But what little we know has deeply worried cybersecurity experts – some are describing the attack as a literal wake-up call.
“I woke up in the middle of the night last night with just a nauseating stomach,” said Theresa Payton, who served as White House Chief Information Officer under President George W. Bush. “On a scale of 1 to 10, I’m on a 9 – and it’s not because of what I know; it’s because of what we still don’t know.”
Since then, more details have emerged that point to a much broader pattern of compromise. As many as 18,000 SolarWinds customers – out of a total of 300,000 – may have used software that contained the vulnerability that allowed the hackers to penetrate the Commerce Department, the company announced this week in an investor filing.
Here is why the cyberattacks revealed this week keep experts up at night: who was targeted, the suspected identities of the attackers, and their playbook, according to analysts contacted by CNN Business and the security reports published so far.
All federal agencies wary
One of the reasons the attack is so concerning is because of who may have been a victim of the espionage campaign.
At least three U.S. agencies have publicly confirmed they were compromised: the Department of Commerce, the Department of Homeland Security, and the Department of Agriculture.
But the number of potential victims is much, much greater, creating the troubling prospect that the US military, the White House, or the public health agencies that responded to the pandemic could also be the target of foreign espionage. The Department of Justice, the National Security Agency, and even the US Postal Service have all been cited by security experts as potentially vulnerable.
Security experts say this is just the beginning. In the coming days, we may learn that many more companies and agencies have been compromised than we initially suspected. And we still don’t know what information may have been lost or stolen.
Extremely skilled attackers
Another cause for concern is that the attackers appear to have been extraordinarily skilled and determined.
“The campaign showcases the highest level of operational craft and resources in line with state-sponsored threat actors,” FireEye said, adding that the breaches appear to date back as far as the spring. “Each of the attacks requires careful planning and manual interaction.”
Attributing a cyber attack is difficult under the best of circumstances and even more challenging when an experienced actor is working to cover their tracks, as they did. But US officials have tentatively said the perpetrator may have ties to Russia.
The fact that agents of a foreign government may have been responsible for the breaches is a worrying sign not only of the attackers’ capabilities but also of their motives. These weren’t opportunistic cyber criminals haphazardly scouring every target they could find in hopes of extorting their victims for a quick payday. These were highly motivated attackers who selected each of their victims for a specific purpose that remains unknown.
“If you put someone’s network at risk for six months, there’s a lot of chance,” said James Lewis, a cybersecurity expert at the Center for Strategic and International Studies, a security think tank. “It’s a great coup for the Russians – really impressive.”
An unusual and creative hack
A third cause for concern is the unusual and creative way in which the attackers carried out their operation – by disguising the initial attack in legitimate SolarWinds software updates.
“SolarWinds is one of the most widely used and effective network monitoring tools, including between federal networks and large corporations,” said Jamie Barnett, a retired Navy Rear Admiral and senior vice president at cybersecurity firm RigNet. “It takes a state-level cyber-attack to access SolarWinds updates and patches.”
By piggybacking on otherwise trusted software updates, the attackers made cunning use of a common and recommended best practice: keeping software up to date. Thus, thousands of companies and government agencies could have been exposed simply by doing the right thing.
That’s what’s so scary: it’s not clear what could have happened differently in this case, because the very process designed to assure users that “this software can be trusted” was itself compromised.
With the increasing frequency and intensity of state-sponsored hacking, some cybersecurity leaders are reiterating calls for a global cyber warfare treaty.
“We need a set of binding rules,” Microsoft President Brad Smith said Tuesday at an event held by the Ronald Reagan Foundation and Institute. “And we need a commitment from the world’s democracies to hold authoritarian regimes to account so that, in this time of peace, they keep their hands off the citizens when it comes to cyberspace.”
Other experts are increasingly questioning many businesses’ reliance on just a handful of third-party vendors, saying society may be making it a little too easy to access or share data, especially during a pandemic when remote working is common for many individuals.
“It begs the question: ‘In cybersecurity, do we have a “too big to fail” situation? And did it happen right under our noses, while we told everyone to spend more, buy tools, get products?’” Payton said.