Security experts are 'freaking out' about how foreign hackers carried out the 'most pristine espionage effort' in modern history right under the US's nose

  • While US cybersecurity and intelligence officials trained their attention on securing the 2020 election, foreign hackers took the opportunity to wedge another door wide open, carrying out a devastating and unprecedented cyberattack.
  • US officials have tentatively attributed responsibility for the supply-chain attack, which targeted the software company SolarWinds, to a hacking group aligned with Russia's foreign intelligence service.
  • "This was a pristine espionage effort unlike anything we've seen in a very long time," said Karim Hijazi, a former intelligence community contractor. "Everyone in the cybersecurity community is freaking out, because we don't know where this could stop."
  • Security experts say the most alarming aspect is that officials are nowhere close to gauging the hack's full scope, who else may have been compromised, and what the attackers could have obtained.
  • "This could just be the tip of the iceberg," said Dave Aitel, the CTO of Immunity Inc. and a former NSA research scientist. "This could be an ongoing operation that never ends."
  • Visit Business Insider's homepage for more stories.

US intelligence and cybersecurity officials were unequivocal: the 2020 general election was safe and secure, and Americans could be confident in casting a ballot without worrying about the threat of foreign interference.

While public attention was trained on the election, hackers took the opportunity to wedge another door wide open, carrying out a devastating and months-long supply chain attack that could have exposed as many as 18,000 entities, and potentially more.

"The entire US government was very much focused, even hyper-focused, on securing the election," said David Kennedy, the CEO of TrustedSec and a former hacker for the National Security Agency. "So these are definitely opportunistic times for adversaries to say, 'Well, the focus right now is going to be on election systems. Let's go after things that we know are going to be beneficial for us for the next administration or for the foreseeable future that helps us from an intelligence perspective.' That's what nation states do. This is what cyber war is all about."

The hack targeted Orion, a type of network management software developed by the firm SolarWinds and distributed to thousands of clients. SolarWinds said a nation state was responsible for the hack and estimated that 18,000 Orion customers downloaded a malicious software update containing a backdoor that gave hackers access to their computer systems.

US officials have tentatively attributed the attack to Russian hackers, specifically the group Cozy Bear, which is linked to Russia's foreign intelligence arm. Former homeland security advisor Thomas Bossert also said in a New York Times op-ed that "evidence in the SolarWinds attack points to the Russian intelligence agency known as the SVR, whose tradecraft is among the most advanced in the world."

Russian government officials have denied responsibility, and there is some debate over whether another nation state was the culprit.

"Unlike terrorist activities where the attackers like to take credit, this was an espionage effort," said Karim Hijazi, the CEO of the cybersecurity firm Prevailion and a former intelligence community contractor. "With espionage, your main effort is to complete your objective with zero residual presence. It's not about gloating. This was a pristine espionage effort unlike anything we've seen in a very long time. That's what makes it so difficult to pin down one suspect."

'This could just be the tip of the iceberg'

At least three state governments and multiple federal agencies were hacked, including the Pentagon, intelligence agencies, the State Department, Commerce Department, Treasury Department, and the agency that manages the US's nuclear stockpile. The National Nuclear Security Administration said the attack was isolated to the business side of its network and did not affect critical infrastructure.

The Cybersecurity and Infrastructure Security Agency (CISA), the US's premier cyber arm, issued an urgent statement after news of the hack broke instructing all federal civilian agencies to uninstall SolarWinds products and inform CISA once they had, to prevent hackers from infiltrating more systems.

The most alarming aspect of the hack, however, is that officials are nowhere close to gauging its full scope. They don't know if it's still ongoing, who else may have been targeted, and what the hackers could have obtained.

"The real fear is what else may have been put into these environments subsequent to the SolarWinds hack, persistent malware that can go dormant and lay in wait until it's called upon later," Hijazi said. "And as long as it doesn't call out or do anything, no one's going to know it's there. That's the bigger scare."

Moreover, "because this was a supply chain and third party infiltration hack," meaning that the attackers breached systems through another trusted organization, "it's almost impossible to prevent," he added. "This adversary was so sophisticated and it was such a well orchestrated attempt to obfuscate their tactics and make themselves look benign, that this attack was fairly inevitable."

The cyberattack began when hackers infiltrated SolarWinds and injected malicious code into Orion by manipulating the code-signing process, which firms use to digitally sign a certificate ensuring that a product's code is authentic and has not been altered.

SolarWinds then unknowingly distributed the malware to its clients when it rolled out a series of software updates beginning in March. The attack was not detected until last week, when the cybersecurity giant FireEye learned it was hacked by a nation state "with top-tier offensive capabilities" and asked the FBI to investigate.

FireEye said hackers had stolen its offensive security tools that highlight an organization's vulnerabilities, known as red teaming tools. In the hands of a cybersecurity company, these are used to help an organization understand and address its weak points.

"But in the hands of an adversary, it's literally a can opener," Hijazi said. "These are tools they can use to get into other organizations, and we don't know if this was opportunistic on the part of the hackers or if it was their plan all along." 

In the days since the breach was discovered, national security advisor Robert O'Brien cut short an overseas trip and came back to the US to attend crisis meetings about the attack, a sign of how seriously the government is taking the matter.

The FBI, CISA, and the US intelligence community are all investigating it, and the White House and the House and Senate intelligence panels have been briefed on it. Republican and Democratic lawmakers have also requested information about if the IRS, which is housed within the Treasury Department, was infiltrated and whether personal taxpayer information was stolen.

"This could just be the tip of the iceberg," said Dave Aitel, the CTO of Immunity Inc. and a former NSA research scientist. "This could be an ongoing operation that never ends, because let's say as the attacker, you go from SolarWinds to Microsoft to Cisco to FireEye, and you make a big circle by the time your first injection point has been discovered. And there's so many huge companies running so much software, and we have no way to secure it. No one had a solution to preventing an attack like this, and here we are."

'Are you ever truly going to be able to get them out?'

Hijazi agreed, saying there could be a prolific and "dizzying chain effect" of the hack.

"This is why everyone in the cybersecurity community is freaking out, because we don't know where this could stop," he said. "If these hackers have been able to work over months, bouncing from one target to the next, that gets very serious. And the kinds of tools and access they can get in these environments can be as simple as a Trojan, or it could be complete and utter control of the administrative privileges of an organization. And no one would notice because the hackers could be acting like they're one of the employees of the company."

But Aitel was wary of drawing conclusions about the timing, scope, or motive of the hack given how little information officials have gleaned about it so far and how much is still unknown.

"Not only do we not know enough, but I don't think we have the strategic picture or analytics done to say what our next move should be from a countrywide perspective," he said. "We're also not the only country involved because our supply chains automatically reach every other country. And SolarWinds got unlucky, but they're not the only large enterprise management software out there that could get attacked like this."

Kennedy echoed that view, saying, "We still don't know the implications of what they were going after and their objectives. But believe me, the government is going to do a full investigation of what they were going after and the level of access they had and their overall motives, and there's going to be retaliation for that."

Regardless of whether there's any retaliation, Aitel said, the biggest question is whether the US will ever be able to recover from the attack.

"If you've given a top-notch hacking team access to your network for months, are you ever truly going to be able to get them out?" he said.

Source: Read Full Article