A cyberattack that began by targeting an IT firm used by numerous federal U.S. government agencies, Fortune 500 companies, and other high-value targets is shaping up to be a historic event.
The U.S. government is still reeling after the detection of a massive foreign intrusion into federal computer systems at agencies including — at a minimum — the Department of Homeland Security, the Treasury, and the Commerce Department. As one employee at the DHS’s Cybersecurity and Infrastructure Security Agency, the primary cybersecurity agency of the federal government, told Politico, many government agencies “don’t know how on fire they are yet.” Another U.S. government official told the site this was “going to be one of the most consequential cyberattacks in U.S. history,” and the feds suspect “the news is going to get worse.”
The extent of the breach is still unclear — beyond that malware may have been spreading on affected systems for months. It also comes shortly after Donald Trump fired the chief of CISA, Chris Krebs, in mid-November for questioning the White House’s hoax claims of voter fraud during the 2020 elections.
This couldn’t have come at a worse time, as CISA’s resources are under strain and the government official quoted by Politico said there is “massive frustration with CISA on a sluggish response to agency breaches” and the agency appears to be “overwhelmed.” The good news, according to that source, is that investigators have yet to see “any evidence that any classified systems have been compromised.” Some members of Congress have already proposed granting additional resources to CISA, though it may come too late to aid in this situation.
Every indication so far is that the hackers involved have the backing of a nation-state, with the White House viewing the most obvious suspect as Russian intelligence agencies. Those responsible built a backdoor into Orion, IT management software produced by SolarWinds, possibly by breaking into Microsoft email accounts and other systems, according to the Wall Street Journal. They then used it to contaminate software updates provided by the company with malware in March and June 2020. In addition to U.S. government agencies, the attackers also hit security firm FireEye; its senior vice president and chief technical officer, Charles Carmakal, told Bloomberg the firm was subsequently able to trace the intrusion back to SolarWinds before it notified authorities.
SolarWinds filed documents with the Securities and Exchange Commission on Monday stating the Orion product is used by 33,000 entities, about 18,000 of which may have installed infected versions 2019.4 through 2020.2.1 from March to June 2020. Once inside the targeted systems, the hackers could then gain a foothold from which to install other malware, which cannot be removed simply by disconnecting Orion. Politico reported that the attackers may also have compromised Microsoft email servers used by institutions that downloaded the infected updates in order to steal authentication tokens that gave them broader access.
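The version range above is the first thing a defender wants to check against their own inventory. The following is an added example, not code from the article, SolarWinds, or any investigator: it parses Orion version strings and flags hosts whose base version falls inside 2019.4 through 2020.2.1 (treated as inclusive). It assumes versions are dotted numerics with an optional hotfix suffix, ignores that suffix when comparing, and uses a constructed host list; hotfix-level differences must be resolved against the vendor's advisory, which this check does not replace.

```python
import re
from typing import List, Optional, Tuple

# Affected range as stated in the article: Orion 2019.4 through 2020.2.1.
# Assumption: the range is inclusive at both ends.
AFFECTED_LOW = (2019, 4, 0)
AFFECTED_HIGH = (2020, 2, 1)

# Leading "major.minor[.patch]" part of a version string; anything after
# (e.g. a hotfix suffix) is ignored. Assumed format, not a vendor-documented one.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_orion_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a version string, or None if unparsable.

    A missing patch component is treated as 0, so "2019.4" == (2019, 4, 0).
    """
    m = _VERSION_RE.match(version)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_in_affected_range(version: str) -> Optional[bool]:
    """True if the base version lies in the affected range, False if outside,
    None if the string could not be parsed (treat as 'needs manual review')."""
    parsed = parse_orion_version(version)
    if parsed is None:
        return None
    # Tuple comparison orders by major, then minor, then patch.
    return AFFECTED_LOW <= parsed <= AFFECTED_HIGH


def triage(inventory: List[Tuple[str, str]]) -> Tuple[List[str], List[str], List[str]]:
    """Split (hostname, version) pairs into in-range, out-of-range, and unknown."""
    in_range, out_of_range, unknown = [], [], []
    for host, version in inventory:
        verdict = is_in_affected_range(version)
        if verdict is None:
            unknown.append(host)
        elif verdict:
            in_range.append(host)
        else:
            out_of_range.append(host)
    return in_range, out_of_range, unknown


# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = [
    ("orion-01.example.internal", "2019.4"),
    ("orion-02.example.internal", "2020.2.1"),
    ("orion-03.example.internal", "2019.2"),
    ("orion-04.example.internal", "2020.2.5"),
    ("orion-05.example.internal", "unknown"),
]

if __name__ == "__main__":
    hit, clear, unk = triage(SAMPLE_INVENTORY)
    print("in affected range:", hit)
    print("outside range:    ", clear)
    print("unparsable:       ", unk)
```

Hosts in the first list are candidates for the deeper checks the article goes on to describe: a clean version number alone says nothing about follow-on malware or stolen authentication tokens, so an in-range result starts an investigation rather than closing one.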
Two people “familiar with the wave of corporate cybersecurity investigations being launched Monday morning” told Reuters that the hackers appeared to have been selective about which compromised systems they actually broke into, indicating they had specific intelligence targets in mind when they launched the attack.
“They could have just compromised SolarWinds, but they did more,” Vincent Liu, the CEO of cybersecurity firm Bishop Fox, told the Journal. “They turned that one compromise into who knows how many other compromises that we’re going to be learning about for weeks. We may never know the full impact.”
“A supply chain attack like this is an incredibly expensive operation — the more you make use of it, the higher the likelihood you get caught or burned,” FireEye threat director John Hultquist told the New York Times. “They had the opportunity to hit a massive quantity of targets, but they also knew that if they reached too far, they would lose their incredible access.”
Another U.S. official who spoke with Politico blamed Cosy Bear, a hacking group the U.S. government believes is associated with or run by Russia’s Foreign Intelligence Service. This assessment was backed by sources that spoke with the Washington Post. Cosy Bear, along with a different unit called Fancy Bear, was among the suspected Russian intelligence assets that security firm CrowdStrike determined gained access to Democratic National Committee servers during the 2016 elections.
According to the Verge, SolarWinds appears to have removed a client list from its website, “including more than 425 of the companies listed on the Fortune 500 as well as the top 10 telecom operators in the United States.” SolarWinds clients also include Los Alamos National Laboratory and defence contractor Boeing, per the Times.