Experts who have struggled with SolarWinds hackers say the cleanup could take months – or longer

December 24, 2020

By Raphael Satter

WASHINGTON (Reuters) – Cybersecurity expert Steven Adair and his team were in the final stages of removing the hackers from a think tank network earlier this year when a suspicious pattern in the log data caught their attention.

Not only had the spies managed to break in again – a common occurrence in the cyber incident response world – but they had passed right through to the customer’s email system and rolled past the newly revamped password protections as if they didn’t exist.

“Wow,” Adair recalled thinking in a recent interview. “These guys are smarter than the average bear.”

It wasn’t until last week that Adair’s company – the Reston, Virginia-based Volexity – realized that the bears it had grappled with were the same group of sophisticated hackers who had compromised Texas-based software company SolarWinds.

Using a subverted version of the company’s software as a makeshift skeleton key, the hackers sneaked into a swath of U.S. government networks, including the Treasury, Homeland Security, Commerce, Energy, State, and other agencies.

When news of the hack got out, Adair immediately thought back to the think tank, where his team had traced one of the break-in attempts to a SolarWinds server but never found the evidence it needed to pinpoint the precise entry point or notify the company. Digital indicators published by cybersecurity firm FireEye on Dec. 13 confirmed that the think tank and SolarWinds had been hit by the same actor.

Senior U.S. officials and lawmakers have claimed Russia is to blame for the hacking attack, an accusation the Kremlin denies.

Adair – who helped protect NASA from hacking threats for about five years before eventually founding Volexity – said he had mixed feelings about the episode. On the one hand, he was pleased that his team’s assumption about a SolarWinds connection had been correct. On the other hand, his team had been on the brink of a much bigger story.

Much of the U.S. cybersecurity industry is now in the same place Volexity was earlier this year, trying to discover where the hackers have been and to eliminate the various secret entry points the hackers likely planted on their victims’ networks. Adair’s colleague Sean Koessel said the company was handling about 10 calls a day from companies that feared they had been targeted or were concerned that the spies were already in their networks.

His advice to all the others hunting the hackers: “Leave no stone unturned.”

Koessel said the effort to uproot the hackers from the think tank – which he declined to identify – spanned from the end of 2019 to mid-2020 and saw two new break-ins along the way. Performing the same task across the U.S. government is likely to be many times more difficult.

“I could easily see that it would take half a year or more to find out – if not years for some of these organizations,” said Koessel.

Pano Yannakogeorgos, an associate professor at New York University who served as the founding dean of the Air Force Cyber College, also predicted a longer timeline, saying some networks would have to be ripped up and wholly replaced.

In any case, he predicted a high price tag, as caffeinated experts were brought in to search digital logs for traces of compromise.

“There is a lot of time, money, talent and Mountain Dew involved,” he said.

(Reporting by Raphael Satter; edited by Andrea Ricci)
