The US government suffered one of the largest cyber attacks in years, American officials announced on Monday.
Thought to have been carried out by Russia, the vast and complex operation apparently targeted US federal government systems – the treasury and commerce departments were some of the worst affected.
Hackers managed to access highly secure networks by convincing 18,000 government and private computer users to download a software update laced with hidden malware.
This gave the intruders access to top-level, classified information, including internal emails at top government organisations.
For many, talk of cyber attacks can seem abstract – how did it happen? What are the consequences? Could civilians be affected?
While the cyber-raid may be difficult to picture, the real-world outcomes could be very serious.
How did the hackers gain access?
A US company called SolarWinds, which provides services monitoring government and business networks for outages, was hacked in early March of this year.
The malware, which was planted in an update package for SolarWinds’ Orion software, gave hackers access to the infected machines – and to the network at large.
While security researchers are still speculating on the exact method, some think it could have been as simple as guessing the password.
A security researcher told Reuters that he found last year that the password for SolarWinds’ update server was ‘solarwinds123’.
Though the breach happened months ago, it was not discovered until US cybersecurity company FireEye, which uses SolarWinds, found it had suffered a hack.
The long lag between infection and discovery would have given hackers plenty of time to download highly sensitive information.
How serious is the hack and who has been affected?
The US government, which was probably the main target of the hack, is the most high-profile casualty.
While government officials haven’t yet stated which agencies are affected, the state department, Centers for Disease Control and Prevention (which helps coordinate pandemic response) and Homeland Security all use the SolarWinds software.
FireEye executive Charles Carmakal said the company was aware of ‘dozens of incredibly high-value targets’ hackers had access to, and was helping ‘a number of organisations respond to their intrusions’.
But the number of potentially affected organisations could be vast, given the extensive client list that SolarWinds has.
The Austin, Texas-based company offers network-monitoring and other services to hundreds of thousands of organisations, including a swathe of Fortune 500 companies and government agencies in North America, Europe, Asia and the Middle East.
Myriad organisations across the world that also use SolarWinds software are now in a race against time trying to remove the malware-infected updates from their systems.
Researchers have named the hack Sunburst and say it might take years to find out the true extent of one of the biggest ever cyber-attacks.
Orion, the SolarWinds product that the hackers compromised, makes up close to half of the company’s total revenue.
Because of the centralised nature of the software, malicious actors that gain access to it can obtain a ‘bird’s-eye view’ of an organisation’s computer networks.
FireEye said the malware had impressive capabilities – from lying dormant for weeks, to hiding in plain sight by disguising its activity as standard Orion procedures.
‘These types of tools are allowed deep access to systems,’ said Brandon Hoffman, chief information security officer at the California-based IT provider Netenrich.
‘The reason these systems are good targets is because they’re deeply embedded in systems operations and administration.’
What has the response been to the hack?
The hack took months to find, giving hackers a huge amount of time to access sensitive systems.
When it found the hack, SolarWinds sent warnings to around 33,000 of its Orion customers who might have been affected.
However, it estimated that a smaller proportion of its customers, fewer than 18,000, were likely affected.
And, SolarWinds added, just because a company or agency uses the company as a vendor does not mean it was vulnerable to the attack, or was hacked.
While it may be months before the US responds, likely under a Biden administration, if the US concludes Russia was behind the attack there could be retaliatory geopolitical consequences.
However, SolarWinds CEO Kevin Thompson said the company has been working with FireEye, as well as the FBI, the intelligence community and other law enforcement agencies, to find out the source of the attack.
Who could be behind the hack?
Many in the security world argue the attack has the signature of a Russian operation, but this has yet to be confirmed.
FireEye, which originally identified the hack, says that a Russian cyber-military team called Cosy Bear is likely to be involved.
Russian government officials responded to the accusations in a Facebook statement, dismissing them as ‘baseless’.
Former FireEye cyber-attack responder Marina Krotofil told the BBC the hack may increase tensions.
‘In past years, the USA has imposed a series of sanctions on Russia, including the most recent indictment of the Russian military hackers,’ said Krotofil.
‘However, Russia explicitly demonstrates that they are not intimidated and are not going to slow down with their cyber-activities. This will further escalate relationships between the US and Russia and, in the long run, create severe political conflicts.’
SolarWinds itself has been advised an ‘outside nation-state’ had infiltrated its systems with malware.
Neither the US government nor the affected companies have stated which nation they think is responsible.
An anonymous US official told the Associated Press on Monday that Russian hackers were suspected.
Though the Russians deny the attack, the specific hacking method, a ‘supply-chain’ compromise, was similar to the way Russian hackers managed to destroy hard-drive data in Ukraine in 2016.
Are hacks like these important – what could it mean?
There have been consequences for military hacking before.
In 2016, the Obama administration expelled vast numbers of Russian diplomats after it was found military hackers had attempted to interfere in the election.
While espionage on its own doesn’t violate international law, retaliation can still occur in the form of sanctions and diplomatic expulsions.
SolarWinds could also face legal action from its customers, including government entities, who were affected by the breach.
The company pre-emptively filed a report with the Securities and Exchange Commission on Tuesday.
In it, the company said total revenue from affected products was about $343m, or roughly 45% of the firm’s total revenue.
SolarWinds’ stock price has fallen 25% since news of the breach first broke.