
Suspected Russian Hackers Broke Into the U.S. Treasury

By Bill Toulas / December 14, 2020

Hackers who are believed to be sponsored by the Russian state have managed to break into the U.S. Treasury and Commerce Departments, as well as the networks of various American federal agencies and large companies. The massive hack is currently under investigation by the FBI and the cybersecurity arm of the Department of Homeland Security.

From the first reports, this appears to be a large-scale and in-depth penetration. Experts in the field believe that this may well prove to be one of the most impactful espionage campaigns in history.

Leaked information suggests that the discovery of the Treasury hack is just the tip of the iceberg, which called for a National Security Council meeting at the White House over the weekend to evaluate the situation. Of course, no public statements have been made yet, and there’s no official attribution to Russian hackers or any specific group of actors. What does serve as a clue is the intrusion method, which appears to involve “SolarWinds” software.

The hackers pushed malicious updates of this software, which is used by many federal agencies in the United States, carrying out a successful “supply chain” attack. SolarWinds confirmed this possibility, even mentioning that it was probably a patch that was pushed between March and June this year - and which was laced with custom malware made by a highly sophisticated actor.

No further comments were provided this time, but it is noteworthy that software from the particular company is used by America’s largest companies, the NSA, the U.S. Army, and even the President’s Office.

Determining exactly what has been compromised will take months, if not years, because the penetration scope and magnitude are theoretically huge. This further complicates the electoral fraud case maintained by the Trump administration, as the hackers could have had access to America’s most critical networks well before and during the presidential elections.

Additional sources who remain anonymous claim that the hacking campaign that hit America’s federal agencies is the same one that compromised FireEye last week. In that case, the firm had its offensive security tools stolen, possibly to use them as a diversion from a large-scale campaign. This argument now makes perfect sense. Also, even though FireEye chose not to speculate on the origin of the attacks before the investigations were concluded, anonymous internal sources pointed to Russian actors.

The Russian foreign ministry was asked for a comment on Sunday, but it has not issued a statement yet. Of course, as is always the case, we do not expect Moscow to take responsibility for a cyber-espionage campaign of such scale - or any scale for that matter.

Brandon Hoffman, Chief Information Security Officer at Netenrich, has provided us with the following comment:

The key takeaway from this, while the damage is being examined, is to determine if your organization is at risk. For any customer of SolarWinds Orion, it is worth digging as deep as possible to understand the implications. It's not clear whether this is a flaw that SolarWinds totally understands yet. If they do, a fix needs to be issued immediately. If not, it may be worth shutting down that system until there is one. This may seem like overkill, but the risk is obvious, especially for targets considered higher priority. We still don't know enough to determine if the attackers have been completely rooted out of the breached systems or even if the full extent of their lateral movements is known.


