- Thousands of organizations may have been compromised by the SolarWinds hack. Many US government agencies already confirmed they were hit.
- Experts say it could take years to figure out the extent of the cyberattack and what data, if any, was actually stolen.
- David Kennedy, a former NSA hacker, told Business Insider that’s because when the motive of the attackers is unknown, investigators don’t know where to look to assess the damage.
- He also said some companies don’t keep security logs more than a few months, which could make it impossible to investigate breaches that happened as early as March.
Thousands of companies and government agencies may have been compromised by the SolarWinds hack.
Experts say it could take some of those groups years to figure out the extent of the cyberattack and what data, if any, was actually stolen.
Software firm SolarWinds was breached earlier this year, when hackers broke into its systems and inserted malicious code into one of its software platforms. Customers that updated the software between March and June had the malware added to their network, giving the hackers a backdoor into their system.
The breach was discovered this month, meaning the hackers, believed to be Russians, could have been spying on those customers for six to nine months.
The challenge facing those groups, which include US government agencies and most Fortune 500 companies, is determining two key things, according to David Kennedy, the founder of cybersecurity firm TrustedSec and a former NSA hacker.
The first is whether or not they actually have the software with the malicious code. The second, and more difficult question to answer, is whether the hackers actually used that code to access, control, or steal data.
"Occupying versus active exploitation is a very different thing," Kennedy told Business Insider.
Microsoft is an example of this. The company said Thursday it was hit by the cyberattack, but that there was no evidence its products or customer data were accessed.
Kennedy said determining if the hackers had access is relatively straightforward. It hinges on identifying a connection between the victim's network and the hacker's. Figuring out what the attackers did once they had access is much more difficult.
In a New York Times op-ed, Thomas Bossert, a former homeland security adviser, said it will take years to figure out which networks were just occupied and which networks were actively controlled.
Kennedy said that's because when the motive of the attackers and what they were looking for is unknown, security teams don't know where in their networks they need to look.
"Basically you have to go through with a fine-toothed comb across your entire organization," he said.
And even then, it's not a straightforward search but a long-term investigation that involves piecing together data spanning several months, sifting through logs, and understanding communication protocols and encryption, among other things.
In some cases, the full extent of the attack cannot even be investigated, as many companies don't keep network records for more than a few months.
On a given network, everything leads back to a central location that is monitored by a security team, Kennedy said. That massive amount of data is being logged every day. In most instances, a company will keep logs for up to three months.
Potentially compromised companies that don't have logs spanning the past nine months are in an especially uncertain situation.
"If you don't have the logs, you don't have the data," Kennedy said. "So you can't make a definite determination that something wasn't taken or used."
Some government agencies, and some companies, will keep logs for up to a year, which would allow them to search as far back as the reported initial breach in March.
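As an added illustration of the retention gap Kennedy describes (example code, not from the article or from TrustedSec), the following Python compares each log source's retention window with the exposure window and reports how much of that window each source can no longer account for. The dates, source names and retention values are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed exposure window: trojanized updates shipped from March and the
# breach was discovered in December. Exact days are assumptions, not from the article.
EXPOSURE_START = date(2020, 3, 1)
EXPOSURE_END = date(2020, 12, 13)

# Hypothetical inventory of log sources and their retention policy in days.
LOG_SOURCES = {
    "firewall-egress": 90,
    "dns-resolver": 90,
    "vpn-auth": 365,
    "domain-controllers": 180,
}


def coverage(retention_days, today, start=EXPOSURE_START, end=EXPOSURE_END):
    """Return (covered_from, covered_to, uncovered_days) for one log source.

    The oldest surviving record is `today - retention`; anything between the
    start of the exposure window and that record is unrecoverable. A source
    whose oldest record postdates the whole window covers nothing."""
    oldest = today - timedelta(days=retention_days)
    covered_from = max(oldest, start)
    if covered_from > end:
        return None, None, (end - start).days
    return covered_from, end, (covered_from - start).days


def assess(sources, today, start=EXPOSURE_START, end=EXPOSURE_END):
    """Build a per-source gap report and list the sources that span the full window.

    Only sources with zero uncovered days can support a definite finding that
    nothing passed through them; every other source leaves a blind spot."""
    report = {}
    for name, retention_days in sources.items():
        covered_from, _, gap = coverage(retention_days, today, start, end)
        report[name] = {"covered_from": covered_from, "uncovered_days": gap}
    fully_covered = sorted(n for n, r in report.items() if r["uncovered_days"] == 0)
    return report, fully_covered


if __name__ == "__main__":
    report, full = assess(LOG_SOURCES, today=EXPOSURE_END)
    for name, r in report.items():
        print(f"{name:20s} covered from {r['covered_from']} ({r['uncovered_days']} days blind)")
    print("sources spanning the whole exposure window:", full or "none")
```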
The State Department, the Department of Homeland Security, and the Pentagon are among the US government agencies that are said to have been compromised. In the case of determining whether those agencies were just occupied or actually manipulated, the stakes can be incredibly high.
"Did they breach complex systems and have access to nuclear secrets or top secret data?" Kennedy said. "Things to that effect will take a long time to determine."
He likened that challenge to solving a puzzle, but said it is usually very difficult to conclude with complete certainty. From a security standpoint, he said in those cases it's safest to assume if something could have been taken, that it was.