A massive cyber‑espionage effort, believed to be led by the Russian government, has targeted both private companies and federal agencies, including the Treasury, the Department of Commerce, the Department of Homeland Security, the State Department, and the National Institutes of Health (NIH). Although Russia has denied any involvement, cyber‑security experts believe that the Russian foreign intelligence service, the SVR, is behind the attack.
How Did the Attack Happen?
A joint statement released by a group of federal agencies, including the FBI and the National Security Agency, confirmed that the attack was connected to APT29, also known as Cozy Bear, a group of state‑sponsored hackers working with the SVR. The hackers infiltrated systems in the private and public sectors by inserting malicious code into a legitimate, digitally signed software update for SolarWinds’s Orion platform. Because the update arrived through the vendor’s normal distribution channel and carried the vendor’s signature, customers installed it as a trusted patch, and the added code gave the hackers a back door into the software. The back door lay dormant on most installations; the hackers used it to pick and choose which of the many affected organizations they would enter and pursue further.
Many government agencies and thousands of companies around the world use SolarWinds’s Orion software to monitor their networks. In December 2020, SolarWinds reported that approximately 18,000 customers may have installed the compromised update. The company also said that the breach was due to a “highly‑sophisticated, targeted … attack by a nation state,” and traced the malicious code to Orion updates released between March and June of the same year. This announcement came within a day of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency issuing an emergency directive (Emergency Directive 21‑01) ordering all federal agencies to immediately disconnect affected Orion products from their networks.
Why Is This Breach a Big Deal?
Because of how stealthy the breach was, the attackers were able to spy on government agencies and other companies for at least nine months. The hackers took advantage of the widespread trust associated with SolarWinds and their products in order to carry out their attack.
By attacking the SolarWinds supply chain directly, rather than targeting individual federal agencies or companies, the hackers were able to reach thousands of systems through one compromised software update. Yet they used that access selectively: only a small subset of the organizations running the back door were singled out for follow‑on activity, which indicates that the attackers were going after high‑profile targets, focusing on quality over quantity.
Microsoft and cyber‑security firm FireEye, which were both affected by the malware, have been investigating the cyber attack. Although Microsoft did not find evidence that the malware accessed their services or customer data, FireEye discovered that the proprietary hacking tools it uses to test clients’ cyber security were stolen. They even noted that the attack used some of the best operational security they have ever seen in a cyber attack, “focusing on evasion and leveraging inherent trust.”
Although data breaches have been in the news cycle many times, this cyber attack is even more impressive (if you can call it that) because it combines sophisticated hacking with the classic stealth of political espionage. By using SolarWinds as a vector of attack, the hackers were able to breach organizations in government, consulting, technology, and telecommunications in North America, Europe, Asia, and the Middle East.
Through its investigation, Microsoft found that, once inside a victim’s network, the hackers went after the organization’s identity infrastructure: by stealing the key used to sign authentication tokens and adding their own credentials to trusted applications, they could forge tokens and “impersonate any of the organization’s existing users and accounts, including highly privileged accounts.” That access in turn let them read email and other data in the organization’s cloud services. Russian foreign intelligence has also been linked to attempts to steal coronavirus vaccine research from the United States last summer.
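The following script is an added illustration of why a stolen token‑signing key is so damaging; it is not code from the original article, from SolarWinds, or from Microsoft’s incident reports. It models an identity provider that signs authentication tokens with a secret key (a plain HMAC stands in for the XML signature on a SAML assertion) and a service that trusts those tokens. The keys, account names, and claim layout are all constructed for the demo. The point it shows is that a service verifying a token cannot tell a forged one from a genuine one once the attacker holds the key, so the only real remedies are protecting the key, rotating it after a compromise, and enforcing policy checks (such as maximum token lifetime) that forged tokens often violate.

```python
"""Token forgery with a stolen signing key, in miniature.

Constructed example: HMAC-SHA256 over a JSON claim set stands in for a
signed SAML assertion. A relying service that trusts the signing key will
accept any token minted with it, whoever minted it.
"""
import base64
import hashlib
import hmac
import json

# Constructed keys for the demo only. A real identity provider's signing key
# would live in an HSM, or at the very least never leave the signing host.
IDP_KEY = b"constructed-idp-signing-key-do-not-reuse"
ROTATED_KEY = b"constructed-key-issued-after-the-incident"

MAX_TOKEN_LIFETIME = 3600  # seconds; the policy the verifying service enforces


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(key: bytes, claims: dict) -> str:
    """Mint a token: base64url(JSON claims) + "." + base64url(HMAC tag)."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return f"{_b64url(body)}.{_b64url(tag)}"


def verify_token(trusted_key: bytes, token: str, now: int,
                 max_lifetime: int = MAX_TOKEN_LIFETIME):
    """Return the claims if the token is valid under trusted_key, else None."""
    try:
        body_b64, tag_b64 = token.split(".")
        body = _unb64url(body_b64)
        tag = _unb64url(tag_b64)
    except ValueError:
        return None
    expected = hmac.new(trusted_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # signed with a different key, or claims tampered with
    claims = json.loads(body)
    if not claims["iat"] <= now < claims["exp"]:
        return None  # not yet valid, or expired
    if claims["exp"] - claims["iat"] > max_lifetime:
        return None  # lifetime exceeds policy: a common tell of a forged token
    return claims


def issue(key: bytes, subject: str, role: str, now: int, lifetime: int = 900) -> str:
    """What the identity provider does for a real login; an attacker holding
    the same key can call exactly the same routine for any subject."""
    return sign_token(key, {"iss": "idp.example", "sub": subject, "role": role,
                            "iat": now, "exp": now + lifetime})


def demo() -> dict:
    now = 1_700_000_000  # fixed clock so the run is reproducible
    alice = issue(IDP_KEY, "alice", "user", now)
    # Attacker has exfiltrated IDP_KEY and mints a token for the global admin.
    forged = issue(IDP_KEY, "global-admin", "global_admin", now)
    # Same attacker, but greedy: a token that stays valid for a year.
    forged_long_lived = issue(IDP_KEY, "global-admin", "global_admin", now,
                              lifetime=365 * 86400)
    return {
        # Both verify: the service sees two equally valid signatures.
        "legit": verify_token(IDP_KEY, alice, now),
        "forged": verify_token(IDP_KEY, forged, now),
        # After the key is rotated, every token signed with the old key fails.
        "forged_after_rotation": verify_token(ROTATED_KEY, forged, now),
        # The lifetime policy catches the over-long forgery even under the old key.
        "forged_long_lived": verify_token(IDP_KEY, forged_long_lived, now),
    }


if __name__ == "__main__":
    for name, claims in demo().items():
        outcome = f"accepted as {claims['sub']}" if claims else "rejected"
        print(f"{name:>22}: {outcome}")
```

Running it prints that both the genuine and the forged token are accepted, and that only key rotation or the lifetime policy rejects the forgery. In a real environment the equivalent of `ROTATED_KEY` is re‑issuing the token‑signing certificate, and the equivalent of the lifetime check is reviewing identity‑provider logs for tokens whose claims or validity periods the provider never actually issued.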
Have We Seen an Attack from Russia Like This Before?
In 2014 and 2015, the same group of hackers targeted thousands of organizations and infiltrated the unclassified email systems of the White House, the Pentagon’s Joint Chiefs of Staff, and the State Department in an attack that was much more aggressive than past attempts.
At the time, however, the Obama administration considered the breach to be “traditional espionage,” which focuses more on information collection in order to understand political motivations. Because the United States also participates in this type of espionage, the White House did not implement sanctions against Russia and instead focused on improving cyber‑security defenses.
The Russian military intelligence unit, the GRU, led the attack that targeted the US presidential election in 2016 by compromising state election systems, spreading fake news on social media, and breaching private email servers. Unlike the SVR’s espionage campaigns, that operation was aimed at spreading disinformation online and interfering in American politics, not at quietly collecting intelligence.
What Happens Next?
Since disclosing the breach, SolarWinds has been cooperating with the FBI and other intelligence agencies to investigate the malware and its effects further.
While stealthy cyber attacks like this don’t focus on stealing large amounts of data at once, the risk is that this type of breach can remain hidden for months, or even years, collecting data the whole time. This breach lasted for over nine months, a period that coincided with the rapid development of COVID‑19 vaccines and with the presidential and congressional elections in the United States.
Because this operation is most likely another case of traditional espionage that all major nations engage in, it hasn’t been very disruptive, especially compared to the other major Russian attack in 2016. However, this data breach serves as an excellent reminder to practice good cyber‑security hygiene. To protect yourself and your organization from being compromised, I recommend that you:
- Regularly update your software on all your devices.
- Install a virtual private network (VPN) to secure your data and protect your identity while browsing the Internet.
- Use different and unique passwords for all your accounts.
- Set up multifactor authentication on all accounts.
- Educate yourself about phishing scams.
- Collaborate with your IT team to develop up‑to‑date security training for your employees.