It was a tiny slip-up from the hackers that gave them away. Intruders who had been covertly probing the IT systems of FireEye, a Silicon Valley cyber security company, attempted to register a new computer onto the network.
That pinged FireEye’s security team, who quickly realised they had been under sustained attack by an unknown assailant.
The misstep from the hackers, alleged to be a Russia-backed group by US officials, has revealed a sweeping, months-long campaign of cyber espionage.
The attack has quickly been labelled by those in the industry and former spooks as the most devastating defeat in cyberspace for the US in years.
The espionage has sent shock waves through the cyber security world and even led to claims from one US senator that it was “virtually a declaration of war”.
FireEye confirmed it had come under attack on December 7. The hackers had snooped on its systems and made off with its “red team” hacking tools, software designed specifically to probe company defences for weaknesses.
But the full scope of the attack was still unravelling.
‘They really wanted to get in’
During their investigation, FireEye experts realised the malware used to infiltrate their network was just one part of a far broader campaign.
The backdoor had been implanted by the hackers in software from a Texas company called SolarWinds. Its Orion software is used by tens of thousands of companies for network management and monitoring. At least 18,000 organisations downloaded the compromised software, SolarWinds said last week.
Clients of SolarWinds included banks, corporates, weapons testing facilities, the Pentagon, dozens of US government departments including its nuclear agency — and the NHS.
The malware, SolarWinds revealed in a market announcement on Dec 13, had been present for up to nine months. “It will go down as one of the most important attacks ever carried out against the US,” says one security source.
Texas company SolarWinds was unwittingly the source of a Russian backdoor
The malware blamed for the attack was first inserted into SolarWinds’ Orion software in an update sent to clients in March, although the hackers are believed to have been probing SolarWinds for far longer. The Orion update contained a “trojan” dubbed SunBurst by FireEye researchers.
After lying dormant for two weeks, undetected in its host, the trojan contacts an internet domain used by the attackers, allowing them access to the system.
So subtle was the attack that even tech giants including Microsoft and Cisco have since uncovered the backdoor in their own systems. The Telegraph this weekend also revealed that consulting giant Deloitte had unwittingly downloaded the backdoor.
The attack contains just about every buzzword normally dismissed as hype by security researchers, but in this case they are well-deserved: a “highly sophisticated, nation-state, manually-loaded supply-chain attack”.
“It is an overused term, but it was a very sophisticated attack,” says Alan Woodward, a cybersecurity expert and visiting professor at the University of Surrey. “People are saying how did no one notice? It was done very deliberately. Anti-virus software would ignore it and they rode in on an update. This is someone who really wanted to get into these places.”
The SolarWinds attack has sent US government departments scrambling. Security officials ordered civil servants to “power down” software running SolarWinds Orion, neutering swathes of federal IT.
It has also led to a dispute at the highest level of the US government. Over the weekend, Mike Pompeo, the US Secretary of State, was contradicted by President Trump. Pompeo had blamed the hack on Russia, but Trump used it to fuel his theory that the US election was rigged.
The Cyber Hack is far greater in the Fake News Media than in actuality. I have been fully briefed and everything is well under control. Russia, Russia, Russia is the priority chant when anything happens because Lamestream is, for mostly financial reasons, petrified of….
— Donald J. Trump (@realDonaldTrump) December 19, 2020
Trump tweeted: “Russia, Russia, Russia is the priority chant when anything happens… it may be China… there could also have been a hit on our ridiculous voting machines during the election, which it is now obvious that I won big.”
‘A special occasion’
Whatever the origin of the attack, the disruption and political infighting are an added bonus on top of whatever data the hackers were able to exfiltrate.
Woodward notes the hackers were able to trick multiple software systems, allowing them to crack into emails, once they were inside a US department network. “It was a series of hacks — this was something you saved for really special occasions.”
The beauty of attacking SolarWinds is that its technology, which is essentially a “pane of glass” that lets companies check multiple bits of their network at once, was used so extensively.
While the US has ordered departments to immediately cut off SolarWinds technology, the UK’s response has been more circumspect. GCHQ’s National Cyber Security Centre has told departments to patch and update the affected software and it is understood officials believe only a handful of UK companies have been hit.
“One thing with the response is you don’t want to make things worse,” says Robert Pritchard, a former government cybersecurity adviser, noting that turning off all the affected software could cause more chaos behind the scenes. “People aren’t running around thinking the lights are going to be turned off.”
That, however, is not the response from the US. The extent of the surveillance of the US government has led to the hack dominating headlines over the last seven days. “The public will probably never know the extent and amount that was exfiltrated,” says Marcus Murray, a researcher at TruSec.
Time for a reckoning
US politicians have also ramped up the rhetoric around the attack and have called for reprisals. Dick Durbin, a Democratic senator, alleged the attack amounted to a “declaration of war”, while Richard Blumenthal demanded the US “make the attacker pay the price”.
This massive cyberattack demands a massive response. Assess the damage, clean it up, secure systems, make the attacker pay a price, & more. So far, not a word from any responsible official. Right now come clean with the American people. https://t.co/RkALdzyJ3U
— Richard Blumenthal (@SenBlumenthal) December 17, 2020
Even Microsoft, itself affected in the hack, called for action. Brad Smith of Microsoft said it “is not espionage as usual … it is an act of recklessness” and called for a “reckoning”. He added that there should be new international rules for cyberspace.
But this school of thought is not followed by all cyber experts, particularly in the UK.
“To put it mildly, we are very far away from an acceptance that this breach is something more than a very large scale espionage — and certainly there is no consensus that this is a breach of expected international behaviour in cyberspace,” says Ciaran Martin, the former director of the UK’s NCSC and now a professor at Oxford University’s Blavatnik school. “The question is, if we had the sort of clear rules that have been talked about, which one would have been violated?”
Covering their tracks
As the dust settles on the SolarWinds attack, many unknowns remain. It emerged this weekend that there was a second vulnerability in its software. Microsoft believes this may have been developed by a second attacker.
Cyber security engineers at thousands of companies were also left with the unenviable task of unpicking the impact of the backdoor on their own systems over Christmas to see if they were hit too.
It is thought only 200 or so companies were hit with further spyware by the hackers, who one source said were only a small team of researchers and coders.
Murray, of TruSec, adds that the challenge of uncovering the full extent of the hack is compounded by the hackers’ efforts to “cover their tracks”.
The Kremlin has repeatedly denied any involvement in the SolarWinds breach. Multiple security engineers and former security officials told The Telegraph a Russian group was likely involved. Some reports have attributed the hack to the suspected Russia-linked group Cozy Bear.
Whoever the true culprit is, the disorder caused by the attack will have played into the hands of rivals to US spy agencies around the world.
On Sunday, President Vladimir Putin — a former KGB agent — addressed Russia’s security officials in a statement praising their ongoing work. “I rate very highly difficult professional operations that have been conducted,” he said, adding, “I know what I am talking about here.”