New Delhi: The week gone by saw mounting evidence of a highly sophisticated cyberattack on several key government departments of the US, and others in at least seven more countries. The infiltration was made via a private company’s supply chain software update.
The identity of the attackers is yet unknown, but it is suspected that hackers with ties to the Russian government are behind it.
US President-elect Joe Biden “vowed to punish” those who hacked the government while tech giant Microsoft called the breach “a moment of reckoning” for the US and other democratic nations. Microsoft said tech firms must show the hackers “that serious violations have consequences”.
Here’s a look at this “ongoing” global attack, which is expected to have more victims, and why it should be taken seriously.
How the breach was discovered
The attackers infiltrated Orion, IT monitoring and management software from the Texas-headquartered company SolarWinds, using malware.
FireEye discovered that SolarWinds had been attacked after it began investigating how it, a cybersecurity firm, had itself been hacked, which it revealed on 8 December. The New York Times described this as the “first call for government agencies and companies around the world who have been hacked”.
FireEye worked out that it had been hacked because it had been using the SolarWinds software. “This campaign may have begun as early as Spring 2020 and is currently ongoing,” the company said.
Independent researcher Vinoth Kumar told CNN that a SolarWinds server had been easy to access, with a weak password ‘solarwinds123’, and was accessible since “at least June 2018”.
To carry out this attack, the hackers injected malware into victims’ computers through a software update from SolarWinds. The hackers managed to ‘trojanize’ this update; FireEye named the resulting malware ‘SUNBURST’. Any SolarWinds customer who received this update could have been compromised.
The malware was developed by customising a breach simulation tool called BEACON, which is usually employed to test the security of a computer system. The hackers installed the malware through a program named TEARDROP.
Who are the victims?
Several US government departments, which were clients of SolarWinds’ Orion software, have been affected — the Commerce Department, the Department of Homeland Security, the Pentagon, the Treasury Department, the US Postal Service and the National Institutes of Health, according to an NPR report.
Even more concerning was the US Department of Energy statement that its computers had been compromised as well. However, “at this point”, its probe shows the malware was “isolated to business networks only, and has not impacted the mission essential national security functions of the Department, including the National Nuclear Security Administration”.
But it’s not just the US government that has been breached. Around 17,000 customers of the hacked IT firm SolarWinds’ Orion software, including private companies around the world, may have been affected.
“The victims have included government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East,” FireEye said in its blog.
In addition, Microsoft has detected that over 40 of its clients have been affected, its president Brad Smith said on 17 December. Around 80 per cent of these affected customers are in the US, while the rest are based in Canada, Mexico, Belgium, Spain, United Kingdom, Israel and the United Arab Emirates.
However, Microsoft expects this list to go up — “it’s certain that the number and location of victims will keep growing”.
“We anticipate there are additional victims in other countries and verticals,” FireEye added.
Why the attack is significant
Among the “broader ramifications” of the attack, Microsoft said, is that “while governments have spied on each other for centuries, the recent attackers used a technique that has put at risk the technology supply chain for the broader economy”.
This is why the attack and its method are serious — the attackers have managed to infiltrate the software supply chain of a company.
A software supply chain is how IT firms deliver updates remotely to their software running on customer devices. Infiltrating this chain gives hackers access to every device that will run software updates from the compromised company.
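To make concrete why a compromised update channel is so dangerous, here is an added, constructed simulation (not SolarWinds or Orion code, and not from the article) of a vendor release pipeline: a build tampered with before the vendor signs it carries a valid vendor signature, so a customer who checks only the signature installs it. It goes beyond the text by showing the defender-side check that does catch it, comparing the shipped artifact against an independent rebuild from audited source; all names, keys and build strings are made up.

```python
"""Constructed model of a software update supply chain (illustration only)."""
import hashlib
import hmac

# Stand-in for the vendor's release signing key (constructed value).
VENDOR_RELEASE_KEY = b"constructed-demo-release-key"


def sign(artifact: bytes) -> str:
    """HMAC-SHA256 stands in for the vendor's release signature."""
    return hmac.new(VENDOR_RELEASE_KEY, artifact, hashlib.sha256).hexdigest()


def build_from_source(source: bytes) -> bytes:
    """Deterministic 'compiler': the output depends only on the source."""
    return b"BUILD:" + hashlib.sha256(source).digest()


def vendor_release(source: bytes, build_stage_tamper=None):
    """Vendor pipeline: compile, (optionally) get tampered with at the build stage, then sign."""
    artifact = build_from_source(source)
    if build_stage_tamper is not None:  # attacker foothold inside the build pipeline
        artifact = build_stage_tamper(artifact)
    return artifact, sign(artifact)


def install_signature_only(artifact: bytes, signature: str) -> bool:
    """Customer check 1: accept anything carrying a valid vendor signature."""
    return hmac.compare_digest(sign(artifact), signature)


def install_with_reproduction(artifact: bytes, signature: str, audited_source: bytes) -> bool:
    """Customer check 2: valid signature AND hash equals an independent rebuild of audited source."""
    if not install_signature_only(artifact, signature):
        return False
    expected = hashlib.sha256(build_from_source(audited_source)).hexdigest()
    return hmac.compare_digest(hashlib.sha256(artifact).hexdigest(), expected)


def demo() -> dict:
    """Run both customer checks against a clean and a trojanized (pre-signing tamper) release."""
    source = b"monitoring-agent v1 (constructed source)"
    clean, clean_sig = vendor_release(source)
    trojan, trojan_sig = vendor_release(source, lambda a: a + b"+IMPLANT")
    return {
        "clean_sig_only": install_signature_only(clean, clean_sig),        # True
        "trojan_sig_only": install_signature_only(trojan, trojan_sig),     # True: signed by the vendor
        "clean_reproduced": install_with_reproduction(clean, clean_sig, source),    # True
        "trojan_reproduced": install_with_reproduction(trojan, trojan_sig, source), # False: caught
    }
```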
What can the malware do?
According to FireEye, the malware allows hackers to steal data from victim computers. When FireEye was hacked, it discovered its own “sensitive tools” used to detect vulnerabilities in client computers had been stolen by the hackers.
The malware is stealthy. It can remain “dormant” for “up to two weeks” and can “blend in with legitimate SolarWinds activity”, which means it can masquerade as genuine software.
The malware also allows hackers to move to and steal information from other computers connected to the infected computer.
Who is behind the attack?
While investigation is ongoing, Russian state-backed hackers are suspected to have carried out this attack.
US Secretary of State Mike Pompeo has blamed the “worst-ever espionage” attack on the US government on the Russians.
Connecticut Democrat Senator Richard Blumenthal, according to the NPR report, said the information “clearly pointed to Cozy Bear, a hacking group” widely considered to be part of Russian foreign intelligence SVR.
However, Russia has denied involvement. “How could I prove that I’m innocent if I didn’t do it. Let’s sit together. Let’s discuss. Let’s restart our dialogue,” Russian Ambassador to the US Anatoly Antonov was quoted as saying in the report.
US response to the attack
US national security agencies, busy preventing possible Russian interference in the 2020 election, are believed to have been “blindsided” by this attack. The hackers were inside the systems for months before they were discovered in December.
In the aftermath, however, several steps have been taken to halt the breach.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency issued an emergency directive on 13 December asking affected agencies to “immediately disconnect” from SolarWinds’ Orion products and to block data traffic to and from external devices running any version of the software.
SolarWinds has also issued a security advisory asking customers with affected software to upgrade to the latest version of Orion.
A CNN report said the US has also put into effect Presidential Policy Directive 41, “an Obama-era plan” to launch a federal government response to cyber incidents.
However, US President Donald Trump described the scale of hacking as exaggerated in a tweet. “The Cyber Hack is far greater in the Fake News Media than in actuality. I have been fully briefed and everything is well under control,” he said.
The Cyber Hack is far greater in the Fake News Media than in actuality. I have been fully briefed and everything is well under control. Russia, Russia, Russia is the priority chant when anything happens because Lamestream is, for mostly financial reasons, petrified of….
— Donald J. Trump (@realDonaldTrump) December 19, 2020