U.S. officials are deeply concerned about a massive and ongoing cyberattack targeting large companies and U.S. agencies, including the Treasury and Commerce Department. The Cybersecurity and Infrastructure Security Agency (CISA) called the attack a.
Cybersecurity experts believe that in March a well-organized group of hackers exploited a loophole in products developed by SolarWinds, an IT firm that provides technology software for government agencies and hundreds of large companies, including Microsoft which helped investigate and report the attack. By hacking SolarWinds, the attacker was able to access sensitive information and monitor the communications of dozens of companies and agencies that use the company's software, including the departments of Treasury, Commerce and Energy, as well as the Los Alamos National Laboratory, which .
Details about the hack are still emerging, but officials call it an "attack" because it was an overt action likely perpetrated by a nation-state. Experts like Nick Merrill, director of the Daylight cybersecurity lab at UC Berkeley, say the breach is more akin to "cyber-espionage" because the attackers monitored the communications of corporate and government officials for months.
While it's unknown if nuclear protocols were compromised, Merrill says this was a "sophisticated cyberattack," and "it is certainly possible that the attackers exploited other vulnerabilities that we do not yet know about."
Who was behind it?
In early December the same "highly sophisticated threat actor" is alleged to have purloined digital tools developed by the cyber-defense firm FireEye. FireEye detected the breach and alerted authorities, which helped lead to the discovery of intrusions into other companies and agencies.
Experts believe the attacks are related and perpetrated by a group known as "Cozy Bear," the code name used for the SVR, a wing of Russian intelligence linked to several including the and the Olympics in 2018.
Although President Trump downplayed the hack and suggested China could be responsible, Secretary of State Mike Pompeo said it's .
"This was a very significant effort, and I think it's the case that now we can say pretty clearly that it was the Russians that engaged in this activity," Pompeo said in an interview on the Mark Levin talk radio program.
On Monday, Attorney General William Barr agreed with Pompeo, stating that it "certainly appears to be the Russians."
Dmitry Peskov, a Kremlin spokesperson, denied Russian involvement in the hack. "Russia is not involved in such attacks, namely this one. We state this officially and firmly," he said, calling the accusations "absolutely baseless" and likely a result of "blind Russophobia."
How did they do it?
Digital forensic experts suspect the hackers compromised a tool called Orion, which centralizes network monitoring, and a service called NetLogon, which verifies login requests. They also breached Microsoft Office 365, a service used by a number of government agencies. Over 18,000 companies and agencies are confirmed to be impacted, and the number might be as high as 33,000.
The attack method was novel, says Bryson Bort, a former Army signals intelligence officer and advisor to the Army Cyber Institute, because it apparently didn't rely on traditional hacking methods like phishing — using a deceptive email or link to gain access — or a zero-day exploit, which takes advantage of a previously unknown software vulnerability to surreptitiously access private networks.
Instead, says Bort, hackers co-opted the software update process by inserting malicious code into the Solar Winds software before clients downloaded the latest version. "Then they spread out and used all kinds of different software to establish persistence" on the network. He added that even after the hack is investigated, there is "still the possibility [the attackers] remain cloaked on various systems for years."
Congressman Jim Himes, a Democrat who serves on the House Intelligence Committee, told CBSN, "It was a very cleverly designed hack because it used U.S. IP addresses, it used a U.S. company, Solar Winds, and therefore the usual people who sort of stand on the wall and look outward for attacks that come from abroad were fooled by there."
Neil Walsh, who runs cybersecurity for the United Nations Office on Drugs and Crime, says that subterfuge is common in cyberattacks and proper attribution could be murky for a long time.
"Attacks of this scale take time to understand, mitigate and attribute," Walsh explained. "Imagine that a burglar wanted to break into your home to steal your banking details. Instead of bashing the door down, over a period of months, they design and test a skeleton key for the lock on your house. Then they enter your house and work out that they can see everything. Then they make an invisibility cloak and wrap themselves in it."
How much damage was done?
The fallout could be equally difficult to predict, but experts fear the damage will be severe and far-reaching. "The scale," said Himes, "is massive."
In 2017 a group called EternalBlue, resulted in a virulent and potent strain of ransomware called NotPetya. Attackers used it to and government offices in Europe and , causing more than $10 billion in damage. At the time, it was considered in history., who were also linked to Russian intelligence, from the U.S. National Security Agency. Those cyber tools, known as
This attack is different, says Joel Benavides, the head of Global Legal at Redis Labs, but the repercussions could be broad. For example, these hackers were able to snoop on sensitive communications — including of top Treasury officials — exfiltrate data from restricted government databases, and swipe corporate intellectual property at an unprecedented scale.
"The tremendous economic, societal and military impact cannot be overemphasized," Benavides said. "Remediation costs, regulatory fines, and potential loss of trade secrets and industrial know-how will run into the billions of dollars."
Himes said, "We know that this hack managed to penetrate all sorts of networks. We just don't know things like did it get into particularly sensitive networks — that would be government national security networks, financial entities might have your account information that could be sent somewhere else where it could be misused."
The long term impact, Benavides added, might be that the attack "exposes weaknesses in our governmental cybersecurity infrastructure while driving further suspicion and eroding the public's trust of the very institutions that are meant to keep us all safe."