Here’s what we know – and don’t know – about the alleged Russian hack

US officials are deeply concerned about a massive and ongoing cyber attack targeting large US companies and agencies, including the Treasury and Commerce Departments. The Cybersecurity and Infrastructure Security Agency (CISA) called the attack a “serious risk” to national security.

Cybersecurity experts believe that in March, a well-organized group of hackers exploited a weakness in products developed by SolarWinds, an IT firm that provides network management software to government agencies and hundreds of large companies, including Microsoft, which helped investigate and report the attack. By compromising SolarWinds, the attackers were able to access sensitive information and monitor the communications of dozens of companies and agencies that use the company’s software, including the Treasury, Commerce and Energy Departments and the Los Alamos National Laboratory, which oversees nuclear weapons.

Details about the hack are still emerging, but officials call it an “attack” because it was a deliberate action, probably carried out by a nation state. Experts such as Nick Merrill, director of UC Berkeley’s Daylight cybersecurity lab, say the breach is more like “cyber espionage” because the attackers have been monitoring the communications of corporate and government officials for months.

Although it is not known whether nuclear protocols were compromised, Merrill says it was a “sophisticated cyber attack” and “it is certainly possible that the attackers exploited other vulnerabilities that we do not yet know about.”

Who was behind it?

In early December, the same “extremely sophisticated threat actor” allegedly stole digital tools developed by the cyber defense company FireEye. FireEye detected the breach and alerted the authorities, which helped uncover the intrusions into other companies and agencies.

Experts believe the attacks are linked and were carried out by a group known as “Cozy Bear”, the code name used for the SVR, a Russian intelligence agency linked to several recent high-profile hacks, including the Democratic National Committee in 2016 and the 2018 Olympics.

Although President Trump downplayed the hack and suggested that China could be responsible, Secretary of State Mike Pompeo said it is “quite clearly” Russia that is to blame.

“This was a very significant effort and I think it is appropriate that we can now say quite clearly that the Russians were the ones who engaged in this activity,” Pompeo said in an interview on Mark Levin’s talk show.

On Monday, Attorney General William Barr agreed with Pompeo, saying it “certainly looks like the Russians.”

Dmitry Peskov, a Kremlin spokesman, denied Russia’s involvement in the hack. “Russia is not involved in such attacks, namely in this case. We state this officially and firmly,” he said, calling the allegations “absolutely unfounded” and probably a result of “blind Russophobia.”

How did they do it?

Digital forensic experts suspect that the hackers compromised a tool called Orion, which centralizes network monitoring, and a service called Netlogon, which validates logon requests. They also compromised Microsoft Office 365, a service used by several government agencies. More than 18,000 companies and agencies are confirmed to be affected, and the number could reach 33,000.

The method of attack was new, says Bryson Bort, a former military intelligence officer and adviser to the Army Cyber Institute, because it appears not to have relied on traditional hacking methods, such as phishing (using a deceptive email or link to gain access) or zero-day exploitation, which takes advantage of a previously unknown software vulnerability to get into private networks.

Instead, Bort says, the hackers co-opted the software update process by inserting malicious code into SolarWinds software before customers downloaded the latest version. “Then they spread and used all sorts of different software to establish persistence” in the network. He added that even after the hack is investigated, there is “still the possibility [the attackers] remain wrapped around various systems for years.”
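The paragraph above describes a trojaned update: the package customers downloaded already carried the malicious code, so the usual perimeter checks saw nothing unusual. The defender-side lesson is that an update has to be checked against something the vendor’s download channel cannot alter. The Python below is an added example, not code from the article or from SolarWinds; the “update package” bytes are constructed, the pinned digest is assumed to have been obtained out of band (a signed release manifest, a vendor advisory), and the “independent build” stands in for a reproducible rebuild of the audited source. The first check catches a package modified in transit or on a mirror; the second catches a package that was altered inside the vendor’s own build pipeline, where the published digest would match the trojaned file.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample "update package" standing in for a vendor installer.
CLEAN_UPDATE = b"NETMON-AGENT v2020.2 release payload bytes " * 8

# Constructed tampered copy: a few bytes inserted mid-file, simulating code
# injected into the package before customers downloaded it.
TAMPERED_UPDATE = CLEAN_UPDATE[:40] + b"<injected-stage>" + CLEAN_UPDATE[40:]


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of an artifact as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def verify_update(artifact: bytes,
                  pinned_digest: str,
                  independent_build: Optional[bytes] = None) -> dict:
    """Gate an update before installation.

    pinned_digest     -- expected SHA-256, obtained out of band (assumed).
    independent_build -- bytes of a reproducible rebuild from audited
                         source, if one is available (assumed).
    Returns a verdict dict; 'accept' is True only when every available
    check passes.
    """
    actual = sha256_hex(artifact)
    # compare_digest avoids timing side channels on the comparison itself.
    pinned_ok = hmac.compare_digest(actual, pinned_digest.lower())

    reproducible_ok = None  # None means the check was not available
    if independent_build is not None:
        reproducible_ok = hmac.compare_digest(actual, sha256_hex(independent_build))

    return {
        "actual_digest": actual,
        "pinned_digest_ok": pinned_ok,
        "reproducible_ok": reproducible_ok,
        # A missing reproducibility check does not fail the gate; a failed
        # one does, even if the vendor-published digest matched.
        "accept": pinned_ok and reproducible_ok is not False,
    }


def run_demo() -> list:
    """Three scenarios: clean package, tampered in transit, tampered at the vendor."""
    clean_digest = sha256_hex(CLEAN_UPDATE)
    return [
        # 1. Untouched package, both checks available.
        verify_update(CLEAN_UPDATE, clean_digest, CLEAN_UPDATE),
        # 2. Modified after release: digest no longer matches the pinned value.
        verify_update(TAMPERED_UPDATE, clean_digest),
        # 3. Modified inside the build pipeline: the vendor's published digest
        #    matches the trojaned file, only the independent rebuild disagrees.
        verify_update(TAMPERED_UPDATE, sha256_hex(TAMPERED_UPDATE), CLEAN_UPDATE),
    ]


if __name__ == "__main__":
    for i, verdict in enumerate(run_demo(), 1):
        print(f"scenario {i}: accept={verdict['accept']} "
              f"pinned_ok={verdict['pinned_digest_ok']} "
              f"reproducible_ok={verdict['reproducible_ok']}")
```

Scenario 3 is the one that matters for a build-pipeline compromise: a digest check alone reports success, because the digest was computed over the already-trojaned file. Only an artifact built independently from reviewed source gives the comparison something the vendor’s pipeline did not produce.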

Congressman Jim Himes, a Democrat on the House Intelligence Committee, told CBSN: “It was a very clever hack because it used US IP addresses, it used an American company, SolarWinds, and therefore the ordinary people who, in a sense, stand on the wall and look outward, because attacks come from abroad, were fooled.”

Neil Walsh, who heads cybersecurity for the United Nations Office on Drugs and Crime, says such subterfuge is common in cyber attacks and that proper attribution could take a long time.

“Attacks on this scale take time to understand, mitigate and attribute,” Walsh explained. “Imagine that a burglar wanted to break into your house to steal your bank details. Instead of kicking the door down, over a period of months they design and test a skeleton key for the lock on your home. Then they enter your house, pretend to be you and can see everything. Then they make a cloak of invisibility and wrap themselves in it.”

How much damage has been done?

The fallout may be just as difficult to predict, but experts fear the damage will be severe and far-reaching. “The scale,” said Himes, “is massive.”


In 2017 a group called the Shadow Brokers, which was also linked to the Russian secret services, stole and publicly released cyber weapons from the US National Security Agency. One of these tools, known as EternalBlue, was used in a virulent and powerful strain of ransomware called NotPetya. Attackers used it to paralyze major companies and government offices in Europe and across the globe, causing more than $10 billion in damage. At the time, it was considered the most devastating cyber attack in history.

This attack is different, says Joel Benavides, head of Global Legal at Redis Labs, but the repercussions could be wide. For example, these hackers have been able to read sensitive communications, exfiltrate data from restricted government databases, and steal corporate intellectual property on an unprecedented scale.

“The huge economic, social and military impact cannot be overstated,” Benavides said. “Remediation costs, regulatory fines and the potential loss of trade secrets and industry knowledge will reach billions of dollars.”

Himes said: “We know that this hack has managed to penetrate all kinds of networks. We just don’t know how far things got into particularly sensitive networks, such as government national security networks, or financial institutions that could have your account information, which could be sent elsewhere where it could be misused.”

The long-term impact, Benavides added, could be that the attack “reveals the weaknesses of our government cybersecurity infrastructure, while leading to suspicion and eroding public confidence in institutions that are meant to keep us all safe.”
