In December 2020, a cybersecurity firm detected a cyberattack on an unprecedented scale. Malicious software had been operating undetected for months, possibly affecting as many as 18,000 organizations — including most U.S. federal government unclassified networks and more than 425 Fortune 500 companies.
More than a month after the breach was discovered, there are still a lot of things we don’t know, like how it happened and what it’s going to take to recover. Before we get started, the reality is that there aren’t many facts out there at the moment, but here’s what we do know.
There are indicators that this is not just one guy sitting in his basement. This hack is what’s known as a supply chain attack, where hackers get past their target’s security using a trusted third party’s software. Supply chain attacks take considerable resources and time to pull off, meaning they’re usually the work of hackers backed by a nation-state.
While cyberwarfare and espionage are something many countries engage in, one nation in particular has emerged as a likely suspect. The U.S. has an ongoing contentious relationship with Russia in cyberspace. Each country has access to the other’s power grid, and Russian intelligence is credited with breaking into the email servers of the White House, State Department, and Joint Chiefs of Staff in 2014 and 2015. So, when news of the latest intrusion broke, federal authorities and cybersecurity experts named Russia as the most likely culprit. Russia, for its part, denies any involvement.
You may be wondering how the hackers managed to gain access to such a wide range of networks, including those of the U.S. Departments of Treasury, Commerce, Energy, and State. While multiple vendors that work with the U.S. government, like Microsoft, were attacked, most of the affected networks we know about so far can be traced to a Texas-based company called SolarWinds. SolarWinds provides network monitoring and management tools. Its flagship software, called Orion, is used by over 33,000 companies.
SolarWinds was initially breached as far back as September 2019. It’s believed that the hackers were able to target this trusted company and insert malware into an update of the Orion software, which all of its clients unsuspectingly downloaded. It’s hard to grapple with just how massive a security breach this is, partly because we still don’t know the extent to which networks are compromised.
SolarWinds identified 18,000 networks that installed the update. The breach went unnoticed for almost 9 months, giving the hackers lots of time to delete their initial entry points, create new ones, and in some cases take full control of networks. Which networks they have access to and which ones they can fully control, we still don’t know. What they plan to use their access for is also a question mark, but they’ve penetrated some networks so thoroughly that they could potentially alter or delete data and impersonate government officials.
Ridding the affected systems of malware is not as simple as deleting Orion. Some experts are calling for entire networks to be rebuilt, which would be incredibly time-consuming and costly. That’s because the current system used by the U.S. is a multibillion-dollar detection system called Einstein, which works to identify malware and potential attacks. But Einstein had a flaw: it has been reported that its systems were not equipped to effectively identify new uses of already known code. As a result, it allowed the new malicious code to pass through the system undetected.
So, automatic defenses like Einstein will have to be updated to patch the blind spots the hackers exploited, and teams of security professionals will have to supplement Einstein by scouring code themselves to root out the malware that automated defenses miss. It’s going to take a long time and a lot of money to evict these bad actors. With cyberwarfare and espionage paying out huge dividends compared to the cost of the operations, expect cyberattacks to be a regular part of our future.