Russia’s suspected hacking operation targeted 5 US agencies and 18,000 entities

Around the world, public and private agencies and companies have been rushed to determine whether they have been affected by what could amount to one of the most extensive hacking campaigns of the past decades.

The fallout continues less than 48 hours after the U.S. government issued an emergency alert on Sunday, requiring government users to disconnect from the breached SolarWinds network management software.

“In short, SolarWinds’ Orion product provides centralized monitoring across an organization’s entire IT stack. That means the attackers who could compromise this platform had extremely high levels of access to all of these client systems,” David Kennedy, CEO of TrustedSec, told Fox News.

Kennedy, a former National Security Agency and Marine Corps hacker, also noted that “since this type of attack is so covert and the attackers have used legitimate software to discover their own malicious code, it can be very difficult for businesses to determine if they were part of this attack.”

As it stands now, the United States Department of State, the Department of Homeland Security (DHS) and elements of the Department of Defense have reported that they have been compromised. Those disclosures follow earlier assessments confirming that the Treasury and Commerce Departments had been breached in what investigators describe as a large-scale Russian intelligence operation.

However, SolarWinds’ customer base spans some 300,000 organizations – including other highly sensitive federal agencies, from the Department of Justice to the Centers for Disease Control – as well as thousands of private companies.

According to the New York Times, almost all Fortune 500 companies use SolarWinds products to monitor their networks, including major defense contractors such as Boeing.

The tech company said in its security advisory on Tuesday that no more than 18,000 customers had downloaded the malicious software, which essentially allowed the hackers to infiltrate systems undetected for up to nine months. In its regulatory disclosure, SolarWinds said it believed malicious code had been inserted into updates to its Orion network management software distributed between March and June this year.

“We have learned that this incident was likely the result of a highly sophisticated, targeted and manual attack on the supply chain by an outside nation-state,” the company said. “But we have not independently verified the identity of the attacker.”

However, investigators and cyber specialists are already pointing the finger at Moscow, which has denied any involvement.

Nevertheless, preliminary assessments of the breaches suggest that the sophistication of the attacks points to the work of the Russian Foreign Intelligence Service (SVR – the espionage wing that succeeded the former Soviet Union’s secret police, the KGB). The belief that the SVR is behind the attacks stems from the fact that the hackers were very selective in collecting data from certain targets.

“Given the list of organizations using SolarWinds’ Orion platform, the potential impact could expose highly sensitive information and jeopardize national security,” said Randy Watkins, CRITICALSTART’s Chief Technology Officer. “Since the attacks are related to a nation-state, widely believed to be Russia, the intent of the attack could be anything from policy leverage and military strategy to theft of weapon system designs.”

This file photo shows an LED-lit wireless router in Philadelphia. (AP Photo / Matt Rourke, File)

Former hacker Kennedy also claimed that the most likely purpose of this attack was to steal military secrets and technology and keep an eye on the US government.

However, a foreign adversary like Russia would also benefit from access to the US financial system and corporate intellectual property, so the damage could be enormous, he said. “We will not know the full harm of this breach for several months and possibly years.”

And while the scope of the breach has yet to be determined, U.S. security officials are also struggling to assess the damage.

Vahid Behzadan, an assistant professor of engineering at the University of New Haven, noted that – based on the targeted organizations and agencies – “the attack appears to be primarily an espionage operation, with the goal of exfiltrating as much sensitive information and tools as possible.”

“Due to the extensive list of targets, it is difficult to say whether this was an attempted mass data collection or whether the attack targeted specific information sources and masked this intention with secondary breaches,” he continued.

The National Security Council (NSC) – also a SolarWinds user – held a second emergency meeting of its Cyber Response Group on Monday to discuss what happened and is reportedly convening a subordinate body. Several lawmakers have called for action to determine the extent of the attacks and what resources agencies need now to protect their networks.

“This breach should shake up every business about the serious dangers of supply chain attacks,” Kennedy added. “These types of attacks are extremely covert and difficult to detect, and they are also difficult to manage because the end user has no control over the security of the product they are using.”