- Spread via an IT management vendor called SolarWinds, signs of a highly sophisticated cyberattack have popped up in multiple government agencies.
- Experts say the "supply-chain" attack was hugely expensive and sophisticated to execute, pointing to a nation-state attacker.
- Yet the attack does not amount to "cyberwar," and should not provoke an escalated response – and we do not know it came from Russia, experts warn.
- The biggest issue is the cost and effort thousands of businesses will have to go through to address a crafty attack that hid for months. Even Microsoft says that it was affected by the breach.
- Here's everything we know — and don't know — about the sweeping hack.
The sweeping SolarWinds cyberattacks hitting the US government and other organizations have dominated headlines this week with alarming new discoveries every day.
Spread via an IT management vendor called SolarWinds, which monitors networks and servers to prevent outages and update software, signs of the highly sophisticated attack have popped up in the US Commerce, Treasury, and Energy departments among other government agencies, and thousands of businesses. The attackers had access to the system for months before the SolarWinds issue was first spotted.
We turned to the companies involved, former federal cybersecurity officials, and other experts to explain the big issues.
Why is this such a big deal?
The SolarWinds hack is what's known as a "supply chain attack," meaning that the bad guys subverted a product — in this case, the SolarWinds Orion software — that went on to get installed on its customers' own servers. More specifically, the hackers included a backdoor in an Orion software update, such that whenever an IT department went to install the latest version, they were also unknowingly placing sophisticated malware in their own systems.
SolarWinds is nearly ubiquitous in enterprise software, with more than 300,000 customers, including 425 of the Fortune 500. The company says up to 18,000 of those customers were hit by the intrusion, but experts say the attackers used that access selectively. Rather than stealing data from each and every vulnerable system, which would have left an unmistakable trail, the attackers picked their targets carefully to stay under the radar.
The attacks will touch Americans in multiple ways: Taxpayers will pay the cost of eradicating the malware from US agencies. Businesses will feel the pinch of costly security processes and upgrades at a time when many are struggling. And the violation of thousands of networks will hang over the heads of a cybersecurity industry pushed to the brink by attacks on remote workers during COVID-19, ransomware attacks, and election security.
"Supply chain attacks can be devastating," says Chris Kubic, former chief security officer of the National Security Agency, where he spent three decades. "We may never know how many businesses are affected by this one."
"It's scary how widespread this is," says Frank Downs, a former NSA analyst and now director of incident response at the firm BlueVoyant. "It's the biggest hack to hit the US in at least five years, and that's because it is so widespread and insidious."
The attacker entered malware in the SolarWinds computer code, which was then introduced to the computer systems of clients through automated updates.
"The reason everyone is so upset is that the price to the private sector is going to be huge," says Bryson Bort, CEO of Scythe, a special advisor to the Cybersecurity and Infrastructure Security Agency this year and a senior fellow at the National Security Institute. "The malware is in the system that managed their networks, and everyone had it."
What is the latest?
On Thursday, the Department of Energy acknowledged it was among the federal agencies hit. Politico reported the hack hit a nuclear weapons agency, but the DOE told Business Insider that has not been confirmed yet.
"At this point, the investigation has found that the malware has been isolated to business networks only, and has not impacted the mission essential national security functions of the Department, including the National Nuclear Security Administration," Shaylyn Hynes, a DOE spokeswoman, said.
CISA released an alert that said there were other entry points – places where the hackers got into organizations – besides the SolarWinds IT software, but did not elaborate where. The Wall Street Journal reported that senators are demanding the Internal Revenue Service address reports that IRS files have been hacked. The incoming Biden administration vowed a strong cyberdefense.
Microsoft found that the hack started with "an intrusion through malicious code in the SolarWinds Orion product. This results in the attacker gaining a foothold in the network, which the attacker can use to gain elevated credentials." In other words, once inside an organization's network, the attackers can move into more critical areas because the system treats their activity as part of the trusted software update.
"An intruder using administrative permissions" can then "impersonate any of the organization's existing users and accounts, including highly privileged accounts," the company said.
The company says it found signs of the SolarWinds attack in its systems, but that customer data was not touched, and no malware was spread through its own supply-chain.
"Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed," a Microsoft spokesman said Thursday. "We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others."
What makes the attack so sophisticated?
Its ability to hide so well for so long. Cloudflare data shows the malware actually spread across networks in March – nine months before it was discovered – setting up domains from which to exfiltrate data.
"This supply chain attack was designed in a very professional way," says Costin Raiu, head of Kaspersky's Global Research and Analysis team, in a new blog post published Friday. The main attribute of the attack was "a clear focus on staying undetected for as long as possible." Raiu says "the malware lies dormant for a long period, up to two weeks, which prevents an easy detection."
"It is extra insidious," says Downs. "I was shocked to see the intruders managed to bypass two-factor authentication," he says, noting a researcher's observation that the malware went around the security check that requires a user to check in with their phone while logging in. Downs also was impressed that the attack used steganography, the technique of concealing code inside images and other files.
The cybersecurity company FireEye first discovered the attack – in its own systems, no less – and has helped to lead its response.
"FireEye has uncovered a widespread campaign that we are tracking as UNC2452. The actors behind this campaign gained access to numerous public and private organizations around the world," the company wrote on Sunday. It was previously believed that FireEye was hacked independently and its own cybersecurity tools were stolen.
Some news outlets reported that a FireEye employee was tricked into giving hackers log-in credentials, but a FireEye spokesperson told Business Insider that "the SolarWinds compromise was the original vector for the attack against FireEye. The cause of FireEye's security incident was not a result of an employee being duped or tricked."
Do we know who did it?
Early reports suggested a link between the attackers and the Russian government. However, neither CISA nor Biden nor SolarWinds nor any other government source mentioned the Russians in their reports. At the same time, many cybersecurity experts say the "tradecraft" – the sophistication of the attack – points to a nation-state attacker.
"While security professionals and other experts have attributed the attack to an outside nation-state, we have not independently verified the identity of the attacker," SolarWinds wrote in a blog post Thursday.
This narrows the field considerably, and many in the industry agree that only the Russians could have managed such a widespread, well-planned, and stealthy attack.
"CISA will never come right out and say it was the Russians," says Bort. "But classified intelligence and forensic evidence is pointing that direction in many ways."
"I wouldn't say the Russians are the only nation-state that could have pulled this off, but it could definitely be them," says Downs, the former NSA analyst.
"The attack was so good at hiding its tracks that we may never know for sure, but it certainly could be the Russians," says Kubic, the longtime NSA official.
If it is the Russians, would this make it cyberwar?
Not necessarily. One of the devastating things about this attack is that it falls inside the realm of intelligence-gathering that happens routinely. This attack was just much more effective than most, and swept up businesses in its scope.
"We do it, they do it, it happens every day," says Bort, the former CISA advisor. "This is just a very expensive operation."
"This was definitely nation-state espionage. We do it, too. This just bled over so badly to the private sector," says Mike Hamilton, former chief information security officer of the City of Seattle, who advised the Department of Homeland Security in that role.
The distinction, the experts suggest, is that the attackers — whoever they are — had months to use their access to wreak havoc and cause genuine real-world harm, and didn't.
"They're not hitting power grids or hospitals," says Downs, the former NSA analyst. "They're getting intelligence."
What should the US response be?
Not to hack into power grids or hospitals in Russia, the experts say.
Biden said Thursday that "My administration will make cybersecurity a top priority at every level of government — and we will make dealing with this breach a top priority from the moment we take office." But experts said a strong statement may not result in a large public action.
"Everything has to be proportionate," Bort says. "This is well within the range of intelligence operations. We're trying to do the exact same thing to them right now."
"I would not recommend escalating this," says Downs. "The best intelligence operations are the ones you never know about."
"A coordinated international response with allies and the private sector would probably be the most effective way," says Kubic, the former NSA 30-year veteran.
"Some kind of price has to be paid," says Hamilton, the former Seattle CISO. "You could turn the lights out in St. Petersburg, but that's probably not the best way."
Who's leading the USA's response to the hack?
The response is being led by the Cybersecurity and Infrastructure Security Agency (CISA), the same agency that protected the election. The agency recently lost its leader, Christopher Krebs, who was fired via a tweet from President Donald Trump after he issued a public statement affirming that the election was secure from hackers. The agency also lost Matthew Masterson, a senior election security official, last month.
Officials, including Chris Krebs, who led election cybersecurity and was fired by President Trump, say the agency needs more support. "CISA needs more support from the US government to continue the work we set in motion," Krebs said in a message to Business Insider echoed by many others.
"Chris Krebs and the staff at CISA have done a very good job, and many feel that way across the Department of Defense and other agencies. They have to have a strong leader again," says Kubic, the former NSA 30-year veteran.
Why will this attack be so hard on businesses, if they weren't the target?
Because it will be so hard to root out. Investigators suspect the intrusion reached some 18,000 enterprises, and while some were of much greater interest to the attackers, all will now need to sort through any possible signs of being hacked.
"Just because businesses were hit doesn't mean that access has been or will be exploited – but every one of them will now need to do threat-hunting, actively searching for signs of intrusion, and there is no easy way to do that. There is no tool that will do that for you," says Bort, the CISA advisor.
"There's going to be a lot of manual effort, no matter how you do it," says Downs, the former NSA analyst and incident-response expert. "Thousands of companies are going to have to rebuild systems."
Cloudflare data shows the SolarWinds cyberattack hit networks hardest in March
What is SolarWinds doing about this?
"Each of our 3,200 team members is united in our efforts to meet this challenge," the company wrote in a Friday blog post. "We have reached out and spoken to thousands of customers and partners in the past few days," the company wrote, and "we also have had numerous conversations with security professionals." Insiders at the company say it also worked with Microsoft on a "kill switch" to stop the spread and deactivate the original malware – but not necessarily to stop any activity that spread from there.