‘THIS IS GOING TO BE A LONG RIDE’
Cyber attack on U.S. government poses ‘grave risk’
U.S. cyber officials warned that the massive espionage campaign unearthed this week posed a “grave risk” to the government, critical infrastructure and the private sector.
Microsoft also admitted late in the week that it had been hacked, making it the second tech company, after FireEye, to be caught up in what is quickly turning into the most sweeping cybersecurity crisis on record.
Microsoft notified more than 40 customers whose networks were further infiltrated by the hackers. Around 30 of those customers were in the U.S., it said, with the rest in Canada, Mexico, Belgium, Spain, Britain, Israel and the United Arab Emirates.
Some 18,000 businesses and government agencies — including the U.S. departments of Homeland Security, Treasury, Commerce and State — may have been exposed after downloading compromised software from SolarWinds, a Texas-based IT group. FireEye found the breach during an investigation into a hack of its own network.
A major challenge for investigators is determining which victims were the focus of a more targeted attack.
For those that were actually hacked, figuring out what the attackers did while inside their networks will be much more difficult. According to researchers and people familiar with the investigation, that access was in some cases lengthy and unfettered — as long as nine months — and was carried out by hackers able to pass themselves off as IT staff with legitimate reasons to be moving around networks of thousands of workstations.
Cybersecurity research firm BitSight Technologies analyzed 260,000 organizations across 24 sectors to determine the prevalence of SolarWinds's Orion software, and found that at least 14 per cent of Fortune 1000 companies use Orion.
Moscow-based cybersecurity firm Kaspersky has released a script that decodes the DNS queries the implanted backdoor sent to the attackers' infrastructure; the decoded records show which of the thousands of available back doors the hackers chose to activate, said Kaspersky researcher Igor Kuznetsov.
“Most of the time these back doors are just sleeping,” he said. “But this is when the real hack begins.”
Kaspersky records show that the backdoors at Cox Communications and the municipal governments of Austin, Tex., and Pima County, Ariz., were activated in June and July this year, the peak of the hacking activity so far identified.
“This is going to be a long ride,” said Dmitri Alperovitch, co-founder and former chief technology officer of cybersecurity company CrowdStrike Inc. and now chairman of the Silverado Policy Accelerator. “We may never know the full scope of what happened here.”
Investigators are not just looking for malware, which automated tools can detect in many cases, according to an intelligence community contractor working on multiple investigations related to the incident. Rather, the fear is that the attackers could have made small changes to firewalls, network switches or other sensitive equipment that they could use to regain access in future. Finding those changes may require manually reviewing each device, the contractor said, describing this manual hunt for evidence as “hell.”
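One way to narrow that hunt is to compare each device's current running configuration against an export taken before the exposure window and report only the lines that changed. The script below is an added example, not code from the article or from any vendor tool; the device name, the two configuration exports and the "volatile" line patterns (timestamp lines that change on every export and would otherwise drown the diff in noise) are constructed for illustration and assume a Cisco-IOS-style config format.

```python
"""Flag configuration drift on a network device against a known-good baseline.

Added example. Assumes text exports of the device's running configuration
from before the exposure window (baseline) and from now (current). All
device data below is constructed, not taken from a real incident.
"""
import difflib
import re

# Lines that legitimately change on every export and must not count as drift.
# These patterns are assumptions for a Cisco-IOS-style config; adjust per platform.
VOLATILE = [
    re.compile(r"^! Last configuration change"),
    re.compile(r"^! NVRAM config last updated"),
    re.compile(r"^ntp clock-period"),
]


def normalize(config_text):
    """Drop blank and volatile lines and trailing whitespace so only settings remain."""
    lines = []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if any(p.match(line) for p in VOLATILE):
            continue
        lines.append(line)
    return lines


def config_drift(baseline_text, current_text):
    """Return (added, removed): lines present in one config but not the other.

    A set difference is order-insensitive, so a new ACL entry, a new local
    user or a removed logging target is caught wherever it was spliced in.
    """
    base = set(normalize(baseline_text))
    cur = set(normalize(current_text))
    return sorted(cur - base), sorted(base - cur)


def unified_diff(baseline_text, current_text, name="device"):
    """Analyst-readable diff with volatile lines already removed."""
    return "\n".join(difflib.unified_diff(
        normalize(baseline_text), normalize(current_text),
        fromfile=f"{name}.baseline", tofile=f"{name}.current", lineterm=""))


# Constructed sample exports (hypothetical device, placeholder secrets).
BASELINE = """\
! Last configuration change at 03:14:07 UTC Mon Mar 2 2020
hostname edge-fw-01
username admin privilege 15 secret 5 $1$abcd$placeholder
ip access-list extended MGMT-IN
 permit tcp 10.0.10.0 0.0.0.255 any eq 22
 deny ip any any log
logging host 10.0.20.5
"""

CURRENT = """\
! Last configuration change at 22:41:55 UTC Sat Jul 11 2020
hostname edge-fw-01
username admin privilege 15 secret 5 $1$abcd$placeholder
username svc_backup privilege 15 secret 5 $1$zzzz$placeholder
ip access-list extended MGMT-IN
 permit tcp 10.0.10.0 0.0.0.255 any eq 22
 permit tcp host 203.0.113.77 any eq 22
 deny ip any any log
"""

if __name__ == "__main__":
    added, removed = config_drift(BASELINE, CURRENT)
    print("added:", added)      # new local user and a new management-plane ACL permit
    print("removed:", removed)  # the remote syslog target was dropped
    print(unified_diff(BASELINE, CURRENT, "edge-fw-01"))
```

On the constructed sample the timestamp difference is ignored, and what remains is exactly the kind of small, persistence-friendly change the contractor describes: an extra privileged account, an ACL permit for an outside address, and a removed logging target. The same function can be run over every device's export pair in a loop; the baseline must come from a trusted source (a pre-incident backup or a configuration-management repository), since an export taken after the intrusion would already contain the attacker's changes.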
The U.S. said it had seen no evidence so far that the attack had any impact on national security functions, including the National Nuclear Security Administration. But National Security Advisor Robert O'Brien cut short a European trip this week to rush back to Washington to help manage the crisis.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said the hackers had also gained access to systems using means other than the SolarWinds software.
The agency cited a report published by cybersecurity firm Volexity detailing attacks by the same hackers against an unnamed U.S. think-tank, including one that used a new technique to bypass multi-factor authentication.
FireEye, SolarWinds and some U.S. officials have blamed “nation-state” hackers for the breach. Cybersecurity experts, plus several politicians, have singled out Russian intelligence as the culprit, although Russia has strongly denied any involvement, saying in a statement on Dec. 14 that it “does not conduct offensive operations in the cyber domain.”
“Today's classified briefing on Russia's cyber attack left me deeply alarmed, in fact downright scared,” Richard Blumenthal, Democratic senator from Connecticut, wrote on Twitter. “Americans deserve to know what's going on. Declassify what's known & unknown.”