- US government agencies and private organizations have been the targets of a cyberattack that was only just uncovered this month.
- A group of hackers believed to be associated with the Russian intelligence agency SVR infiltrated a SolarWinds software update earlier this year.
- This is a huge problem for two major reasons: The attackers were able to gain access for a long period of time without being detected, and it will also take a long time for security experts to determine the extent of what’s been compromised.
- “Fragments of attacks can sit dormant for months, and years, and only revive when the author wants them to begin their job,” cybersecurity expert Sean Harris told Business Insider. “Stealth is the most worrisome aspect of these ‘attacks.’”
For months, US government agencies and private organizations have been the targets of what’s being called the most widespread cyberattack ever, and one that went largely undetected until this month. At the center of the attack is a company most people have never heard of called SolarWinds, which provides IT infrastructure management tools to hundreds of thousands of customers including government agencies, corporations, and nonprofit organizations.
A SolarWinds software update earlier this year was infiltrated by a group of hackers believed to be associated with the Russian intelligence agency SVR, in what is known as a supply chain attack. As a result, the hackers’ backdoor was delivered to every SolarWinds customer that installed one of the trojanized Orion updates, riding in on the vendor’s own signed update channel.
“The number of organizations that downloaded the corrupted update could be as many as 18,000, which includes most federal government unclassified networks and more than 425 Fortune 500 companies,” Tom Bossert, former Homeland Security Advisor, said in an op-ed in the New York Times on Thursday.
Not only is this attack extraordinary in its scope, it’s devastating in its impact – largely because of two things. First, the attackers were able to gain covert access for a long period of time without being detected. And second, it will be even longer before security experts will be able to determine the extent of the information that’s been compromised. That means that even though the attack may have been stopped, the damage could continue for the foreseeable future.
Two weeks ago, cybersecurity company FireEye said it’d been breached, with the attackers making off with its “red team” suite of hacking tools. Upon further investigation, the company said it found that the method of intrusion was software from SolarWinds that had been compromised with a backdoor. That sounded alarm bells across government agencies and corporations, given that SolarWinds software is widely used across both the private and public sectors.
A company spokesperson confirmed to Business Insider that during an investigation it "determined the SolarWinds compromise was the original vector for the attack against FireEye."
Last week, the Trump administration acknowledged that federal agencies including the Departments of Treasury, Homeland Security, State, and Commerce, were affected. The agencies have not said what information was compromised, or whether the attackers had gained access to classified networks.
And, on Thursday, Politico reported that the National Nuclear Security Administration, the division of the Department of Energy responsible for managing the country's nuclear weapons stockpile, was breached by the attack. The revelation came as agencies across the federal government have been combing their networks for signs of the malware.
In the case of the NNSA, a spokesperson told Politico that "the investigation has found that the malware has been isolated to business networks only, and has not impacted the mission essential national security functions of the department, including the National Nuclear Security Administration."
In response to the discovery of the breaches, Microsoft, which confirmed it was itself a victim of the attack, took a series of extraordinary steps to mitigate against further spread, including a successful effort to sinkhole the domain name used by the malware to "call home" for instructions. Sinkholing is a legal tool for taking control of a domain: its DNS resolution is redirected to servers run by defenders rather than the attackers, so traffic the malware sends there can be observed and, in this case, used to interrupt the malware's communication with its operators.
In this case, when the malware, known as SUNBURST, is installed with the software update, it sits dormant on a host computer for up to about two weeks and then resolves a DNS name under the attackers' domain. The DNS response tells it which second-stage server to contact, and that server provides instructions or additional software to push the intrusion deeper into the network.
By taking control of the original domain, known as its command and control (C2), and breaking the initial chain of communication, defenders leave the malware in place on the computer but unable to receive further instructions. That prevents the attackers from using SUNBURST to task implants or push new tooling into networks where it is still beaconing; it does not undo access they have already obtained.
FireEye, which worked with Microsoft and GoDaddy to sinkhole the domain and turn it into a form of killswitch that prevents the malware from receiving additional instructions, said in an emailed statement:
"This killswitch will affect new and previous SUNBURST infections by disabling SUNBURST deployments that are still beaconing to avsvmcloud[.]com. However, in the intrusions FireEye has seen, this actor moved quickly to establish additional persistent mechanisms to access victim networks beyond the SUNBURST backdoor. This killswitch will not remove the actor from victim networks where they have established other backdoors. However, it will make it more difficult for the actor to leverage the previously distributed versions of SUNBURST."
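Because SUNBURST announced itself through DNS lookups under avsvmcloud[.]com, the domain named in the statement above, an organization with resolver logs can sweep them retrospectively to find hosts that beaconed, and to see whether any are still beaconing after the sinkhole took over (which means the implant is still installed, even if it can no longer be tasked). The following is an added example for this article, not code from SolarWinds, FireEye or Microsoft. It assumes a simple "timestamp client qname answer" log format, assumes a sinkhole cutover date purely for illustration, and uses constructed log lines; the subdomain shape follows the publicly reported SUNBURST pattern, but the labels themselves are made up.

```python
"""Retrospective DNS-log sweep for SUNBURST beaconing to avsvmcloud[.]com.

Added example; not the code of any vendor named in the article.
Assumptions (not from the article): a one-line-per-query log format of
"<ISO timestamp> <client IP> <queried name> <answer IP>", and a sinkhole
cutover timestamp used only to split beacons into before/after.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Indicator copied defanged from the FireEye statement, refanged once here.
SUNBURST_C2_DOMAIN = "avsvmcloud[.]com".replace("[.]", ".")

# Assumed cutover for illustration only; the real date is not on the page.
ASSUMED_SINKHOLE_DATE = "2020-12-15T00:00:00Z"

# Constructed sample log.  Note the mixed case, the trailing-dot FQDN, the
# look-alike domain that must NOT match, and one malformed line.
SAMPLE_DNS_LOG = """\
2020-12-01T03:14:07Z 10.20.5.17 6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com 203.0.113.10
2020-12-01T03:14:09Z 10.20.5.17 windowsupdate.microsoft.com 20.73.1.1
2020-12-01T04:02:51Z 10.20.9.42 AVSVMCLOUD.COM. 203.0.113.10
2020-12-03T11:00:00Z 10.20.7.8 login.notavsvmcloud.com 198.51.100.5
2020-12-16T09:30:12Z 10.20.5.17 7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud.com 203.0.113.77
malformed line without enough fields
"""


def is_c2_query(qname: str, domain: str = SUNBURST_C2_DOMAIN) -> bool:
    """True if qname is the C2 domain or any subdomain of it.

    The suffix match is anchored on a label boundary so a look-alike such
    as notavsvmcloud.com is not flagged; it is case-insensitive and
    tolerates the trailing dot many resolvers log on FQDNs.
    """
    q = qname.lower().rstrip(".")
    return q == domain or q.endswith("." + domain)


@dataclass
class BeaconSummary:
    client: str
    count: int = 0
    first_seen: str = ""
    last_seen: str = ""
    qnames: Set[str] = field(default_factory=set)
    beaconed_after_sinkhole: bool = False


def sweep_dns_log(log_text: str,
                  sinkhole_date: str = ASSUMED_SINKHOLE_DATE) -> Dict[str, BeaconSummary]:
    """Group C2 lookups by client host.  Malformed lines are skipped, not
    fatal, so one bad record cannot abort a sweep over a large log."""
    summaries: Dict[str, BeaconSummary] = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, qname, _answer = parts[:4]
        if not is_c2_query(qname):
            continue
        s = summaries.setdefault(client, BeaconSummary(client=client, first_seen=ts))
        s.count += 1
        # ISO-8601 timestamps in one zone sort correctly as strings.
        s.first_seen = min(s.first_seen, ts)
        s.last_seen = max(s.last_seen, ts)
        s.qnames.add(qname.lower().rstrip("."))
        if ts >= sinkhole_date:
            s.beaconed_after_sinkhole = True
    return summaries


def report(summaries: Dict[str, BeaconSummary]) -> List[str]:
    """One triage line per beaconing host, worst (still beaconing) first."""
    lines = []
    for s in sorted(summaries.values(), key=lambda x: (not x.beaconed_after_sinkhole, x.client)):
        status = "STILL BEACONING after sinkhole; implant present, remediate" \
            if s.beaconed_after_sinkhole else "beaconed before sinkhole; investigate"
        lines.append(f"{s.client}: {s.count} lookup(s) {s.first_seen}..{s.last_seen}; {status}")
    return lines


if __name__ == "__main__":
    for line in report(sweep_dns_log(SAMPLE_DNS_LOG)):
        print(line)
```

A hit here is evidence that the backdoor was installed and reached out, not that the operators ever tasked it; as the FireEye statement notes, hosts on the list need a hunt for the other persistence the actor planted, not just removal of the trojanized Orion build.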
Microsoft has said that 40 of its customers were targeted directly by the attackers, 80% of which are located in the US. According to a blog post by Brad Smith, Microsoft's president and general counsel, "The initial list of victims includes not only government agencies, but security and other technology firms as well as non-governmental organizations."
While Microsoft and its partners likely now have a better idea of which networks have been affected as a result of their visibility into efforts to ping the sinkholed domain, it will still take a substantial effort to determine what information may have been compromised. Preventing the malware from calling home for new instructions doesn't change the fact that it's still on the networks, likely far from whatever access point it used to enter. Not only that, but no one knows how much damage has already been done.
"The conventional narrative, at least judging from SolarWinds' disclosure, is that attackers have been in systems for months, stealing data and spying on government workers, without officials being any the wiser," said Chris Brook in a blog post for DigitalGuardian.
Part of the problem, according to former Homeland Security Advisor Bossert, is that "The Russians have had access to a considerable number of important and sensitive networks for six to nine months." That means it'll be some time before security experts are able to determine exactly how widespread the attack really was. Or, put another way, we'll likely find out that this gets worse before it gets better.
In a statement on Thursday, the Cybersecurity and Infrastructure Security Agency (CISA), a part of the Department of Homeland Security, echoed that sentiment, issuing an alert that confirms the attack "poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations."
The agency also said it believes "removing this threat actor from compromised environments will be highly complex and challenging for organizations." That's partially due to the fact that CISA now says that attackers likely used other methods and tactics in addition to infiltrating SolarWinds Orion.
"Unfortunately, given the breadth of SolarWinds' supply chain, the length of time those customers were unknowingly compromised, uncertainty about the attacker's motivation, and the myriad time horizons and distribution of potential attacks (e.g. data breach, ransomware, espionage), the breadth and impact is untold at this point," Erin Kenneally, director of cyber-risk analytics at Guidewire, told Business Insider.
Kenneally, who previously worked for the Cyber Security Division within DHS, also said that while efforts so far will help stem the tide of the attack, "It only means that the original infection vector has been closed down. Adversaries most likely implemented other backdoors to those compromised systems, so while this kill switch for the backdoor was a helpful effort and very good showing of collaboration, the threat is far from eliminated and mitigated."
That aligns with CISA's statement, and reflects the ongoing concern that the worst of the fallout from the attack may be just beginning. "Given that potential victims include defense contractors, telecoms, banks, and tech companies, the implications for critical infrastructure and national security, although untold at this point, could be significant," Kenneally said.
It can be difficult to imagine how attackers could have infiltrated so many companies and organizations, let alone US government agencies, without anyone knowing.
"Hackers are just as smart, if not much smarter, than the folks assigned to protect environments," Cybersecurity expert Sean Harris told Business Insider. "There's an art in patience. Fragments of attacks can sit dormant for months, and years, and only revive when the author wants them to begin their job. Stealth is the most worrisome aspect of these 'attacks.'"
That attackers, even those from a foreign intelligence agency, were able to wreak havoc and do so without much of a trace should be the greatest concern here. The attack represents "an act of recklessness that created a serious technological vulnerability for the United States and the world," said Microsoft's Smith. "In effect, this is not just an attack on specific targets, but on the trust and reliability of the world's critical infrastructure in order to advance one nation's intelligence agency."
They were able to do so partly because they didn't attack their targets directly, but instead used a trojan horse to gain access via a trusted source: a signed update from a vendor whose monitoring software runs with broad privileges inside the very networks it watches.
"The remediation effort alone will be staggering," wrote Bossert. "It will require the segregated replacement of entire enclaves of computers, network hardware and servers across vast federal and corporate networks." That's not a small task for any organization, but the size and scope of the agencies and corporations targeted mean that it will take time to hunt for signs of the malware, determine what information may have been compromised, and mitigate against that loss.
And, of course, do all of that without significant disruption to normal operations.