Here’s what we know – and don’t know – about the suspected Russian hack

US officials are deeply concerned about a massive and ongoing cyber attack on large corporations and US agencies, including the Treasury and Commerce Departments. The Cybersecurity and Infrastructure Security Agency (CISA) called the attack a “serious risk” to national security.

Cybersecurity experts believe a well-organized group of hackers in March exploited a weakness in products developed by SolarWinds, an IT company that provides software to government agencies and hundreds of large companies, including Microsoft, which helped investigate and report the attack. By compromising SolarWinds, the attackers were able to access sensitive information and track the communications of dozens of companies and agencies using the company’s software, including the Treasury, Commerce and Energy Departments, as well as Los Alamos National Laboratory, which oversees nuclear weapons.

Details about the hack are still emerging, but officials are calling it an “attack” because it was a deliberate action likely carried out by a nation-state. Experts such as Nick Merrill, director of the Daylight cybersecurity lab at UC Berkeley, say the breach is more akin to “cyber espionage” because the attackers have been monitoring corporate and government officials’ communications for months.

While it is not known whether nuclear protocols have been compromised, Merrill says this was an “advanced cyber attack” and “it is certainly possible that the attackers have exploited other vulnerabilities of which we are not yet aware.”

Who was behind it?

In early December, the same “highly sophisticated threat actor” allegedly stole digital tools developed by cyber defense company FireEye. FireEye discovered the breach and alerted authorities, which helped lead to the discovery of break-ins in other companies and agencies.

Experts believe the attacks are related and were perpetrated by a group known as “Cozy Bear”, the code name used for the SVR, a wing of Russian intelligence linked to several recent high-profile hacks, including those of the Democratic National Committee in 2016 and the 2018 Olympics.

Although President Trump downplayed the hack and suggested that China could be responsible, Secretary of State Mike Pompeo said it is “pretty clearly” Russia that is to blame.

“This was a very significant effort, and I think we can now say quite clearly that it was the Russians who engaged in this activity,” Pompeo said in an interview on the Mark Levin talk radio program.

On Monday, Attorney General William Barr agreed with Pompeo, stating that it “certainly appears to be the Russians.”


Dmitry Peskov, a Kremlin spokesman, denied Russian involvement in the hack. “Russia is not involved in such attacks, namely this one. We declare this officially and forcefully,” he said, calling the allegations “absolutely baseless” and likely a result of “blind Russophobia”.

How did they do it?

Digital forensic experts suspect the hackers compromised a tool called Orion, which centralizes network monitoring, and a service called Netlogon, which verifies login requests. They also breached Microsoft Office 365, a service used by a number of government agencies. More than 18,000 companies and agencies are confirmed to be affected, and the number could reach 33,000.

The attack method was new, says Bryson Bort, a former Army intelligence officer and adviser to the Army Cyber Institute, because it apparently didn’t rely on traditional hacking methods like phishing (using a deceptive email or link to gain access) or a zero-day exploit, which uses a previously unknown software vulnerability to covertly access private networks.

Instead, Bort says, the hackers co-opted the software update process by inserting malicious code into the SolarWinds software before customers downloaded the latest version. “Then they spread out using all kinds of different software to establish persistence” on the network. He added that even after the hack has been investigated, there is “still the possibility [the attackers] remain hidden on various systems for years.”

Congressman Jim Himes, a Democrat who is a member of the House Intelligence Committee, told CBSN, “It was a very cleverly designed hack because it used US IP addresses, it used a US company, SolarWinds, and therefore the common people who were more or less steadfast on the wall, looking outside for attacks coming from abroad, were fooled there.”

Neil Walsh, who manages cybersecurity for the United Nations Office on Drugs and Crime, says that evasion is common in cyber attacks and that correct attribution may remain unclear for a long time.

“Attacks of this magnitude take time to understand, mitigate and attribute,” explains Walsh. “Imagine a burglar trying to break into your home to steal your bank details. Instead of smashing the door, they design and test a skeleton key for the lock of your house over a period of months. Then they go inside your house and think they can see everything. Then they make an invisibility cloak and wrap themselves in it.”

How much damage has been done?

The consequences are equally difficult to predict, but experts fear the damage will be severe and far-reaching. “The scale,” said Himes, “is enormous.”


In 2017, a group called the Shadow Brokers, also linked to Russian intelligence services, hacked and publicly released cyber weapons belonging to the US National Security Agency. One of those tools, known as EternalBlue, gave rise to a virulent and powerful type of ransomware called NotPetya. Attackers used it to paralyze large companies and government offices in Europe and worldwide, causing more than $10 billion in damage. At the time, it was considered the most devastating cyber attack in history.

This attack is different, says Joel Benavides, the head of Global Legal at Redis Labs, but the ramifications can be wide-ranging. For example, these hackers were able to rummage through sensitive communications, exfiltrate data from restricted government databases, and wipe companies’ intellectual property on an unprecedented scale.

“The tremendous economic, social and military impact cannot be overstated,” said Benavides. “Recovery costs, regulatory fines and the potential loss of trade secrets and industrial know-how will amount to billions of dollars.”

Himes said, “We know this hack managed to penetrate all kinds of networks. We just don’t know things like whether it got into particularly sensitive networks; that would be government national security networks, or financial entities that could have your account information somewhere, or otherwise sent where it can be abused.”

The long-term impact, Benavides added, could be that the attack “exposes weaknesses in our government cybersecurity infrastructure while fanning suspicion and affecting public confidence in the institutions designed to protect us all.”
