Over several months last spring, hackers reportedly tied to the Kremlin slipped through digital backdoors on government and corporate networks worldwide and installed malware that sat dormant for up to two weeks. When the planted code awoke, masquerading as familiar, friendly software, it had the power to transfer and execute files, profile and disable systems, and reboot computers.
The malware piggybacking on products made by SolarWinds Corp, a major supplier of information technology software, had such sweeping authority that it entered “God-mode” – bypassing encryption so that it could see and control everything on a network.
To cover their tracks, the hackers replaced legitimate tools and utilities with their own and, after their time bombs were released, restored the legitimate files. By targeting SolarWinds’ supply chain, the malware deposited itself on victims’ networks whenever they updated SolarWinds software. The attacks, which also may have been coordinated through email hacks, were still ongoing when they were made public Sunday and stretched from North America and Europe to the Middle East and Asia.
A who’s who of blue-chip corporations – including America’s 10 largest telecommunications companies and top five accounting firms – are SolarWinds clients. Companies in other industries as diverse as energy, technology, health care and automobiles may have been fleeced. Within the federal government, SolarWinds says it does business with five branches of the military; the Defense, Justice and State departments; the National Security Agency; the Postal Service; the National Aeronautics and Space Administration; and the Executive Office of the President. The National Institutes of Health, along with the Commerce, State, Treasury, and Homeland Security departments, have all acknowledged falling prey to the SolarWinds hack.
One of Homeland Security’s primary duties is ensuring the nation doesn’t get blindsided by surprise attacks – digital or otherwise. That its own networks were penetrated highlights what is now an unfortunate truth of the computer age: No person or institution is invulnerable to a well-honed attack from a state sponsor such as Russia. And that’s unlikely to change.
We still know very little about how the Kremlin’s overseas intelligence service – reportedly deploying a pair of infamous Russian hacking teams known as Cozy Bear and APT29 – went about orchestrating its assault and what it managed to steal. But the information released so far suggests this is probably one of the most epic and damaging state-directed cyberattacks ever. We also haven’t learned much of anything about the hack from the US federal government or from SolarWinds itself.
The government has been largely mum, although the Cybersecurity & Infrastructure Security Agency, a federal body housed within Homeland Security that monitors digital security, issued a rare warning on Sunday and Monday noting that the attack “poses unacceptable risks to the security of federal networks”.
The National Security Council was so alarmed by what it learned over the weekend that it convened a special emergency meeting on Saturday to assess the damage, according to Reuters. Agencies across the federal government scrambled to uncover any hacks on Monday and, according to Politico, the NSC activated a crisis plan allowing it to coordinate responses and communication among affected agencies.
SolarWinds, which is based in Austin, Texas, issued an advisory Sunday saying that it had “just been made aware” of the attack. In a Securities and Exchange Commission filing on Monday, it said 33,000 of its 300,000 customers use software targeted by the hackers, and 18,000 of those clients installed updates containing malware. It said the hackers might have gained access to its products through its corporate email system. And that’s about all SolarWinds has had to say so far, perhaps because it doesn’t know much more, which probably doesn’t reassure its customers.
In contrast, FireEye Inc, a Milpitas, California, company specialising in protecting customers from hacks, has been an admirable font of transparency about the SolarWinds attack, even though it’s had to acknowledge that it, too, has been burgled. Last week, FireEye offered a relatively detailed account of how hackers infiltrated its own networks and made off with a boatload of sensitive information. On Sunday, it published a remarkably granular document outlining how SolarWinds and its customers got pickpocketed. FireEye said it discovered that SolarWinds had been infiltrated while it was conducting its own forensic review of the assault on its system.
For its part, the Kremlin says everybody is unfairly fingering it for the massive, stealthy heist. “Once again, I can reject these accusations,” a spokesman for Russian President Vladimir Putin said. “If for many months the Americans couldn’t do anything about it, then, probably, one shouldn’t unfoundedly blame the Russians for everything.”
We shouldn’t unfoundedly blame Russia, of course. Unfortunately, there’s plenty of history here.
Cozy Bear and APT29 hacked the State Department, Pentagon and White House during the Barack Obama administration, penetrated telecommunications and energy companies, infiltrated universities and broke into the Democratic National Committee’s servers during the 2016 presidential campaign. Putin, outclassed militarily by the US and China, still runs a great bang-for-his-buck digital burglary outfit, and the SolarWinds cyberattack is a reminder of how sophisticated and threatening that operation is.
It’s also a reminder of how much is at stake here. For months, copious amounts of corporate, government, scientific and personal information, some of it related to Covid-19 research, may have been siphoned out of networks around the globe without anyone knowing about it – not even the guardians whose job it is to police the brave new world of cybercrimes and cyberwarfare. – Bloomberg
(Timothy L. O'Brien is a senior columnist for Bloomberg Opinion.)