Cleaning up cyber hack may cost as much as $100 billion
WASHINGTON — American businesses and government agencies could be spending upward of $100 billion over many months to contain and fix the damage from the Russian hack against the SolarWinds software used by so many Fortune 500 companies and U.S. government departments.
“Unlike good wine, this case continues to get worse with age,” said Frank Cilluffo, director of Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security. “For a lot of folks, the more they dig, the worse the picture looks.”
Not only were at least four government departments targeted by the Kremlin hack — Commerce, Treasury, Homeland Security and Justice — but also thousands of top global corporations that were customers of SolarWinds, Cilluffo said. While government agencies appeared to be the primary targets, “it doesn’t mean the private sector isn’t affected as well,” he said.
The SolarWinds attack exposed 18,000 clients of the software management company after they downloaded and installed a tainted software update that was infected with malware. The breach occurred sometime between March and June of 2020 and wasn’t discovered until cybersecurity research firm FireEye, which was attacked separately, revealed the SolarWinds breach in early December.
After weeks of suggestions from former U.S. officials that the hack was the work of Russian intelligence services, the FBI, the Office of the Director of National Intelligence, and the Cybersecurity and Infrastructure Security Agency confirmed in a joint statement that it was indeed Moscow that was behind the attack.
The agencies said that the hack appeared to be “an intelligence gathering effort.” A much smaller number than the original 18,000 SolarWinds clients “has been compromised by follow-on activity on their systems,” the statement said.
Fewer than 10 U.S. agencies were potentially compromised by follow-on activity and the FBI and the intelligence agencies are “working to identify the nongovernment entities who also may be impacted,” the statement said.
While the initial intent of the attackers may primarily have been espionage, their motive could change, Cilluffo said: if the attackers are not fully eliminated from government and private company networks, they could choose to use their presence for more destructive purposes.
Finding and eliminating the adversaries’ presence on networks is likely to be a costly affair, one expert said.
“The reality is everybody is spending resources right now” on trying to figure out how far the hackers penetrated computer networks and how to get rid of them, said Jake Williams, a former National Security Agency hacker who is now the founder of Rendition Infosec LLC, a cybersecurity firm.
“The true cost could be hundreds of billions of dollars,” Williams said, when one considers the incident response cost for each breach multiplied by the 18,000 entities that fell victim.
Government agencies and private companies also have to figure out if the network breach led to any loss of data and whether they have to alert Congress and customers as required by law, Williams said.
Many private companies are discussing internally whether they should go public about being breached if there’s no evidence of any data being manipulated or stolen, Williams said. “There’s a lot of hand-wringing going on in the background, and companies don’t know what the next step is.”
Austin, Texas-based SolarWinds developed and supplied network management software that top U.S. government agencies and Fortune 500 companies used to monitor their own networks. On its now-deleted customer list page, SolarWinds claimed that its clients included 425 of the Fortune 500 companies, including Microsoft, Lockheed Martin and Ford Motor Co., as well as all “five branches of the U.S. military,” the Pentagon, Justice Department, State Department, and the “Office of the President of the United States.”
Large companies with enough resources are rebuilding their computer systems to ensure that any undetected presence of the attackers does not create future problems, but not every company has the wherewithal to do that, Williams said.
The challenge of detecting and removing the hackers’ presence is complicated by how long the attackers managed to remain undetected, said Steve Grobman, the chief technology officer at McAfee, a cybersecurity company.
Since the attack went undetected for months, it could have created “lots of opportunities (for the adversary) to go in many different directions,” Grobman said.
“It’s like knowing a burglar has been in your house, but you don’t really know what they took, so you have to go into every room, and inventory everything of value everywhere before you have confidence of knowing what the impact was,” Grobman said. “It’s far worse in the digital environment because there are so many places for an adversary to hide.”