When it comes to cyber attacks, the U.S. government pretends to be as innocent as “Little Miss Riding Hood”
Recently victims of U.S. government cyber attacks assembled into a single large coalition of computer scientists who executed the most sophisticated cyber attack ever performed.
Officially the U.S. blames Russia for the attack.
The US is readying sanctions against Russia over the SolarWinds cyber attack. Here’s a simple explanation of how the massive hack happened and why it’s such a big deal
SolarWinds was the subject of a massive cybersecurity attack that spread to the company’s clients. Major firms like Microsoft and top government agencies were attacked, and sensitive data was exposed.
SolarWinds, a major US information technology firm, was the subject of a cyberattack that spread to its clients and went undetected for months, Reuters first reported in December. Foreign hackers, who some top US officials believe are from Russia, were able to use the hack to spy on private companies like the elite cybersecurity firm FireEye and the upper echelons of the US Government, including the Department of Homeland Security and Treasury Department.
On Thursday, it was reported that the US government was ready to impose sanctions on about a dozen Russian intelligence officials over their alleged role in interfering with the 2020 presidential election as well as the SolarWinds attack.
Here’s a simple explanation of how the massive breach happened, and why it matters:
An unusual hack
In early 2020, hackers secretly broke into Texas-based SolarWinds’ systems and added malicious code into the company’s software system. The system, called “Orion,” is widely used by companies to manage IT resources. SolarWinds has 33,000 customers that use Orion, according to SEC documents.
Most software providers regularly send out updates to their systems, whether it’s fixing a bug or adding new features. SolarWinds is no exception. Beginning as early as March of 2020, SolarWinds unwittingly sent out software updates to its customers that included the hacked code.
The code created a backdoor into customers’ information technology systems, which hackers then used to install even more malware that helped them spy on companies and organizations.
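The mechanism just described, malicious code inserted into a vendor’s own build so that the poisoned update ships with the vendor’s legitimate signature, is worth seeing in code. The following is an added example, not SolarWinds’ or any vendor’s real pipeline: `build`, `sign` and `check_update` are simplified stand-ins, the source files and signing key are constructed, and HMAC stands in for a real code-signing signature. The point it demonstrates is that a valid vendor signature on an update proves only that the vendor signed what its build produced, not that the build was clean; comparing the shipped artifact against an independent rebuild from the same source is what exposes injected code.

```python
"""Vendor signature vs. independent rebuild check for a software update.

Added example. Everything here is a constructed stand-in: the 'source tree',
the signing key, and the injected bytes. It does not model any real product.
"""
import hashlib
import hmac

# Constructed stand-in for the vendor's code-signing key (not a real key).
VENDOR_SIGNING_KEY = b"constructed-vendor-key"

# Constructed source tree: file name -> contents.
SOURCE = {
    "orion/agent.py": b"def collect():\n    return ping_hosts()\n",
    "orion/net.py": b"def ping_hosts():\n    return []\n",
}

# Constructed stand-in for code added at build time (harmless placeholder text).
INJECTED = b"# <placeholder for code injected during the build>\n"


def build(source, inject=None):
    """Turn the source tree into a single 'artifact' (bytes).

    `inject`, when given as (file_name, extra_bytes), models a compromised
    build step that appends extra code to one file after source control.
    """
    parts = []
    for name in sorted(source):
        body = source[name]
        if inject is not None and name == inject[0]:
            body = body + inject[1]
        parts.append(name.encode() + b"\n" + body)
    return b"".join(parts)


def sign(artifact, key=VENDOR_SIGNING_KEY):
    """The vendor signs whatever the build produced. HMAC-SHA256 stands in
    for a real signature; the property that matters is that it is valid for
    any artifact the build emits, clean or not."""
    return hmac.new(key, artifact, hashlib.sha256).hexdigest()


def verify_signature(artifact, signature, key=VENDOR_SIGNING_KEY):
    return hmac.compare_digest(sign(artifact, key), signature)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def check_update(artifact, signature, source):
    """Customer- or auditor-side checks on a received update.

    Returns (signature_ok, matches_independent_rebuild). The second value
    comes from rebuilding the artifact from the reviewed source tree and
    comparing digests, which is what catches code injected in the pipeline.
    """
    signature_ok = verify_signature(artifact, signature)
    independent_rebuild = build(source)
    rebuild_ok = sha256_hex(independent_rebuild) == sha256_hex(artifact)
    return signature_ok, rebuild_ok


def clean_release():
    """A normal release: build the source, sign the result."""
    artifact = build(SOURCE)
    return artifact, sign(artifact)


def trojaned_release():
    """A release where the build step was tampered with; the vendor still signs it."""
    artifact = build(SOURCE, inject=("orion/net.py", INJECTED))
    return artifact, sign(artifact)


if __name__ == "__main__":
    for label, (artifact, signature) in (
        ("clean", clean_release()),
        ("trojaned", trojaned_release()),
    ):
        sig_ok, rebuild_ok = check_update(artifact, signature, SOURCE)
        print(f"{label}: signature valid={sig_ok}, matches independent rebuild={rebuild_ok}")
```

Running it prints that both releases carry a valid signature while only the clean one matches the independent rebuild. In practice the rebuild comparison needs a deterministic (reproducible) build toolchain and a second party who builds from the reviewed source; the toy `build` above is trivially deterministic, which real compilers and packagers are not without deliberate effort.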
SolarWinds told the SEC that up to 18,000 of its customers installed updates that left them vulnerable to hackers. Since SolarWinds has many high-profile clients, including Fortune 500 companies and multiple agencies in the US government, the breach could be massive. Microsoft president Brad Smith said in a February congressional hearing that more than 80% of the victims targeted were nongovernment organizations.
US agencies — including parts of the Pentagon, the Department of Homeland Security, the State Department, the Department of Energy, the National Nuclear Security Administration, and the Treasury — were attacked. So were private companies, like Microsoft, Cisco, Intel, and Deloitte, and other organizations like the California Department of State Hospitals, and Kent State University, the Wall Street Journal reported.
And since the hack was done so stealthily, and went undetected for months, security experts say that some victims may never know if they were hacked or not, the Wall Street Journal reported.
At the Treasury Department, hackers broke into dozens of email accounts and networks in the Departmental Offices of the Treasury, “home to the department’s highest-ranking officials,” Sen. Ron Wyden said. The IRS hasn’t found any evidence of being compromised, he added. Treasury Secretary Steven Mnuchin said on CNBC that the hackers have only accessed unclassified information, but the department is still investigating the extent of the breach.
Who did it?
Federal investigators and cybersecurity experts say that Russia’s Foreign Intelligence Service, known as the SVR, is probably responsible for the attack. Russian intelligence was also credited with breaking into the email servers of the White House, the State Department, and the Joint Chiefs of Staff in 2014 and 2015. Later, the same group attacked the Democratic National Committee and members of the Hillary Clinton presidential campaign.
Russia has denied any involvement with the breach and former President Donald Trump had suggested, without evidence, that Chinese hackers may be the culprits. But the Biden White House has said it may respond to the cyberattack in the coming weeks, which could include actions against the Russian government.
Microsoft’s Smith said during the February hearing that he believes Russia is behind the attack, and FireEye CEO Kevin Mandia said based on his company’s forensic analysis, the evidence is “most consistent with espionage and behaviors we’ve seen out of Russia.” However, the execs noted that the full extent of the attack is still unfolding.
Why it matters
Now that multiple networks have been penetrated, it’s expensive and very difficult to secure systems. Tom Bossert, President Trump’s former homeland security officer, said that it could be years before the networks are secure again. With access to government networks, hackers could “destroy or alter data, and impersonate legitimate people,” Bossert wrote in an op-ed for the New York Times.
Not only is the breach one of the largest in recent memory, but it also comes as a wake-up call for federal cybersecurity efforts. The US Cyber Command, which receives billions of dollars in funding and is tasked with protecting American networks, was “blindsided” by the attack, the New York Times reported. Instead, a private cybersecurity firm called FireEye was the first to detect the breach, after discovering that its own systems had been hacked.
FireEye CEO Kevin Mandia testified in February after the US Senate summoned SolarWinds, Microsoft, and CrowdStrike to a series of hearings over the sweeping breach.
The hack could accelerate broad changes in the cybersecurity industry. Companies are turning to a new method of assuming that there are already breaches, rather than merely reacting to attacks after they are found, Business Insider previously reported. And the US government may reorganize its cybersecurity efforts by making the Cyber Command independent from the National Security Agency, the Associated Press reported.
The attack may also lead to a strengthened relationship between the US government and the cybersecurity industry, with the private sector helping federal officials fight off nation-state attacks and foreign bad actors in the future, as Insider reported.
SolarWinds: Why the Sunburst hack is so serious
By Joe Tidy – Cyber reporter – 16 December 2020
We’re constantly urged to install these software updates because they improve our apps by boosting cyber-security and removing glitches.
So when, in the spring, a pop-up message hit the screens of IT staff using a popular piece of software called SolarWinds, around 18,000 workers in companies and governments diligently downloaded the update for their offices.
What they couldn’t have known was that the download was booby-trapped.
SolarWinds itself didn’t know either.
The US company had been the victim of a cyber-attack weeks previously that had seen hackers inject a tiny piece of secret code into the company’s next software update.
After staying dormant for a couple of weeks, the powerful digital helper sprang to life inside thousands of computer networks in government, technology and telecom organisations across North America, Europe, Asia and the Middle East.
The US Department of Homeland Security is reported to have been breached.
The undetected digital agent then called home over the internet letting its creator know that it was inside and that it could hold the door open for them to enter too.
For months the hackers, highly likely to be a national cyber-military team, could take their pick, spying on and stealing information, whizzing around thousands of different organisations.
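The two behaviours described above, a dormant period after the update and then a first outbound “call home” to a domain the organisation has never contacted, are exactly what an assume-breach detection can look for in resolver logs. The following is an added example written for this page, not code from the article or from any vendor: the DNS log lines, host names, domains and install dates are all constructed. It flags a host from the software inventory whose first lookup of an organisation-wide-new domain comes a configurable number of days after the update was installed, which is the signal a defender would want to surface for investigation.

```python
"""Flag delayed first contact with never-before-seen domains after a software update.

Added detection example. All log lines, hosts, domains and dates are constructed.
"""
from datetime import date

# Constructed resolver log: "YYYY-MM-DD client_host queried_domain".
DNS_LOG = """\
2020-03-20 orion-srv-01 updates.vendor.example
2020-03-20 web-01 cdn.example
2020-03-25 orion-srv-01 updates.vendor.example
2020-04-06 orion-srv-01 telemetry-sync.example
2020-04-07 orion-srv-01 telemetry-sync.example
2020-04-07 web-01 cdn.example
2020-04-08 orion-srv-01 updates.vendor.example
"""

# Constructed software inventory: host -> date the vendor update was installed.
INSTALLED = {"orion-srv-01": date(2020, 3, 20)}


def parse_log(text):
    """Parse the constructed log into (date, host, domain) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, host, domain = line.split()
        rows.append((date.fromisoformat(day), host, domain))
    return rows


def first_seen_by_domain(rows):
    """Earliest date each domain was queried by anyone in the organisation."""
    first = {}
    for day, _host, domain in rows:
        if domain not in first or day < first[domain]:
            first[domain] = day
    return first


def find_delayed_new_domains(rows, installed, min_dormancy_days=7):
    """Return alerts as (host, domain, first_date, days_after_install).

    A (host, domain) pair is flagged when the host is in the inventory, the
    domain was not seen anywhere in the organisation before the update was
    installed on that host, and its first lookup came at least
    `min_dormancy_days` after installation (the 'dormant, then call home' shape).
    """
    first = first_seen_by_domain(rows)
    alerts = []
    checked = set()
    for _day, host, domain in sorted(rows):
        if host not in installed or (host, domain) in checked:
            continue
        checked.add((host, domain))
        install_date = installed[host]
        if first[domain] < install_date:
            continue  # domain was already in use before the update: not new
        delay = (first[domain] - install_date).days
        if delay >= min_dormancy_days:
            alerts.append((host, domain, first[domain], delay))
    return alerts


if __name__ == "__main__":
    for host, domain, first_date, delay in find_delayed_new_domains(parse_log(DNS_LOG), INSTALLED):
        print(f"ALERT {host}: first contact with {domain} on {first_date}, "
              f"{delay} days after the update was installed")
```

On the constructed log this raises a single alert for `orion-srv-01` contacting `telemetry-sync.example` 17 days after the update; the vendor’s own update domain is not flagged because it was already in use before installation. The threshold and the “new to the whole organisation” rule are what keep this from drowning in routine traffic, and a real deployment would feed it a rolling window of resolver logs rather than a fixed string.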
US most likely target
The most high-profile victim so far, which was also probably the prime target, is the US government.
Multiple office networks are reported to have been compromised including the treasury and commerce departments and Homeland Security.
Governmental and private organisations around the world are now scrambling to disable the affected SolarWinds products from their systems.
Researchers, who have named the hack Sunburst, say it could take years to fully comprehend one of the biggest ever cyber-attacks.
Experts say the way the hackers gained entry to their victims is particularly concerning for national security.
“Governments are unequipped to compete with Silicon Valley and develop their own complex software suites in-house, thus the dependence on external supply chains which are increasingly becoming a target for hackers,” said Jackie Singh, who was a lead cyber-security expert on the Joe Biden presidential campaign and founder of Spyglass Security.
“If a group of well-funded hackers can succeed in modifying just a bit of code somewhere and getting folks to install it as part of a legitimate software suite, they are gaining insider access to organisations which may be otherwise impenetrable, such as governments.”
There is no suggestion that supply chain attacks should put the general public off accepting software updates, as this is an extremely rare case.
State secrets compromised
However, Brian Lord, former deputy director of cyber-operations at UK intelligence agency GCHQ, agrees it is “the underlying access tactic that is the most concerning issue”.
The national intelligence side of the hack is also extremely worrying.
According to Reuters, emails sent by officials at the Department of Homeland Security – which oversees border security and defence against hacking – were monitored by the hackers.
Experts fear the attack may escalate cyber-skirmishes between the US and rivals.
Experts say the case highlights that government communications are vulnerable to the same hacks as private companies. Mr Lord, who now runs cyber-security company PGI, said: “The victims here are key to our national and personal economic well-being, and protection is essential to allow us to function safely in a digital world.
“The fact the hackers can dance unopposed simultaneously into such a breadth of huge organisations through the same means should worry us. The spectrum of mischief and damage they can cause is both significant and global.”
Security teams in all affected organisations could take months trying to figure out which emails were read, documents stolen or passwords compromised in the hack.
It’s not known yet, and we may never be told, what sort of government information was stolen but Mr Lord says the most sensitive communications should still be safe.
“I think it is fair to say that the additional layers of security around top secret and highly classified stuff will be protected by internal controls, so direct access to those is unlikely.”
The hackers probably didn’t have the time or resources to carry out major surveillance on more than a small number of their possible victims, with government departments the most likely targets.
Biggest hack for years
Prof Alan Woodward, a cyber-security researcher at the University of Surrey, says: “Post Cold War, this is one of the potentially largest penetrations of Western governments that I’m aware of.
“Just think about why countries conduct espionage. It’s to give them an advantage, and that isn’t necessarily just a military advantage, especially in peace time: use of intelligence in gaining economic advantage in all sorts of ways is a major aspect of why countries have intelligence-gathering operations.
“There is also the personal dimension. We saw that when the Office of Personnel Management was hacked in the US, the private details of many government employees were potentially accessed. These details are reserved for those who have undergone security vetting and are incredibly sensitive.”
Russia being blamed
Prof Woodward, like many in the security world, says the attack has the hallmarks of a Russian operation, although this cannot yet be confirmed.
Others, including researchers at FireEye, which discovered the hack after falling victim themselves, are pointing at a known Russian government team known as Cozy Bear.
Russia’s foreign ministry described the allegations as baseless, in a statement on Facebook.
It could be months before we see a US response, but it’s likely that if the US government does conclude it was Russia there could be geopolitical consequences.
Cyber-attack responder Marina Krotofil, who used to work for FireEye, says the hack may increase tensions.
“In past years, the USA has imposed a series of sanctions on Russia, including the most recent indictment of the Russian military hackers. However, Russia explicitly demonstrates that they are not intimidated and are not going to slow down with their cyber-activities. This will further escalate relationships between the US and Russia and, in the long run, create severe political conflicts.”
The ‘Sunburst’ hack may well represent a major salvo in the virtual skirmishes between rival nations – an escalation which could have serious consequences.