In what has been described as one of the most significant hacking incidents in half a decade, security breaches likely associated with Russian intelligence allowed hackers access to U.S. government networks and email systems.
On Sunday, a Reuters report stated that sources familiar with the breaches expressed their concerns about the extent of the efforts by hackers, and what information might have been compromised.
The same day, the Trump administration also acknowledged that the breaches had occurred.
It is unclear whether highly classified material or other information might have been compromised, although several agencies related to national security are believed to have been targeted, according to the New York Times.
In response to the hack, the National Security Council convened a meeting at the White House on Saturday. The Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency are currently investigating the matter.
Among the federal agencies known to have been affected are the U.S. Treasury and Commerce departments, whose email systems were compromised by the hackers. However, the full extent of the damage remains unknown and could take several weeks, or even months, to fully assess.
“As with any network compromise, it might take months to uncover the information needed to provide proper attribution and develop countermeasures,” says Morgan Wright, Chief Security Advisor for SentinelOne, a cybersecurity company based in Mountain View, California.
“This attack targeted more than the federal government, so the damage will be far reaching,” Wright told The Debrief.
The hackers, believed to be associated with Russia’s Foreign Intelligence Service, initially targeted SolarWinds, a network management software company that provides its services to several U.S. federal agencies, all branches of the military, and Fortune 500 companies. Customers are believed to have been exposed following an update released earlier this year.
“The problem is that it looks as if any of its customers who took this update got the Russian backdoor,” said Mike Riley, a cybersecurity reporter, during a Bloomberg Quicktake segment.
“SolarWinds has just been made aware our systems experienced a highly sophisticated, manual supply chain attack,” a Security Advisory the company posted online states. “We have been advised this attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack.”
“SolarWinds asks all customers to upgrade immediately to Orion Platform version 2020.2.1 HF 1 to address a security vulnerability,” read an update which appeared on the homepage of the SolarWinds website as of December 14.
“Instead of attacking hundreds of targets, the technique was to attack one target that serviced hundreds of customers,” Wright told The Debrief. “By piggybacking their malware on the updates from SolarWinds, this made the malware appear to be trusted because SolarWinds and their updates were trusted.”
Just before Christmas, on December 23, 2015, a similar hacking operation targeted three energy distribution companies in Ukraine, compromising their information systems and causing temporary service disruption for customers. The attack was notable as the first successful cyberattack recognized to have been carried out against a power grid, leaving more than 200,000 customers without power for up to six hours.
Wright says the recent attack involving SolarWinds bears similarity to the 2015 incident.
“The BlackEnergy malware also had a first-of-a-kind tradecraft,” Wright told The Debrief in an email. This, he says, involved “operation specific malicious firmware updates that targeted the serial-to-ethernet adaptors used to open/close breakers at the energy plants.”
“This is very consistent with the current tradecraft,” Wright says.
Security experts have argued that current IT infrastructure requires significant upgrades to help reduce the threat of similar attacks in the future. Many experts also believe that artificial intelligence will likely play a key role in such efforts in the years to come.
“This attack reinforces the need to upgrade legacy protection schemes and techniques to modern, behavior-based types of approaches.” However, Wright notes that there is no single solution to the range of security issues that exist.
“Rather, modernization of the IT infrastructure and AI-based defense will at least level the playing field. The attackers always have the advantage, but we can change that by detecting and responding at machine speeds.”