Commentary on Political Economy

Friday 18 December 2020


Hack Suggests New Scope, Sophistication for Cyberattacks


The suspected Russian hack that compromised parts of the U.S. government was executed with a scope and sophistication that has surprised even veteran security experts and exposed a potentially critical vulnerability in America’s technology infrastructure, according to investigators.

As the probe continues into the massive hack—which cast a nearly invisible net across 18,000 companies and government agencies—security specialists are uncovering new evidence that indicates the operation is part of a broader, previously undetected cyber espionage campaign that may stretch back years.

The attack blended extraordinarily stealthy tradecraft, using cyber tools never seen in a previous attack, with a strategy that zeroed in on a weak link in the software supply chain that all U.S. businesses and government institutions rely on, an approach security experts have long feared but one that had never been used against U.S. targets in such a concerted way.

Inside the Hack

The hackers used what’s called a supply chain attack, exploiting SolarWinds management software updates to put malicious code on the targets’ servers.

SolarWinds makes network management software, called Orion, that’s widely used by government agencies and Fortune 500 companies. Like most software makers, it pushes regular updates to its customers.

Software updates: Hackers compromised SolarWinds and inserted their own malicious software in updates the company distributed between March and June of this year.

About 18,000 customers downloaded these updates, which acted like Trojan Horses, awaiting instructions from the hackers.

For some percentage of these customers, the instructions came, and the compromised Orion server downloaded more code, giving the hackers a way to move around the network and steal data. They were able to access emails, download software and perform reconnaissance on the network.

Source: SolarWinds
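Because the malicious code shipped inside the vendor’s own update, checks on the update file’s provenance alone would not have flagged it; what the backdoor could not hide was that a network-management server began resolving and contacting domains the hackers had set up. The following is an added example, not code from SolarWinds, FireEye or the original article, of the kind of egress check a practitioner can run over DNS logs for such servers. The host addresses, the allow-list of vendor domains, the log format and every log line (including the attacker-style domain under example.net) are constructed for the illustration.

```python
"""Flag DNS lookups from network-management servers to domains outside a
vendor allow-list.  Added example; hosts, domains and log lines are constructed."""
import re
from collections import defaultdict

# Assumption: these hosts run the network-management software and should only
# reach a short list of vendor and update domains.
MANAGEMENT_HOSTS = {"10.10.5.20": "orion-01", "10.10.5.21": "orion-02"}

# Assumed egress allow-list for those hosts (exact names or parent domains).
ALLOWED_DOMAINS = {"solarwinds.com", "microsoft.com", "windowsupdate.com", "corp.example"}

# Constructed resolver log format: "<timestamp> client=<ip> query=<name> type=<qtype>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) client=(?P<src>[\d.]+) query=(?P<qname>\S+) type=(?P<qtype>\w+)$"
)


def parent_allowed(qname, allowed):
    """True if qname equals, or is a subdomain of, any allowed domain."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):          # never match a bare TLD
        if ".".join(labels[i:]) in allowed:
            return True
    return False


def flag_unexpected_lookups(lines):
    """Return (findings, counts): findings is a list of (host, qname) for each
    lookup by a management host to a domain outside the allow-list; counts is
    the number of such lookups per host.  Unparseable lines are skipped."""
    findings = []
    counts = defaultdict(int)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m["src"] not in MANAGEMENT_HOSTS:
            continue
        qname = m["qname"].rstrip(".").lower()
        if not parent_allowed(qname, ALLOWED_DOMAINS):
            host = MANAGEMENT_HOSTS[m["src"]]
            findings.append((host, qname))
            counts[host] += 1
    return findings, dict(counts)


# Constructed sample log: routine vendor lookups, two lookups of an unfamiliar
# domain from orion-01, a workstation lookup, and one malformed line.
SAMPLE_LOG = """\
2020-06-03T02:11:07Z client=10.10.5.20 query=downloads.solarwinds.com. type=A
2020-06-03T02:11:09Z client=10.10.5.20 query=ctldl.windowsupdate.com. type=A
2020-06-03T02:23:41Z client=10.10.5.20 query=k3h2.cdn-telemetry.example.net. type=A
2020-06-03T02:23:55Z client=10.10.5.20 query=k3h2.cdn-telemetry.example.net. type=CNAME
2020-06-03T02:24:10Z client=10.10.9.4 query=mail.corp.example. type=A
2020-06-03T03:01:02Z client=10.10.5.21 query=api.microsoft.com. type=A
garbage line that does not parse
""".splitlines()

if __name__ == "__main__":
    found, per_host = flag_unexpected_lookups(SAMPLE_LOG)
    for host, name in found:
        print(f"{host}: unexpected lookup of {name}")
    print(per_host)
```

The allow-list is matched on parent domains so that `downloads.solarwinds.com` passes while `solarwinds.com.evil.example` does not; a lookup-by-lookup report rather than a single flag lets the analyst see whether a host is beaconing repeatedly, which is the pattern described above.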

The hackers used the digital equivalent of a spy’s disguise to blend in with the flood of data flowing through government and corporate networks and remain undetected. They snatched up years-old but abandoned internet domains and repurposed them for hacking, and they named their software to mimic legitimate corporate tools. Most devastatingly, they sneaked their malicious code into the legitimate software of a trusted software maker—an Austin-based company called SolarWinds Corp. and its software called Orion.

The Cybersecurity and Infrastructure Security Agency, tasked with protecting U.S. networks, said in an alert Thursday that it had evidence the hackers had broken into computer networks through entry points other than the SolarWinds software. The alert labeled the hack a “grave threat” to compromised victims, which it said include multiple government agencies, critical infrastructure entities and private sector companies.

Hours later, the National Security Agency, America’s top cyberspy organization, issued a broader warning to defense agencies and contractors about vulnerabilities such as those exposed by the SolarWinds attack. Hackers, it said, were finding ways to forge computer credentials to gain wider access across networks and steal protected data stored on in-house servers and cloud data centers. The approach, the NSA said, may have been used in an attack on VMware Inc. software used in national security circles that the spy agency warned about earlier this month.

Government officials and cybersecurity experts have concluded that Russia is likely responsible for the hack, in part due to the extreme skill involved as well as other classified clues, according to people familiar with the matter. At least two senators who have received briefings in recent days have openly referred to it as a Russian operation. Moscow has denied responsibility.

Government officials and lawmakers are still working to understand the full consequences of the hack, which is viewed as a classic but highly successful attempt to spy on internal communications and steal information that could be valuable to Moscow’s intelligence agencies. It isn’t considered a destructive attack that damaged or shut down computer systems, as some major cyberattacks have done in the past.

Cybersecurity company FireEye Inc. says private sector customers across the globe likely have been impacted. Investigators say that the bulk of the companies affected by the attack are based in the U.S. and Western Europe. No foreign governments have announced compromises of their own systems. A former senior British intelligence official said Western governments other than the U.S. expect to find evidence of compromises in their systems in the coming weeks.

The SolarWinds attack so eluded U.S. security measures that it was discovered not by intelligence officials but, almost accidentally, thanks to an automated security alert sent in recent weeks to an employee at FireEye, which itself had been quietly compromised.

The warning, which was also sent to the company’s security team, told the employee of FireEye that someone had used the employee’s credentials to log into the company’s virtual private network from an unrecognized device—the kind of security message that corporate workers routinely delete. Had it not triggered scrutiny from FireEye executives, the attack would likely still not be detected, officials say.
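The alert that exposed the intrusion was a simple one: a known user’s credentials arriving over the VPN from a device that user had never used. What follows is an added example, not FireEye’s code or any real vendor’s, of that detection logic run over constructed login records. Every user name, device identifier, address and record is invented for the illustration, and the choice to notify a security team as well as the user is an assumption about how such an alert should be routed, which the text above makes a point of.

```python
"""Flag VPN logins that use a known user's credentials from a device that
user has never logged in from.  Added example; users, device IDs, addresses
and log records are constructed, not taken from any real incident."""
import json
from collections import defaultdict


def build_device_baseline(history):
    """Map each user to the set of device IDs seen in their successful logins
    during a trusted baseline period.  Failed attempts never enter the baseline."""
    baseline = defaultdict(set)
    for rec in history:
        if rec.get("result") == "success":
            baseline[rec["user"]].add(rec["device_id"])
    return dict(baseline)


def detect_new_device_logins(events, baseline):
    """Return one alert per successful login whose device is not in the user's
    baseline.  The baseline is deliberately not extended here: a device becomes
    'known' only after the user or the security team confirms it, so an
    attacker's device keeps generating alerts instead of going quiet."""
    alerts = []
    for rec in events:
        if rec.get("result") != "success":
            continue
        if rec["device_id"] in baseline.get(rec["user"], set()):
            continue
        alerts.append({
            "ts": rec["ts"],
            "user": rec["user"],
            "device_id": rec["device_id"],
            "src_ip": rec["src_ip"],
            # Assumption: the alert goes to the security team as well as the
            # user, so it cannot simply be deleted from one inbox.
            "notify": [rec["user"], "security-team"],
        })
    return alerts


def parse_jsonl(text):
    """Parse newline-delimited JSON log records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed baseline: the devices each user normally connects from.
HISTORY = parse_jsonl("""
{"ts":"2020-11-02T08:01:00Z","user":"alice","device_id":"dev-A","src_ip":"203.0.113.7","result":"success"}
{"ts":"2020-11-05T09:12:00Z","user":"alice","device_id":"dev-B","src_ip":"203.0.113.7","result":"success"}
{"ts":"2020-11-06T07:40:00Z","user":"bob","device_id":"dev-C","src_ip":"198.51.100.3","result":"success"}
{"ts":"2020-11-06T07:41:00Z","user":"bob","device_id":"dev-X","src_ip":"198.51.100.3","result":"failure"}
""")

# Constructed events under review: a normal login, alice's credentials from an
# unseen device, a failed attempt for bob, and bob's credentials from an unseen device.
EVENTS = parse_jsonl("""
{"ts":"2020-12-01T10:00:00Z","user":"alice","device_id":"dev-A","src_ip":"203.0.113.7","result":"success"}
{"ts":"2020-12-01T10:05:00Z","user":"alice","device_id":"dev-Z","src_ip":"192.0.2.44","result":"success"}
{"ts":"2020-12-01T10:06:00Z","user":"bob","device_id":"dev-C","src_ip":"198.51.100.3","result":"failure"}
{"ts":"2020-12-01T10:07:00Z","user":"bob","device_id":"dev-Q","src_ip":"192.0.2.45","result":"success"}
""")

if __name__ == "__main__":
    for alert in detect_new_device_logins(EVENTS, build_device_baseline(HISTORY)):
        print(json.dumps(alert))
```

The two design decisions that matter are in the comments: a device is not silently promoted to “known” on first sight, and the alert has a second recipient. Without both, the message is exactly the kind of notice a busy employee deletes, which is how the text above describes the near miss.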

Cybersecurity company FireEye Inc., which itself had been quietly compromised, discovered the attack. PHOTO: BEN MARGOT/ASSOCIATED PRESS

The stealth of the attack has slowed efforts to determine how far-reaching the cyber intrusion has been, and new revelations have emerged daily. On Thursday, the Energy Department said its business networks had been compromised. Mission critical national security functions, including those of the National Nuclear Security Administration, haven’t been impacted, a department spokeswoman said.

While U.S. government agencies were clearly a target, Microsoft Corp. released research Thursday showing that of the more than 40 customers it had identified as victims of the SolarWinds hack, 44% were IT services companies. While 80% of the victim companies were based in the U.S., Microsoft said that targets were also hit in the U.K., Canada, Mexico, Belgium, Spain, Israel and the United Arab Emirates.

Taken together, the information investigators have uncovered indicates the suspected Russian hacking operation is more widespread than was feared even days ago, with the hallmarks of a historic espionage campaign.

Some security experts now believe there are clues to suggest preparations for the attack may date back four years.

The hackers found their way into the Department of Homeland Security, the sprawling State Department, the Treasury and Commerce departments and others, according to people familiar with the matter. As many as 18,000 companies downloaded the malicious SolarWinds update. Investigators suspect the hackers burrowed into dozens or perhaps hundreds of those, given the resources and time required to quietly infiltrate a network.

Hackers infiltrated the Department of Homeland Security, the State Department, the Treasury, shown above, and other government departments. PHOTO: ERIC BARADAT/AGENCE FRANCE-PRESSE/GETTY IMAGES

But because it went undetected for so long and due to the expertise of the hackers, thousands of potential victims may never be able to know for sure whether they were compromised, security experts say.

“It’s very broad in scope, and potentially very damaging to our economic security,” said J. Michael Daniel, chief executive of the Cyber Threat Alliance, an industry information-sharing group, and the former White House cybersecurity coordinator in the Obama administration. “It’s going to take a long time to figure out the full scope and extent of the damage, and it’s probably going to cost a lot of money to fix.”

It’s also a black eye for the U.S. intelligence community, which spent much of the year worrying about a hack by Russia or others targeting the U.S. presidential election and was in a celebratory mood when that didn’t occur. The actual attack ended up with a different target, government and corporate networks, and went undetected until it was discovered almost by luck by FireEye rather than by government security agencies.

The warning about the login attempt set off a red alert at the cyber vendor, which is charged with helping to protect the networks of some of the biggest companies. FireEye put more than 100 cyber sleuths on the job out of its roughly 3,400 total staff. Trained to investigate breaches at other companies, they now found themselves scouring the company’s own networks.

“It came in crisp and clean,” FireEye Chief Executive Kevin Mandia said of the apparent intrusion. “After years of responding to breaches, years of just understanding the details, something felt different about this one.”

Kevin Mandia, chief executive officer of FireEye, shown in 2017. PHOTO: ANDREW HARRER/BLOOMBERG NEWS

Charles Carmakal, senior vice president of FireEye’s incident response unit, led the company’s investigation. Early into the process, Mr. Carmakal said he realized the company was contending with one of the most advanced and disciplined hacking groups he had ever seen.

Among the worrying signs, the attackers seemed to understand the red flags that typically help companies like FireEye find intrusions, and they navigated around them: they used computer infrastructure located entirely in the U.S., and they gave their systems the same names used by real FireEye employee systems, an unusually adept tactic designed to further conceal their presence.

More alarmingly, FireEye, other security companies and partners in the intelligence community and law enforcement could find no evidence linking that infrastructure to attacks on other victims. Hackers, even good ones, often reuse their cyber tools because doing so is easier, cheaper and faster.

The laser focus made the attack harder to detect, FireEye and others said. Mr. Mandia likened the activity to “a sniper round through a bulletproof vest.”

Once they noticed suspicious activity emanating from SolarWinds’ Orion product, the company’s malware analysts scoured some 50,000 lines of code in search of “a needle in a stack of needles,” Mr. Carmakal said, eventually spotting a few dozen lines of suspicious code that didn’t appear to have any reason to be there. Further analysis confirmed it as the source of the hack.

On Saturday, the company notified SolarWinds, the software vendor that had unwittingly sent out contaminated software since March, about its discovery, and updated the U.S. government. “We mobilized our incident response team and quickly shifted significant internal resources to investigate and remediate the vulnerability,” SolarWinds said Thursday.

SolarWinds said it released a quick fix that patched the security issue for customers this week. But experts have warned that merely cutting off the access point for hackers won’t guarantee their removal, especially because they would have used their time inside those networks to further conceal their activity.

While intelligence officials and security experts generally agree Russia is responsible, and some believe it is the handiwork of Moscow’s foreign intelligence service, FireEye and Microsoft, as well as some government officials, believe the attack was perpetrated by a hacking group never seen before, one whose tools and techniques had been previously unknown.

Satellite imagery of Russia’s Foreign Intelligence Service in Moscow, in 2019. PHOTO: DIGITALGLOBE/GETTY IMAGES

“We were lucky to catch them when we did,” said Glenn Gerstell, the former general counsel of the National Security Agency. Despite powerful espionage capabilities and a commitment to persistently monitoring what foreign hackers are doing overseas, legal restrictions make U.S. intelligence agencies ill-suited to follow capable adversaries who set up camp on domestic computer infrastructure, as the SolarWinds hackers did, Mr. Gerstell said.

The complexity and broad success of the SolarWinds hack represents a new frontier for cybersecurity, but the technique of using a trusted software provider as a Trojan Horse to break into its customers has been used before. In 2017 hackers also linked to Russia put malicious software in an obscure Ukrainian tax program, leading to a world-wide outbreak of the destructive software known as NotPetya. FedEx Corp. later said that the incident cost the company $400 million. Another victim, Merck & Co., put the cleanup price tag at $670 million.

With the SolarWinds attack, stealth and not destruction was the priority. This allowed it to go undetected for so long, and it also showed how far hackers could go by gaining access to the software development tools of a medium-size company with footholds in the networks of the U.S. government and Fortune 500 companies.

How the hackers gained access to SolarWinds systems to introduce the malicious code is still uncertain. The company said that its Microsoft email accounts had been compromised and that this access may have been used to glean more data from the company’s Office productivity tools.

Key building blocks for the SolarWinds hack were put in place last year, when the hackers acquired internet domains that would serve as outside launching points for their attack, according to Joe Slowik, a researcher with threat intelligence company DomainTools LLC. Once installed, the malicious software connected to servers on those domains, which let the hackers launch further attacks against SolarWinds customers and steal data.

The cybersecurity firm Volexity Inc. has traced the actions of the SolarWinds hackers back at least four years, according to Steven Adair, the company’s president.

In July, he investigated a break-in at a think tank, which he declined to name, that was using SolarWinds software. The think tank had been under attack for four years as hackers attempted to read the emails of specific employees, Mr. Adair said. The first time they gained access, they used an unknown method; the second time they took advantage of a bug in Microsoft Exchange software. When FireEye publicly released its SolarWinds findings on Sunday, Mr. Adair said he knew “within seconds” that it was related to the incident he had investigated in the summer.

FireEye has fielded calls in recent days from customers who believe they have been infiltrated by the same hackers even though they never installed SolarWinds software on their networks, according to Mr. Carmakal.

“It would be foolish for us to think that the only technique that they have to break in organizations is SolarWinds,” Mr. Carmakal said. “As we continue our investigation, we may find that there is a different avenue the attacker used to gain access to those organizations.”
