SolarWinds attacks — a lot worse than first thought?

The breadth and depth of the attacks will take months, if not longer, to fully understand.
4 January 2021

The worst is not over with Russia’s hacks. Source: Shutterstock

  • More than 250 federal agencies and businesses discovered that their digital systems had been breached by hackers in a months-long espionage operation
  • In reality, the magnitude of this national security breach is difficult to overstate
  • Attorney General William Barr and Secretary of State Mike Pompeo have both pointed the finger at Russia

In 2014, the US government faced the greatest theft of sensitive personnel data in history, known as the Office of Personnel Management hack. It was a big deal for national security because it handed hackers a trove of inside information. To date, neither the scope and scale of that breach nor its significance is said to have been fully aired.

Five years later, in October 2019, a series of major breaches began that went undetected for months. It peaked at the worst possible time, when the country was at its most vulnerable — during a presidential transition and a devastating public health crisis. Trump officials publicly confirmed the attack was linked to Russia.

Hackers piggybacked their malware onto a software update from SolarWinds, a company based in Austin, Texas, whose Orion software is used by many federal agencies and thousands of companies worldwide to monitor their computer networks.

The hack only came to light when the perpetrators used that access to break into the cybersecurity firm FireEye, which first disclosed a breach on December 9 last year. SolarWinds itself admitted that nearly 18,000 of its customers — in the government and the private sector — received the tainted software update between March and June of last year.

Key federal agencies, from the Department of Homeland Security to the agency that oversees America’s nuclear weapons arsenal, and the Treasury, as well as the National Institutes of Health, were reportedly targeted. Even leading tech and security companies including Microsoft fell victim. 

The devastating impact underscores just how ill-prepared the US was to defend against a known threat — and to respond. The attack is also ongoing. Investigators are still trying to determine what information the hackers may have stolen, and what they could do with it. Analysts reckon that it could be months or longer before the extent of the damage is known, given the nature of the attack — and the tremendous care taken by the hackers.

What happened?

It is called a supply-chain attack, meaning the pathway into the target networks relies on access to a supplier. Supply-chain attacks require significant resources and sometimes years to execute. They are almost always the product of a nation-state. Evidence in the SolarWinds attack points to the Russian intelligence agency known as the S.V.R., whose tradecraft is among the most advanced in the world, as reported by the Times.

The hack began when malicious code was slipped into updates to a popular software product called Orion, made by SolarWinds, which provides network-monitoring and other technical services to hundreds of thousands of organizations around the world, including most Fortune 500 companies and government agencies in North America, Europe, Asia, and the Middle East.

That malware gave elite hackers remote access to an organization’s networks so they could steal information. The apparent months-long timeline gave the hackers ample opportunity to extract information from targets, including by monitoring email and other internal communications. Microsoft called it “an attack that is remarkable for its scope, sophistication, and impact”.
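The two paragraphs above describe the attack's mechanism: a tainted build delivered through the vendor's normal update channel. The following is an added example, not code from this article or from SolarWinds, showing the integrity check an installer can run before accepting an update: authenticate the vendor's manifest, then compare the package's SHA-256 against the hash the manifest lists. All package bytes, file names and the manifest layout are constructed for the demo, and the vendor's code-signing key is modelled by a shared HMAC key (an assumption made so the example runs with the standard library only; a real deployment would use an asymmetric signature and a pinned public key, with the same flow).

```python
import hashlib
import hmac
import json

# Constructed sample data (not real SolarWinds/Orion bytes): one clean update
# package and one with extra bytes appended, standing in for a backdoored build.
CLEAN_UPDATE = b"network-monitor-agent v1.0.0: legitimate build contents"
TAMPERED_UPDATE = CLEAN_UPDATE + b"\x00<injected code stub>"

# Assumption: the vendor's code-signing key is modelled by a shared HMAC key so
# the example runs offline; real deployments use an asymmetric signature and a
# pinned public key, but the verification order below is the same.
VENDOR_KEY = b"constructed-demo-signing-key"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an update package."""
    return hashlib.sha256(data).hexdigest()


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Authenticate the manifest, so an attacker cannot swap it along with the file."""
    payload = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def build_manifest(version: str, files: dict) -> dict:
    """What a vendor would publish alongside an update (constructed layout)."""
    return {"version": version,
            "files": {name: sha256_hex(blob) for name, blob in files.items()}}


def verify_update(blob: bytes, manifest: dict, tag: str, key: bytes, filename: str):
    """Check the manifest's authenticity first, then the file's hash against it.
    Returns (accepted, reason); a False result means: do not install."""
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return False, "manifest authentication failed"
    expected = manifest["files"].get(filename)
    if expected is None:
        return False, f"{filename} is not listed in the manifest"
    actual = sha256_hex(blob)
    # Constant-time comparison avoids leaking how many digest characters matched.
    if not hmac.compare_digest(expected, actual):
        return False, f"hash mismatch for {filename}"
    return True, "ok"


# Vendor side: publish the manifest and its authentication tag for the clean build.
MANIFEST = build_manifest("1.0.0", {"update.bin": CLEAN_UPDATE})
MANIFEST_TAG = sign_manifest(MANIFEST, VENDOR_KEY)


def run_scenarios() -> dict:
    """Three installer outcomes: genuine package; swapped package; swapped package
    plus a manifest the attacker rewrote to match it (fails authentication)."""
    forged_manifest = build_manifest("1.0.0", {"update.bin": TAMPERED_UPDATE})
    return {
        "clean": verify_update(CLEAN_UPDATE, MANIFEST, MANIFEST_TAG, VENDOR_KEY, "update.bin"),
        "tampered_file": verify_update(TAMPERED_UPDATE, MANIFEST, MANIFEST_TAG, VENDOR_KEY, "update.bin"),
        "forged_manifest": verify_update(TAMPERED_UPDATE, forged_manifest, MANIFEST_TAG, VENDOR_KEY, "update.bin"),
    }


if __name__ == "__main__":
    for name, (accepted, reason) in run_scenarios().items():
        print(f"{name:16s} accepted={accepted} ({reason})")
```

The order matters: the hash list is only worth checking once the manifest itself has been authenticated, otherwise whoever can replace the package can replace the hash list too. The check also has a limit worth stating: it catches a package altered after the vendor's signing step. Malicious code inserted earlier, inside the vendor's own build pipeline, ends up in a legitimately signed package whose manifest lists the tainted file's hash, so install-time verification has to be paired with controls on how the build itself is produced and with monitoring of what the installed software does afterwards.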

The intentions behind the months-long espionage operation remain shrouded. However, the Times reported that, with a new administration taking office in three weeks, analysts believe the Russians may be trying to shake Washington’s confidence in the security of its communications and to demonstrate their cyber arsenal, gaining leverage against President-elect Joseph R. Biden Jr. before nuclear arms talks.

Microsoft has said the hackers compromised SolarWinds’ Orion monitoring and management software, allowing them to “impersonate any of the organization’s existing users and accounts, including highly privileged accounts.” The Times reports that Russia exploited layers of the supply chain to access the agencies’ systems.

While most of those affected by the attack were in the US, Microsoft said it had identified victims in Canada, Mexico, Belgium, Spain, the United Kingdom, Israel, and the United Arab Emirates. “It’s certain that the number and location of victims will keep growing,” it added.

Thomas P. Bossert, former homeland security adviser to President Trump and deputy homeland security adviser to President George W. Bush, said: “The logical conclusion is that we must act as if the Russian government has control of all the networks it has penetrated. But it is unclear what the Russians intend to do next. The access the Russians now enjoy could be used for far more than simply spying.”

In a December 13 statement on Facebook, the Russian embassy in the US denied responsibility for the SolarWinds hacking campaign. “Malicious activities in the information space contradict the principles of the Russian foreign policy, national interests, and our understanding of interstate relations,” the embassy said, adding, “Russia does not conduct offensive operations in the cyber domain.”

Bloomberg reported that the scope of the damage won’t be clear for some time. The main question remains whether the attackers’ goal was simple espionage — exfiltrating or reviewing data from the organizations they hit — or whether they also planned more destructive attacks at some point in the future.