomplish that,” he said.

Trey Herr, an assistant professor of foreign policy and global security at American University who co-authored reports on the CSRB and SolarWinds, also criticized the GAO’s decision. “I don’t know why GAO would suggest a private NSC review and a different CSRB work product are equivalent, given their vastly different authorities, scope, operation and expectations of transparency,” he said.

Asked to explain why it credited Homeland Security for completing a review that never occurred, Marisol Cruz-Cain, a director with GAO’s information technology and cybersecurity team, said in a statement that the office “stands by the statements and assessments.”

“GAO believes the government had taken sufficient steps to review the SolarWinds incident,” she said, including through collaboration with multiple federal agencies and the private sector and “by disseminating relevant guidance about SolarWinds.”

GAO also conducted its own study of SolarWinds, which was published in 2022. Like the other government reviews, it did not probe Microsoft’s role in the attack. A spokesperson said the GAO was focused on the impact the hack had on the federal government, so “we did not engage with Microsoft.”

'This intrusion should never have happened'

After the 2023 Chinese-led hack used Microsoft vulnerabilities to infiltrate U.S. systems, the board scrutinized the tech giant’s role in the attack.

The report was scathing. “The Board concludes that this intrusion should never have happened,” the report found, citing a “cascade of security failures at Microsoft.” The board called for an overhaul of Microsoft’s “inadequate” security culture and listed seven areas where the company failed to apply proper security practices or to detect or address flaws or risks.

Microsoft announced a series of changes and said it would implement all of the board's recommendations.

The report triggered a House Homeland Security Committee hearing with Microsoft president Smith last month. Smith said the company was making security its top priority.

He also raised concerns about the board’s conflicts of interest. While Wyden and other experts have criticized the role of federal officials, Smith complained about the board’s private-sector members, including executives from Google and other Microsoft competitors. “I think it’s a mistake to put on the board the competitors of a company that is the subject of a review,” he said. Smith warned that other companies might not be as cooperative with the board as he said Microsoft had been.

Three of the board’s private-sector members — including board Vice Chair Heather Adkins, a Google executive — recused themselves from the Microsoft report, as did two members from the Office of the National Cyber Director and one from the FBI, who were replaced by one colleague from each agency.

A DHS spokesperson declined to say why the public-sector members recused themselves but said board members are required to step aside if a review includes “examinations of their employers’ products or those of competitors” or if a board member has “financial interests relating to matters under consideration.”

Silvers said every board member, including public-sector members, goes through a “rigorous” review of conflicts of interest. He said the current model has proven effective and is less costly than standing up an independent agency.

“Creating an entirely new agency with a professional workforce would be exceedingly expensive, would take many years to do and could cannibalize the scarce cyber talent that we have in the U.S. government as it is,” he said. “In an era of scarce budgets, belt tightening, competition for talent, it’s really a terrific model.”

Still, DHS acknowledges that the board needs more resources and investigative muscle. Last year, the department released proposed legislation to make the board permanent, with dedicated funding, limited subpoena power and a full-time staff.

Silvers said the bill has the support of the Biden administration, but it has not been introduced and does not have a sponsor.

Wheeler, the cybersecurity executive, said she recognizes how challenging any reforms would be but that she and others will keep advocating for the board to become an independent government agency.

“I am frankly surprised that they got [the board] done at all,” she said. “Now I want them to make it better.”

Right-wing websites connected to former Trump lawyer are scamming loyal followers with phony celebrity pitches

ProPublica is a Pulitzer Prize-winning investigative newsroom.

Oprah Winfrey looked upset.

The photo caught her midsentence, her left hand jabbing at the camera.

“They are twisting everything,” the TV icon was quoted as saying, under a red “BREAKING NEWS” banner.

The ad featuring the Winfrey image and quote ran on the conservative website DC Swamp Tales. It directed readers to a webpage that resembled a news article. The text spun a narrative about a television interviewer who unfairly berated Winfrey for promoting a revolutionary product that could “reverse Dementia instantly & for good.”

But there was no such dispute. Winfrey’s quote was fake, and her name and likeness were used without permission. The product, a low-dose, cannabis-derived gummy supplement, does not treat dementia, let alone reverse it.

“These ads are false. Oprah Winfrey does not have anything to do with these products,” Nicole Nichols, a spokesperson for Winfrey’s company Harpo Inc., told ProPublica.

Such scam ads have proliferated on right-wing websites worldwide in the past eight months. They use fake endorsements from celebrities including Winfrey, country music singers Dolly Parton and Reba McEntire, Twitter and Tesla owner Elon Musk, actor Ryan Reynolds, Canadian prime minister Justin Trudeau and former German chancellor Gerhard Schröder to promote dubious medicines and cryptocurrency frauds. Conservative publishers make money from each click on a deceptive ad, exploiting their like-minded readers.

The ads were placed by AdStyle, an ad network whose corporate website lists it as being registered in Delaware with an office in Boca Raton, Florida. Its website said it is “trusted by” major brands including Toyota, Ikea, EA Games and L’Oréal. But Florida and Delaware corporate registries have no record of AdStyle, which appears to be operated by a Latvian couple living in Italy. Spokespeople for Toyota and Ikea said they could not find any records of those companies working with AdStyle. EA Games and L’Oréal did not respond to queries.

“These ads are certainly terrible,” said Kirsten Grenier Burnett, a spokesperson for McEntire. Spokespeople for Trudeau, Musk, Reynolds, Schröder and Parton either did not respond or declined to comment.

This month, after reporters contacted AdStyle, the “trusted by” assertion and the brand logos were removed from the company’s website.

Since November, reporters for ProPublica, Sweden’s Expressen newspaper, the Organized Crime and Corruption Reporting Project, and Paper Trail Media in Germany have viewed hundreds of AdStyle ads across scores of right-wing websites. The vast majority of the ads were outright scams or made seemingly exaggerated claims. “This 197-Year-Old Man’s Longevity Secret Makes Your Cells 4 TIMES Younger,” one pitch proclaimed.

AdStyle ads are often displayed on a network of more than a dozen U.S. conservative outlets connected to a lawyer whose clients have included former President Donald Trump. Advertisers pay AdStyle to show their ads to web users, and the company splits the revenue with its publisher partners. Its ads are easy to spot because they carry the AdStyle logo.

The prevalence of scam ads on AdStyle and its many partnerships with right-wing sites around the world exemplify how conservative publishers, politicians and operatives profit from fleecing their fellow right-wingers — and how some players take the strategy global. Even the editorially conservative National Review has acknowledged “the right’s grifter problem.”

Deceptive ads abound on Trump’s Truth Social network, while his former campaign chair Steve Bannon and other supporters face federal charges for running an alleged fraudulent donation scheme to build a privately funded border wall. (Bannon has pleaded not guilty to money laundering, fraud and conspiracy charges. Two other people have pleaded guilty.)

A recent New York Times investigation revealed how a group of conservative operatives had raised close to $100 million using robocalls that asked for money to help veterans and first responders. Only 1% of the money went to those causes. And this month ProPublica reported on an IRS whistleblower complaint alleging that leaders of 2020 election denialist nonprofit True the Vote had used donations for personal gain. True the Vote said the complaint was without merit.

Digital advertising has made it easy and lucrative to target people on the internet with scam ads and donation pitches. Besides AdStyle, other networks and social media platforms have carried scam ads. Earlier this month, Harpo filed two federal lawsuits against people and companies it said used Winfrey’s name and trademarks without permission to market weight loss and CBD gummies. Both cases are pending. Harpo did not sue AdStyle. Asked why, Winfrey’s company declined to comment.

It’s unclear who ultimately owns AdStyle and how much money it and its publisher partners earn from the scam ads. Ad networks like AdStyle act as a middleman by connecting advertisers with publishers. An advertiser signs up with a network, uploads the ads it wants to run, identifies the kind of people it wants to reach, and sets the price range it’s willing to pay each time someone views or clicks on an ad.

Meanwhile, the network signs deals with publishers to place ads on their websites in exchange for a share of the revenue. It’s unclear how AdStyle splits revenue with publishers, but ad networks typically take between 20% and 50% of the revenue generated.

In the U.S., AdStyle primarily works with right-wing sites operated by two companies, Saber Communications and Digital Communications LLC, located a few doors down from each other in Fredericksburg, Virginia.

The companies are owned by Andrew Coelho and Michael Rothfeld, political marketers with ties to former U.S. representative and presidential candidate Ron Paul and his son, Kentucky Sen. Rand Paul. Federal Election Commission records show Saber provided digital marketing services to Rand Paul and PACs that support him. Ron Paul’s 2012 presidential campaign paid Saber close to $8 million.

With names like Liberal Hack Watch, DC Dirt Sheet and DC Swamp Tales, most sites in the Saber/Digital Media Communications network publish content with a pro-Trump bent. Four other sites produce Christian content or travel and lifestyle advice for conservatives.

Through their websites, Rothfeld and Coelho collect the email addresses of American conservatives and target them with paid political and marketing messages.

“I am a professional junk mailer,” Rothfeld said in a 2012 talk to the Young Americans for Liberty National Convention, according to BuzzFeed News. “I am a professional telemarketer. I’m a professional spammer — like, a hundred million pieces of, emails a month. And I’m a professional negative campaigner. And I’m damn proud of all four.”

Until 2020, Digital Communications listed David Warrington as its registered agent. The Virginia-based Warrington was also the agent for at least seven now-defunct LLCs connected to websites in the Rothfeld/Coelho network.

Warrington represented Trump in his dealings with the Jan. 6 congressional committee. His clients have also included Jesse Benton, a Texas political consultant convicted of illegally funneling money to Trump’s campaign on behalf of Roman Vasilenko, who has been described as a “Russian naval officer turned multilevel marketer.” Vasilenko, who was not charged, did not respond to requests for comment through his social media accounts.

Warrington said he represents Rothfeld, Coelho and their companies. He provided a statement from Saber about the AdStyle ads on its sites.

AdStyle is “by far our least active ad service, delivering less than 3% of total banner impressions on the sites we manage,” the statement said. “For the sites that still host their ads in low-priority positions, their ads currently generate an average of $11 per month per site.” He declined to comment further.

Rand Paul and the Trump campaign did not respond to requests for comment, nor did Ron Paul when he was contacted through his institute and social media accounts.

In Sweden, AdStyle works with Samnytt, one of the country’s leading far-right sites. In 2021, its publisher and political editor, Mats Dagerlind, was convicted in a Stockholm court of gross defamation against a Syrian-Swedish journalist for calling him a “jihadist undercover.” Dagerlind was fined about $2,800 plus court costs and given a suspended sentence. The site’s CEO is Kent Ekeroth, a politician affiliated with the Sweden Democrats, a nationalist party that pursues anti-immigration policies.

In a statement to the Expressen newspaper, Dagerlind said the site does not control the content of ads placed by AdStyle. “Due to political persecution from the establishment in Sweden, Samnytt has been blocked from using the more established ad exchanges,” he said. (Google Ads, for example, do not appear on Samnytt.)

In Germany, AdStyle places ads on far-right sites such as Journalistenwatch, which a previous ProPublica investigation identified as a source of false information.

“We don’t care because we think our readership is smart enough to not be scammed,” said Conny Axel Meier, a member of Journalistenwatch’s board and editorial team. “I don’t really care what advertising is going on. After all, we work with a lot of advertising partners. We don’t control the advertising, we don’t care, we can’t check them all.” He plans to continue working with AdStyle “as long as I don’t get a letter from a public prosecutor’s office,” he added.

The celebrities featured in the scam ads on these and other sites change depending on the location of the person viewing the ad. In Germany, scam ads featured Schröder and former tennis star Boris Becker. In Sweden, they used Stefan Persson, the majority owner of fast fashion retailer H&M and the country’s richest person. In each case, the ads placed by AdStyle sent readers to websites promoting fraudulent cryptocurrency investment schemes that can cause people to lose their life savings.

“These are 100% incorrect and false claims,” said Kristina Stenvinkel, a spokesperson for Persson’s family company. “It is very regrettable that there are people who fabricate and mislead by exploiting and using public figures for their own gain.”

On its LinkedIn page, AdStyle says it was founded in 2015 by “a small group of great minds in Boca Raton.” Its website gives an address there. But building management and a lessor of office space there said AdStyle isn’t a tenant.

At least five profiles for current AdStyle employees on LinkedIn use headshots that exhibit characteristics of AI-generated images, such as mismatched earrings and unrealistic backgrounds. ProPublica could not find the employees in public records. One actual employee is Anna Bella Burjak, whose LinkedIn profile says she is the company’s director of business development.

Burjak is married to a web developer named Leonid Volinski, whose name appears in a domain registration linked to AdStyle. Originally from Latvia, the couple used to live in Israel but recently moved to a town roughly 60 miles from Venice, Italy.

When reporters visited the couple’s residence, Burjak and Volinski declined to comment. Within a day, AdStyle had removed the investment and dementia scam ads from the network, including the Winfrey ad.

“We have taken immediate action to reinforce our systems and processes, working diligently to enhance our ad approval mechanisms to better prevent the appearance of misleading or low-quality advertisements,” the company said in an unsigned email. “We are actively reviewing and refining our content moderation policies.”