
U.S. Scrambles To Understand Major Computer Hack, But Says Little

The Department of Homeland Security is one of several federal agencies affected by a hack that hinged on a vulnerability in SolarWinds’ Orion network monitoring products.





Mandel Ngan/AFP via Getty Images

National security agencies are still scrambling to understand the full scope of a major computer intrusion that allowed hackers to rummage through U.S. government networks for months before they were finally detected.

So far, the list of affected U.S. government entities includes the Commerce Department, Department of Homeland Security, the Pentagon, the Treasury Department, the U.S. Postal Service and the National Institutes of Health.

The highly sophisticated attack bears the hallmarks of an operation carried out by Russia’s foreign intelligence service, the SVR, according to cybersecurity experts.

But the Trump administration has not formally blamed Russia or any other country, and Russia has denied involvement.

«How could I prove that I’m innocent if I didn’t do it. Let’s sit together. Let’s discuss. Let’s restart our dialogue,» Russian Ambassador Anatoly Antonov said Wednesday in a Zoom call from the Russian Embassy in Washington.

However, U.S. intelligence agencies have started briefing members of Congress, and Sen. Richard Blumenthal, a Connecticut Democrat, said the information clearly pointed to Cozy Bear, a group widely considered to be Russian foreign intelligence.

«Russia’s cyberattack left me deeply alarmed, in fact downright scared. Americans deserve to know what’s going on,» Blumenthal said in one of several tweets related to the hack.

Blumenthal said he will be pushing to make more information public.

President Trump has yet to make any public mention of the hack, and members of his administration have said little beyond acknowledging that it happened and is being investigated.

The FBI, the Department of Homeland Security and the Office of the Director of National Intelligence announced Wednesday that they have now formed a special unified team, saying they will «coordinate a whole-of-government response to this significant cyber incident.»

The hack hinged on a vulnerability embedded in software from SolarWinds, a company based in Austin, Texas. Many federal agencies and hundreds of large companies use SolarWinds’ Orion software to monitor their computer networks.

Homeland Security’s Cybersecurity and Infrastructure Security Agency issued an Emergency Directive on Sunday, telling federal agencies «to immediately disconnect or power down affected SolarWinds Orion products from their network.»

The incident is the latest in what has become a long list of suspected Russian electronic incursions into other nations – particularly the U.S. – under President Vladimir Putin. Multiple countries have previously accused Russia of using hackers, bots and other means in attempts to influence elections in the U.S. and elsewhere.

U.S. national security agencies made major efforts to prevent Russia from interfering in the 2020 election. But those same agencies seem to have been blindsided by news that hackers — suspected to be Russia’s foreign intelligence service — have been digging around inside U.S. government systems, possibly since the spring.

«It’s as if you wake up one morning and suddenly realize that a burglar has been going in and out of your house for the last six months,» said Glenn Gerstell, who was the National Security Agency’s general counsel from 2015 to 2020.

Here’s what we know about the attack:

Who was affected?

SolarWinds has some 300,000 customers, but it says «fewer than 18,000» installed the version of its Orion products earlier this year that appears to have been compromised.

The victims include government, consulting, technology, telecom and other entities in North America, Europe, Asia and the Middle East, according to the security firm FireEye, which helped raise the alarm about the breach.

«We believe this is nation-state activity at significant scale, aimed at both the government and private sector,» Microsoft said as it shared some details about what it called «the threat activity we’ve uncovered over the past weeks.»

After studying the malware, FireEye said it believes the breaches were carefully targeted: «these compromises are not self-propagating; each of the attacks require meticulous planning and manual interaction.»

How did the hack work?

Hackers exploited the way software companies distribute updates, adding malware to the legitimate package. Security analysts say the malicious code gave hackers a «backdoor» — a foothold in their targets’ computer networks — which they then used to gain elevated credentials.

SolarWinds traced the «supply chain attack» to updates for its Orion network products between March and June.

«After an initial dormant period of up to two weeks, it retrieves and executes commands, called ‘Jobs,’ that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services,» FireEye said.

The malware was engineered to be very stealthy, operating in ways that would masquerade as normal activity, FireEye said. It added that the malicious software could also identify forensic and anti-virus tools that might threaten it. And it says the credentials it used to move within the system were «always different from those used for remote access.»

After gaining access, Microsoft says, the intruder also made changes to ensure long-term access, by adding new credentials and using administrator privileges to grant itself more permissions.

FireEye is calling the «trojanized» SolarWinds software Sunburst. It named another piece of malware — which it says had never been seen before — TEARDROP.

What are investigators doing now?

SolarWinds says it is cooperating with the FBI, the U.S. intelligence community and other investigating agencies to learn more about the malware and its effects. The company and security firms also say any affected agencies or customers should update to the latest software, to lessen their exposure to the vulnerability.

Describing some of the detective work that’s now taking place, Gerstell said, «You’d have to go back and look at every room to see what was taken, what might have been touched. And of course, that’s just a horrifying thought.»

The intruders were careful to cover their tracks, he said.

«You couldn’t tell that they came in, you couldn’t tell that they left the back door open. You couldn’t even tell necessarily when they came in, took a look around and when they left.»

Microsoft has now taken control of the domain name that hackers used to communicate with systems that were compromised by the Orion update, according to security expert Brian Krebs. That access can help reveal the scope of the hack, he said.

What were the hackers after?

«This SolarWinds hack is very problematic, very troublesome, because it’s not at all clear exactly how we should respond,» Gerstell said. Part of the problem, he added, is that it’s not clear what the hackers did after gaining access.

«This is not a question of someone manipulating software to open dams or turn off electric grids,» Gerstell said. «It’s not even clear that this is necessarily an attack designed to steal intellectual property the way China, for example, has stolen everything from patents for solar panels to the blueprints for fighter jets.»

The intrusion could simply be a case of espionage, he said, of one government trying to understand what its adversary is doing.

SolarWinds says it has been told the «incident was likely the result of a highly sophisticated, targeted, and manual supply chain attack by an outside nation state, but we have not independently verified the identity of the attacker.»

This story was originally published on Dec. 15.