A massive computer breach allowed hackers to spend months exploring numerous U.S. government networks and private companies’ systems around the world. Industry experts say a country mounted the complex hack — and government officials say Russia is responsible.
The hackers attached their malware to a software update from SolarWinds, a company based in Austin, Texas. Many federal agencies and thousands of companies worldwide use SolarWinds’ Orion software to monitor their computer networks.
SolarWinds says that nearly 18,000 of its customers — in the government and the private sector — received the tainted software update from March to June of this year.
Here’s what we know about the attack:
Who is responsible?
Russia’s foreign intelligence service, the SVR, is believed to have carried out the hack, according to cybersecurity experts who cite the extremely sophisticated nature of the attack. Russia has denied involvement.
President Trump has been silent about the hack and his administration has not attributed blame. However, U.S. intelligence agencies have started briefing members of Congress, and several lawmakers have said the information they’ve seen points toward Russia.
Included are members of the Senate Armed Services Committee, where Chairman James Inhofe, a Republican from Oklahoma, and the top Democrat on the panel, Jack Reed of Rhode Island, issued a joint statement Thursday saying “the cyber intrusion appears to be ongoing and has the hallmarks of a Russian intelligence operation.”
After several days of saying relatively little, the U.S. Cybersecurity and Infrastructure Security Agency on Thursday delivered an ominous warning, saying the hack “poses a grave risk” to federal, state and local governments as well as private companies and organizations.
In addition, CISA said that removing the malware will be “highly complex and challenging for organizations.”
The episode is the latest in what has become a long list of suspected Russian electronic incursions into other nations under President Vladimir Putin. Multiple countries have previously accused Russia of using hackers, bots and other means in attempts to influence elections in the U.S. and elsewhere.
U.S. national security agencies made major efforts to prevent Russia from interfering in the 2020 election. But those same agencies seem to have been blindsided by the hackers who have had months to dig around inside U.S. government systems.
“It’s as if you wake up one morning and suddenly realize that a burglar has been going in and out of your house for the last six months,” said Glenn Gerstell, who was the National Security Agency’s general counsel from 2015 to 2020.
Who was affected?
So far, the list of affected U.S. government entities reportedly includes the Commerce Department, the Department of Homeland Security, the Pentagon, the Treasury Department, the U.S. Postal Service and the National Institutes of Health.
The Department of Energy acknowledged its computer systems had been compromised, though it said malware was “isolated to business networks only, and has not impacted the mission essential national security functions of the Department, including the National Nuclear Security Administration.”
SolarWinds has some 300,000 customers, but it said “fewer than 18,000” installed the version of its Orion products that appears to have been compromised.
The victims include government, consulting, technology, telecom and other entities in North America, Europe, Asia and the Middle East, according to the security firm FireEye, which helped raise the alarm about the breach.
After studying the malware, FireEye said it believes the breaches were carefully targeted: “These compromises are not self-propagating; each of the attacks require meticulous planning and manual interaction.”
Microsoft, which is helping investigate the hack, says it identified 40 government agencies, companies and think tanks that have been infiltrated. While more than 30 victims are in the U.S., organizations were also hit in Canada, Mexico, Belgium, Spain, the United Kingdom, Israel and the United Arab Emirates.
“The attack unfortunately represents a broad and successful espionage-based assault on both the confidential information of the U.S. government and the tech tools used by firms to protect them,” Microsoft’s President Brad Smith wrote.
“While governments have spied on each other for centuries, the recent attackers used a technique that has put at risk the technology supply chain for the broader economy,” he added.
How did the hack work?
Hackers exploited the way software companies distribute updates, adding malware to the legitimate package. Security analysts said the malicious code gave hackers a “backdoor” — a foothold in their targets’ computer networks — which they then used to gain elevated credentials.
SolarWinds traced the “supply chain” attack to updates for its Orion network products between March and June.
“After an initial dormant period of up to two weeks, it retrieves and executes commands, called ‘Jobs,’ that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services,” FireEye said.
The malware was engineered to be stealthy, operating in ways that would masquerade as normal activity, FireEye said. It added that the malicious software could also identify forensic and anti-virus tools that might threaten it. And it said the credentials it used to move within the system were “always different from those used for remote access.”
After gaining access, Microsoft said, the intruder also made changes to ensure long-term access, by adding new credentials and using administrator privileges to grant itself more permissions.
FireEye is calling the “Trojanized” SolarWinds software Sunburst. It named another piece of malware – which it said had never been seen before — TEARDROP.
What are investigators doing now?
SolarWinds said it is cooperating with the FBI, the U.S. intelligence community and other investigating agencies to learn more about the malware and its effects. The company and security firms also said any affected agencies or customers should update to the latest software to lessen their exposure to the vulnerability.
Microsoft has now taken control of the domain name that hackers used to communicate with systems that were compromised by the Orion update, according to security expert Brian Krebs. That access can help reveal the scope of the hack, he said.
What’s next for the agencies and companies that were hacked?
Kevin Mandia, CEO of FireEye, told NPR that as companies and agencies learn they’ve been compromised, there’s much to do: They must investigate the scale and scope of the attack, and eradicate the attackers from their network if they’re still active. Even if they’re not still active, he predicts months of remediation ahead.
For the U.S. government, Mandia says, there are bigger questions to be addressed — including a doctrine on what the U.S. expects nations’ rules of engagement to be, and what the response will be to those who violate that doctrine.
This story was first published Dec. 15 and has been updated.