The Daily Telegraph

How Solarwinds raid blew through US defences

Russian hackers have dealt America its worst cyberspace defeat in a decade, sending shock waves across the industry, writes Matthew Field

It was a tiny slip-up from the hackers that gave them away. Intruders who had been covertly investigating the IT systems of Fireeye, a Silicon Valley cyber security company, attempted to register a new computer into the network.

That pinged Fireeye’s security team, who quickly realised they had been under sustained attack by an unknown assailant.

The misstep from the hackers, alleged by US officials to be a Russia-backed group, has revealed a sweeping, months-long campaign of cyber espionage.

The attack has quickly been labelled by those in the industry and former spooks as the most devastating defeat in cyberspace for the US in years.

The espionage has sent shock waves through the cyber security world and even led to claims from one US senator that it was “virtually a declaration of war”.

Fireeye confirmed it had come under attack on Dec 7. The hackers had snooped on its systems and made off with its “red team” hacking tools, software designed specifically to probe company defences for weaknesses. But the attack was still unravelling. During their investigation, Fireeye experts realised the malware used to infiltrate their network was just one part of a far broader campaign.

The backdoor had been implanted by hackers in software from a Texas company called Solarwinds. Its Orion software is used by tens of thousands of companies for network management and monitoring. At least 18,000 of them downloaded the compromised software, Solarwinds said last week.

Clients of Solarwinds included banks, corporates, weapons testing facilities, the Pentagon, dozens of US government departments including its nuclear agency – and the NHS.

The malware, Solarwinds revealed in a market announcement on Dec 13, had been present for up to nine months. “It will go down as one of the most important attacks ever carried out against the US,” says one security source. The malware blamed for the attack was first inserted into Solarwinds’ Orion software in an update sent to clients in March, although the hackers are believed to have been probing Solarwinds for far longer. The Orion update contained a “trojan” named Sunburst by Fireeye researchers. After lying dormant for two weeks, undetected in its host, the trojan contacts an internet domain used by the attackers, allowing them access to the system.
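The dormancy described above is what makes a first-seen-destination check useful to defenders: a management server's outbound lookups in the days after an update form a baseline, and a domain it resolves for the first time weeks later stands out. The following Python script is an added illustration of that check; it is not from the article and not Fireeye's or Solarwinds' code. Every host name, domain (including the obviously placeholder `placeholder-c2.example`) and timestamp is constructed sample data, and the install-time table is assumed to come from an asset inventory.

```python
"""
First-seen outbound destination check for a network-management host.

Added illustration (not from the article, not vendor code): build a baseline
of the domains a monitored server resolves in the days after a software
update, then report any domain it first contacts after that window closes.
All hosts, domains and timestamps are constructed sample data.
"""
from datetime import datetime, timedelta

# Constructed DNS log entries: (ISO timestamp, source host, queried domain)
SAMPLE_DNS_LOG = [
    ("2020-03-02T09:00:00", "orion-mgmt-01", "downloads.vendor.example"),
    ("2020-03-02T09:05:00", "orion-mgmt-01", "ntp.corp.example"),
    ("2020-03-03T11:20:00", "orion-mgmt-01", "downloads.vendor.example"),
    ("2020-03-04T08:45:00", "orion-mgmt-01", "ntp.corp.example"),
    ("2020-03-10T02:00:00", "orion-mgmt-01", "ntp.corp.example"),
    # about two weeks after the update: a domain this host has never resolved
    ("2020-03-16T03:14:00", "orion-mgmt-01", "xk2f9.placeholder-c2.example"),
    ("2020-03-16T03:20:00", "orion-mgmt-01", "ntp.corp.example"),
    # a workstation's new domain is outside the scope of this check
    ("2020-03-16T10:00:00", "ws-0042", "news.site.example"),
]

# Constructed: when the update was installed on each monitored host
# (in practice this would come from an asset inventory or change record)
UPDATE_INSTALLED = {"orion-mgmt-01": "2020-03-02T08:30:00"}


def _parse(ts):
    return datetime.fromisoformat(ts)


def build_baseline(log, install_times, baseline_days=7):
    """Return {host: set(domains)} resolved within baseline_days of the update."""
    baseline = {host: set() for host in install_times}
    for ts, host, domain in log:
        if host not in install_times:
            continue
        start = _parse(install_times[host])
        if start <= _parse(ts) <= start + timedelta(days=baseline_days):
            baseline[host].add(domain)
    return baseline


def find_new_destinations(log, install_times, baseline_days=7):
    """Return (host, first_seen_timestamp, domain) for every domain a monitored
    host first resolves only after its post-update baseline window has closed."""
    baseline = build_baseline(log, install_times, baseline_days)
    seen = {host: set(domains) for host, domains in baseline.items()}
    findings = []
    # ISO-8601 timestamps sort correctly as strings
    for ts, host, domain in sorted(log, key=lambda entry: entry[0]):
        if host not in install_times:
            continue
        window_end = _parse(install_times[host]) + timedelta(days=baseline_days)
        if _parse(ts) > window_end and domain not in seen[host]:
            findings.append((host, ts, domain))
            seen[host].add(domain)  # report each new destination once
    return findings


if __name__ == "__main__":
    for host, ts, domain in find_new_destinations(SAMPLE_DNS_LOG, UPDATE_INSTALLED):
        print(f"{ts} {host} first contact with new destination: {domain}")
```

The check deliberately scopes itself to hosts in the install table: a monitoring server has a far narrower set of legitimate destinations than a workstation, so a first-seen domain there is worth an analyst's time, whereas the same rule applied fleet-wide would drown in noise.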

So subtle was the attack that tech giants including Microsoft and Cisco have since uncovered the backdoor in their own systems. The Sunday Telegraph last weekend also revealed consulting giant Deloitte had unwittingly downloaded the backdoor.

The attack contains just about every buzzword normally dismissed as hype by security researchers, but in this case they are well deserved: a “highly sophisticated, nation-state, manually loaded supply-chain attack”.

“It is an overused term, but it was a very sophisticated attack,” says Alan Woodward, a cybersecurity expert and visiting professor at the University of Surrey. “People are saying how did no one notice? It was done very deliberately. Anti-virus software would ignore it and they rode in on an update. This is someone who really wanted to get into these places.”

The Solarwinds attack has sent US government departments scrambling. Security officials ordered civil servants to “power down” software running Solarwinds Orion, neutering swathes of federal IT.

It has also led to a dispute at the highest level of the US government. Over the weekend, Mike Pompeo, the US secretary of state, was contradicted by President Donald Trump. Pompeo had blamed the hack on Russia, but Trump used it to fuel his theory that the US election was rigged.

Trump tweeted: “Russia, Russia, Russia is the priority chant when anything happens … it may be China … there could also have been a hit on our ridiculous voting machines during the election, which it is now obvious that I won big.”

Whatever the origin of the attack, the disruption and political infighting are an added bonus on top of whatever data the hackers were able to exfiltrate.

Woodward notes the hackers were able to trick multiple software systems, allowing them to crack into emails, once they were inside a US department network. “It was a series of hacks – this was something you saved for really special occasions.” The beauty of attacking Solarwinds is that its technology, which is essentially a “pane of glass” that lets companies check multiple bits of their network at once, was used so extensively.

While the US has ordered departments to immediately cut off Solarwinds technology, the UK’s response has been more circumspect. GCHQ’s National Cyber Security Centre has told departments to patch and update the affected software and it is understood officials believe only a handful of UK companies have been hit.

“One thing with the response is you don’t want to make things worse,” says Robert Pritchard, a former government cybersecurity adviser, noting that turning off all the affected software could cause more chaos behind the scenes. “People aren’t running around thinking the lights are going to be turned off.”

That, however, is not the response from the US. The extent of the surveillance of the US government has led to the hack dominating headlines over the last seven days. “The public will probably never know the extent and amount that was exfiltrated,” says Marcus Murray, a researcher at Trusec. US politicians have also ramped up the rhetoric around the attack and have called for reprisals. Dick Durbin, a Democratic senator, alleged the attack amounted to a “declaration of war”, while Richard Blumenthal demanded the US “make the attacker pay the price”.

Even Microsoft, itself affected in the hack, called for action. Brad Smith of Microsoft said it “is not espionage as usual … it is an act of recklessness” and called for a “reckoning”. He added there should be new international rules for cyberspace.

But this school of thought is not followed by all cyber experts, particularly in the UK.

“To put it mildly, we are very far away from an acceptance that this breach is something more than a very large scale espionage – and certainly there is no consensus that this is a breach of expected international behaviour in cyberspace,” says Ciaran Martin, the former director of the UK’s NCSC and now a professor at Oxford University’s Blavatnik school. “The question is, if we had the sort of clear rules that have been talked about, which one would have been violated?”

As the dust settles on the Solarwinds attack, many unknowns remain. It emerged this weekend that there was a second vulnerability in Solarwinds’ software. Microsoft believes this may have been developed by a second attacker.

Cyber security engineers at thousands of companies were also left with the unenviable task of unpicking the impact of the backdoor on their own systems over Christmas to see if they were hit too.

It is thought only 200 or so companies were hit with further spyware by the hackers, who one source said were only a small team of researchers and coders.

Murray, of Trusec, adds that the challenge of uncovering the full extent of the hack is compounded by the hackers’ efforts to “cover their tracks”.

The Kremlin has repeatedly denied any involvement in the Solarwinds breach. Multiple security engineers and former security officials told The Telegraph a Russian group was likely involved. Some reports have attributed the hack to the suspected Russia-linked group Cozy Bear.

Whoever the true culprit is, the disorder caused by the attack will have played into the hands of rivals to US spy agencies around the world.

On Sunday, President Vladimir Putin – a former KGB agent – addressed Russia’s security officials in a statement praising their ongoing work. “I rate very highly difficult professional operations that have been conducted,” he said, adding, “I know what I am talking about here.”
