While President Donald Trump keeps claiming with no evidence that computers were programmed to switch votes and alter the outcome of the election, he has so far said nothing about a real hack—launched by Russia’s foreign intelligence service—that experts call one of the widest, most sophisticated, and potentially most damaging in years.
The attack penetrated at least five U.S. government agencies and 18,000 other users of the Orion network management system, manufactured by a privately traded company called SolarWinds. Those five agencies—the departments of State, Homeland Security, Commerce, and Treasury, and the National Institutes of Health—are the only ones so far identified as victims of the hack, though there may have been others. (Ironically, one mission of Homeland Security is to protect the nation from cyberattacks.)
Jake Williams, principal consultant of Rendition InfoSec and a former official in the National Security Agency’s elite hacker unit, said Monday, in a YouTube video explaining the hack, that the system is used throughout the federal government, including the Defense Department, as well as many “heavy-hitter” private corporations—300,000 customers in all. “Who uses SolarWinds?” Williams asked. “A better question is ‘Who doesn’t use SolarWinds?’ ”
One of the customers that the Russians hacked was FireEye, and here they went a hack too far. Analysts at FireEye, one of Silicon Valley’s leading cybersecurity firms, detected the intrusion, analyzed it, and—in an act of unusual transparency—publicized everything they could find out about it.
The malware turns out to have been embedded in what appeared to be a software-update message from SolarWinds, sent through SolarWinds servers with a valid digital signature. This sort of attack—which is particularly pernicious because it makes users reluctant to download legitimate software updates—is known as a “software supply-chain attack.” This means the malware came not from any product made by SolarWinds but from a feature or component made by an outside source—a code, a digital library, or any number of other common suppliers—that the company used in making the product.
Williams said software supply-chain attacks are “ridiculously hard” to detect or, once detected, to trace. Russian and Chinese intelligence have launched a few of them in recent years. “I suspect,” Williams said, “we are going to see a lot more of them.”
The reason is that, in the past few years, companies and government agencies have become a lot better at basic cybersecurity. Therefore, more sophisticated hackers are beginning to intrude in ways that are harder to notice, even through messages, such as security-upgrade notices that seem legitimate—like burglars dressed in police uniforms.
Network management systems, such as SolarWinds’ Orion, are “juicy targets for hackers,” Williams said, because once a hacker gains access to their controls, he or she can monitor everything—servers, networks, workstations, and so forth—and, in some cases, make changes to all those things as well.
The Russian hackers in this case—members of a team known as APT29 or “Cozy Bear”—were sophisticated in another way. They didn’t pounce and start accessing or exfiltrating data right after the victim downloaded the malware. Instead they waited, in some cases for weeks or months, so that if the malware was detected, it would be very hard for an analyst to examine the logs and trace where or when it was inserted.
In a statement to the Federal Communications Commission, SolarWinds said that the malware was downloaded between March and June of this year. Yet it was detected only in recent weeks—and, at first, only by FireEye. For much of this time, the government agencies didn’t notice the intrusion at all.
According to Williams, one problem may be that network management systems tend to be installed and run by operations teams, not by security teams—and, therefore, security protocols may be more casually sidestepped.
SolarWinds and several other private companies have issued instructions to their users on how to eject this malware from their systems. Now the Trump administration—if not Trump himself—is taking action as well. On Monday, federal agencies were ordered to shut down all systems running on SolarWinds Orion software. On Tuesday, the National Security Council invoked Presidential Policy Directive No. 41, which establishes a “Cyber Unified Coordination Group” to “ensure continued unity of effort across the United States Government in response to a significant cyber incident.”
The directive, signed by President Barack Obama in July 2016, was invoked “fairly routinely” in the final months of his administration, according to a former official who took part in the process. But it has not been invoked during the Trump years until now. For all of Trump’s wailing about fictitious hacks that stole the election, he has been otherwise notably uncurious about the nation’s cybersecurity. In the spring of 2018, he abolished the position of a White House coordinator for governmentwide cybersecurity tasks. (The coordinator, Rob Joyce, the former chief of the NSA’s Tailored Access Operations, its elite hacker unit, returned to the NSA.) Just last month, Trump fired Christopher Krebs, the Department of Homeland Security’s top cybersecurity official. Krebs’ offense was to proclaim that the election, which had just taken place, was the most secure in recent history—contradicting Trump’s claims, which began even before the election took place, that it was riddled with fraud.
Trump has also downplayed, and at times disputed, the intelligence community’s unanimous conclusion—affirmed by a lengthy investigation conducted by the Republican-chaired Senate Intelligence Committee—that Russia has persistently tried to hack into U.S. government agencies and critical infrastructure.
Williams said in his YouTube broadcast Monday that, by revealing the nature and extent of the SolarWinds hack, FireEye dealt a major “blow” against Russian intelligence. However, he also warned that the hackers are very adaptive—and that when one road into a network is cut off, they’ll find another way in.