Written by T. Piccirilli
“All elements of national power must be placed on the table.”
-Tom Bossert, former Homeland Security adviser, New York Times op-ed
Between phishing scams targeting millions, the shutdown of a global stock market, and a series of breaches of the pharmaceutical industry, 2020 has been a busy year for state-sponsored hackers. Yet in the midst of all of this, completely under our noses, Russia may have just completed the single largest espionage hack on record. Russia’s hack of the IT management company SolarWinds began as far back as March, only coming to light this December when the perpetrators used the access to break into the cybersecurity firm FireEye. Since then a long list of victims has been identified, including the US Departments of State, Homeland Security, Commerce, and Treasury, as well as the National Institutes of Health and a litany of global banks and businesses. To call this a serious issue is an understatement, and we may not know the extent of the damage for months.
It is almost a stroke of luck that FireEye was breached: in their own scramble to see which of their defense penetration tools had been stolen, they discovered the backdoored .dll file that had been uploaded to the downloads section of SolarWinds’ site. The malicious code, once downloaded and activated, allowed hackers to execute commands, take over systems, and steal data. Once it was discovered that SolarWinds files were the source of the breaches, the company’s customers began checking their own systems. Those customers include 425 of the US Fortune 500, all of the top 10 US telecommunications companies, every branch of the US military, the Pentagon, NASA, the NSA, NOAA, and the Office of the President of the United States.
Early in the news cycle, there was optimism that the hack might not be as bad as it seemed. Security analyst Jake Williams pointed out that the Orion product, in which the malicious code was placed, was a good jump-off point for an attack, but that it is designed to be observational rather than something that could actively change configurations. A few days later, FireEye’s analysis of the code put an end to any such optimism. FireEye found that once the .dll reaches a machine it remains dormant for two weeks before waking and executing ‘jobs’ that include the ability to transfer and execute files, profile the system, reboot the machine, and disable system services. The trojanized file is added to computers via a standard Windows Installer Patch file and, once installed, is loaded by the legitimate SolarWinds executable.
FireEye states that it has “detected this activity at multiple entities worldwide”, completing the audit by saying that of SolarWinds’ 300,000-plus customers, no more than 18,000 installed the backdoored update. Unfortunately, those 18,000 included multiple branches of the US government.
And this is only the tip of the iceberg. Over the next few months, affected agencies will have to patch any remaining vulnerabilities, root out any persistent access, and figure out what was actually affected. The last part is key, as it will determine the response of the US government and may prove to be one of the first key foreign policy decisions of the Biden administration. Although the Trump administration has yet to officially identify Russia as the perpetrator, the Washington Post, among others, has identified the Russian hacking group Cozy Bear as the likely perpetrator. The Biden team has also not officially denounced Russia, but in a response issued on their transition page, President-elect Biden and Vice President-elect Harris have promised to make dealing with this breach a top priority from the moment they take office. The team has also promised to elevate cybersecurity as an imperative across the government.
In the weeks since the breach, cybersecurity and foreign policy experts have begun joining forces to lay out potential responses. Tom Bossert, whose words opened this piece, gave perhaps the hardest-line response, urging the US government to leave no response off the table and equating the hack to an act of war. In pondering why the US may not take such an aggressive response, Time’s Ian Bremmer notes that the US has never had solid responses to existing cyberattacks, that the US likely engages in similar activity, and that escalating the response may run the risk of exposure.
Regardless of what the response is, this is a critical time for US agencies, as the publicity of the hack, coupled with its timing relative to a transition of power, will increase global scrutiny of the US and its agencies. Without more knowledge about what the damage from the hack is, or what the motivation behind it is, it is impossible to know what the appropriate next steps should be, but Bossert’s urging to leave no options off the table is a philosophy that affected organizations should take to heart. This breach is at best a disaster and at worst one of the most historically significant cyber events of our lifetimes.
Despite this, in our eyes, this breach is not surprising. The last few years have shown that state-sponsored hacking is a serious issue: both North Korea and Russia have carried out very public hacks with little recourse, and the corporate world continues to bear the brunt of the effects. Given the extensive private-public partnerships in the US, it is no surprise that the government would eventually be affected. It is time for the US to rethink this partnership and begin treating the cybersecurity of those it works with as an issue of national security.