Experts who have been battling SolarWinds hackers say the cleanup could take months or more

WASHINGTON (Reuters) – Cybersecurity expert Steven Adair and his team were in the final stages of removing hackers from a think tank’s network earlier this year when a suspicious entry in the logs caught their attention.

FILE PHOTO: A SolarWinds sign is seen outside its headquarters in Austin, Texas, U.S., December 18, 2020. REUTERS/Sergio Flores/File Photo

Not only had the spies managed to return – a fairly common occurrence in the world of cyber incident response – but they had navigated directly to the client’s email system, bypassing the newly refreshed password protections as if they didn’t exist.

“Wow,” Adair recalled thinking in a recent interview. “These guys are smarter than the average bear.”

It wasn’t until last week that Adair’s Reston, Virginia-based company, Volexity, realized that the bears it had been fighting were the same set of advanced hackers that had compromised Texas-based software company SolarWinds.

Using a subverted version of the company’s software as a makeshift skeleton key, the hackers sneaked into parts of U.S. government networks, including the Treasury, Homeland Security, Commerce, Energy and State departments and other agencies.

When news of the hack broke, Adair immediately thought of the think tank, where his team had tracked one of the attempts to break into a SolarWinds server but never found the evidence it needed to pin down the precise point of entry or alert the company. Digital indicators released by cybersecurity company FireEye on December 13 confirmed that the think tank and SolarWinds had been hit by the same actor.

Senior U.S. officials and lawmakers have said Russia is to blame for the hacking, an accusation the Kremlin denies.

Adair – who spent about five years helping NASA defend against hacking threats before eventually founding Volexity – said he had mixed feelings about the episode. On the one hand, he was pleased that his team’s hunch about a SolarWinds connection had been correct. On the other hand, they had been on the brink of a much bigger story.

Much of the U.S. cybersecurity industry is now in the same position Volexity was in earlier this year: trying to work out where the hackers have been and to remove the various secret access points the hackers likely planted in their victims’ networks. Adair’s colleague Sean Koessel said the company is fielding about 10 calls a day from companies worried they might be targeted or that spies are already on their networks.

His advice to everyone else hunting the hackers: “Don’t leave any stone unturned.”

Koessel said the effort to uproot the hackers from the think tank – which he declined to identify – lasted from late 2019 to mid-2020 and involved two renewed bursts of hacker activity. Performing the same task across the U.S. government will probably be many times more difficult.

“I could easily see it taking half a year or more to figure it out – if not years for some of these organizations,” Koessel said.

Pano Yannakogeorgos, an associate professor at New York University who served as the founding dean of the Air Force Cyber College, also predicted a long timeline and said some networks would need to be ripped out and replaced wholesale.

Either way, he predicted a high price tag as caffeine-fueled experts are brought in to comb through digital logs for traces of the compromise.

“There is a lot of time, treasury, talent and Mountain Dew involved,” he said.

Reporting by Raphael Satter; Editing by Andrea Ricci