Russia’s SolarWinds hack is a historic mess

Normally, we use this space to round up the best stories from across the world of cybersecurity. This week we are making an exception, because there is really only one story: how Russia pulled off the biggest espionage hack on record.

The hack of the US IT management company SolarWinds began in March and came to light only when the perpetrators used that access to break into the cybersecurity firm FireEye, which first disclosed a breach on December 9. Since then, a cascading number of victims have been identified, including the US Departments of State, Homeland Security, Commerce, and Treasury, as well as the National Institutes of Health. The nature of the attack, and the painstaking care the hackers took to stay hidden, means it could be months or longer before the full extent of the damage is known. The impact is already devastating and underscores how ill-prepared the US was to defend against a known threat, and to respond to it. It is also ongoing.

And there is much more. Below we have gathered the most important SolarWinds stories so far from around the web. Click on the headlines to read them, and stay safe out there.

Reuters has broken several stories about the SolarWinds hack and its fallout, but this piece takes a step back to look at the company at the center of it. The IT management firm has hundreds of thousands of customers, including the roughly 18,000 who were exposed to Russia’s attack, who rely on it to monitor their networks and other services. Its security practices appear to have been lacking on several fronts, including the use of the password “solarwinds123” for its update server. (That is not suspected of being linked to the current attack, but … still.)

The Wall Street Journal this week shared new details about what happened inside FireEye earlier this month as it discovered and responded to its own compromise. The tip-off: an employee received an alert that someone had connected to the company’s VPN using their credentials from a new, unrecognized device. Over 100 FireEye employees were engaged in the response, which included combing through 50,000 lines of code to find any anomalies.

In recent years the United States has invested billions of dollars in Einstein, a system designed to detect digital intrusions. But because the SolarWinds hack was what is known as a supply chain attack, in which Russia compromised a trusted tool rather than getting in with known malware that signature-based detection could catch, Einstein failed spectacularly. The government cannot say it was not warned: a 2018 Government Accountability Office report recommended that federal defense agencies and systems take the supply chain threat more seriously.

This is a good question, and one that will take a long time to answer. This week Microsoft shared at least some initial findings: more than 40 of its customers were victims of Russia’s compromise. (Microsoft itself was also hacked as part of the campaign.) Of those 40-plus, nearly half were IT companies, while another 18 percent were government targets. Eighty percent were based in the United States. This is by no means a comprehensive look at the victims; there are likely many more than Microsoft has found so far. But it at least offers a hint of the geography and the categories involved, neither of which is particularly comforting.

Don’t take our word for how serious all this hacking is. Read Tom Bossert’s New York Times op-ed, in which the former homeland security adviser argues convincingly that “the magnitude of this ongoing attack is hard to overstate” and calls for a swift, decisive response in which “all elements of national power must be placed on the table.” (This is also a good time to mention that President Donald Trump has not mentioned the SolarWinds hack at all, not even once, not even a whisper. President-elect Joe Biden issued a statement vowing to impose “substantial costs on those responsible for such malicious attacks.”)
