The US government is recovering from multiple data breaches at major federal agencies, the result of a worldwide hacking campaign with possible ties to Russia. Researchers are still trying to figure out how much of the government may have been affected and how badly it may have been compromised.
But what little we know has cybersecurity experts extremely concerned – with some describing the attack as a literal wake-up call.
“I woke up in the middle of the night last night just sick to my stomach,” said Theresa Payton, who served as White House chief information officer under President George W. Bush. “On a scale of 1 to 10, I’m at a 9, and that’s not because of what I know, it’s because of what we don’t know yet.”
On Sunday night, the Commerce Department acknowledged that it had been hit by a data breach after Reuters first reported that sophisticated hackers compromised the agency through a third-party software provider known as SolarWinds. While SolarWinds is not a household name, it works with many companies and organizations that are.
Since then, more details have emerged suggesting a much broader pattern of compromise. As many as 18,000 SolarWinds customers, out of a total of 300,000, may have been running software containing the tampered update that allowed hackers to penetrate the Commerce Department, the company revealed in a securities filing this week.
Here’s why the cyber attacks revealed this week keep experts awake at night, based on who was attacked, the attackers’ suspected identities and their playbook, according to analysts contacted by CNN Business and published security reports.
All federal agencies on alert
One reason the attack is so troubling is because of who may have been a victim of the spying campaign.
At least two US agencies have publicly confirmed that they were compromised: the Department of Commerce and the Department of Agriculture. The Department of Homeland Security’s cyber arm was also compromised, CNN previously reported.
But the range of potential victims is much, much larger, raising the worrying possibility that the U.S. military, the White House or public health agencies responding to the pandemic have also been targeted by foreign espionage. The Department of Justice, the National Security Agency, and even the U.S. Postal Service have been cited by security experts as potentially vulnerable.
All federal civilian agencies have been told to review their systems in an emergency directive issued by DHS officials. It is only the fifth such directive issued by the Cybersecurity and Infrastructure Security Agency since it was created in 2018.
It’s not just the US government in the crosshairs: elite cybersecurity firm FireEye, which itself fell victim to the attack, said companies across the wider economy were also exposed to espionage. The compromised software that enabled the spying has been found in the technology and telecommunications industries, as well as at consulting firms and energy companies, according to FireEye.
Security experts say this is simply the beginning. In the coming days, we may know that many more companies and agencies have been compromised than we initially suspected. And we still do not know what information may have been lost or stolen.
Extraordinarily skilled attackers
Another reason to worry is that the attackers seem to have been extraordinarily skilled and purposeful.
“The campaign demonstrates top-tier operational tradecraft and resourcing consistent with state-sponsored threat actors,” FireEye said, adding that the intrusions appear to date back as far as the spring. “Each of the attacks requires meticulous planning and manual interaction.”
Attributing any cyberattack is difficult under the best of circumstances, and even more so when a sophisticated actor works to cover its tracks, as this one did. But US officials have tentatively said that the culprit may have ties to Russia.
That agents of a foreign government may have been responsible for the breaches is a worrying sign not only of the attackers’ capabilities but also of their motives. These were not opportunistic cybercriminals indiscriminately probing whatever targets they could find in the hope of extorting their victims for a quick payday. These were highly motivated attackers who selected each of their victims for a specific purpose that remains unknown.
“If you compromise someone’s network for six months, there are many opportunities,” said James Lewis, a cybersecurity expert at the Center for Strategic and International Studies, a Washington think tank. “It’s an incredible blow for the Russians, really impressive.”
An unusual and creative trick
A third reason for concern is the unusual and creative way in which the attackers carried out their operation: disguising the initial attack within legitimate software updates issued by SolarWinds.
“SolarWinds is one of the most widely used and effective tools for network monitoring, including in federal networks and large corporations,” said Jamie Barnett, a retired Navy admiral and senior vice president at cybersecurity firm RigNet. “It takes a statewide cyber attack to get into SolarWinds updates and patches.”
By abusing otherwise trusted software updates, the attackers turned the normal and recommended best practice of keeping software up to date against the very organizations following it. Thousands of companies and government agencies could have been exposed simply for doing the right thing.
That’s what’s scary: it’s unclear what could have been done differently in this case, because the very process intended to reassure users that “this software can be trusted” was what had been compromised.
Once inside a target’s network, the attackers waited patiently until they had collected enough data on authorized users to impersonate them, allowing them to move through the victim’s network undetected for months, according to an analysis by cybersecurity firm CrowdStrike.
The degree of access the hackers enjoyed, as well as the amount of time they were able to gather information, may end up making this “a much worse cyber attack than the Office of Personnel Management breach” revealed by the U.S. government in 2015, Barnett said. That breach, attributed to hackers linked to China, resulted in large troves of personal data being stolen from millions of federal employees and security clearance applicants.
The increasing frequency and intensity of state-sponsored hacking has some cybersecurity leaders reiterating calls for a global treaty on cyber warfare.
“We need a set of binding rules,” Microsoft President Brad Smith said at an event held Tuesday by the Ronald Reagan Foundation and Institute. “And we need a commitment from the world’s democracies to hold authoritarian regimes accountable, to keep their hands off civilians in this peacetime when it comes to cyberspace.”
Other experts are increasingly questioning the dependence of many companies on only a handful of third-party providers, and suggesting that perhaps society makes it a little too easy for data to be accessed or shared, especially during a pandemic when working remotely is normal for countless individuals.
“It raises the question: in cybersecurity, do we have a ‘too big to fail’ situation? And it happened right under our noses, as we told everyone to spend more, on the tool, on obtaining products?” Payton said.