US government officials are still trying to unravel the vast implications of the SolarWinds cyber attack that was uncovered earlier this month.
Believed to be the work of Russian hackers, the attack has infected multiple government agencies and some of the world’s biggest private organisations.
Tech giant Microsoft is lending expertise to try and help uncover the extent of the breach, which seemingly began back in March 2020.
Hackers managed to access highly secure networks by convincing 18,000 government and private computer users to download a software update carrying malware.
The software – called Orion and made by a company called SolarWinds – looked for outages in computer networks. By compromising it, intruders gained access to top-level, classified information, including internal emails at top government organisations.
‘As much as anything, this attack provides a moment of reckoning,’ wrote Microsoft president Brad Smith in a blog post.
‘The attack unfortunately represents a broad and successful espionage-based assault on both the confidential information of the U.S. Government and the tech tools used by firms to protect them,’ he wrote.
‘The attack is ongoing and is being actively investigated and addressed by cybersecurity teams in the public and private sectors, including Microsoft. As our teams act as first responders to these attacks, these ongoing investigations reveal an attack that is remarkable for its scope, sophistication and impact.
‘The installation of this malware created an opportunity for the attackers to follow up and pick and choose from among these customers the organizations they wanted to further attack, which it appears they did in a narrower and more focused fashion.
‘While investigations (and the attacks themselves) continue, Microsoft has identified and has been working this week to notify more than 40 customers that the attackers targeted more precisely and compromised through additional and sophisticated measures.’
How serious is the hack and who has been affected?
Smith goes on to highlight that while the US was the primary target, the UK has also been affected by the vulnerability.
‘While roughly 80% of these customers are located in the United States, this work so far has also identified victims in seven additional countries,’ he wrote.
‘This includes Canada and Mexico in North America; Belgium, Spain and the United Kingdom in Europe; and Israel and the UAE in the Middle East. It’s certain that the number and location of victims will keep growing.’
The US government was probably the main target of the hack and is the most high-profile casualty.
While government officials haven’t yet stated which agencies are affected, the State Department, the Centers for Disease Control and Prevention (which helps coordinate the pandemic response) and Homeland Security all use the SolarWinds software.
Charles Carmakal, an executive at FireEye – the company that discovered the hack – said he was aware of ‘dozens of incredibly high-value targets’ hackers had access to, and was helping ‘a number of organisations respond to their intrusions’.
But the potentially affected organisations could be vast, given the extensive client list that SolarWinds has.
The Austin, Texas-based company offers network-monitoring and other services to hundreds of thousands of organizations, including a swathe of Fortune 500 companies and government agencies in North America, Europe, Asia and the Middle East.
Myriad organisations across the world that also use SolarWinds software are now in a race against time trying to remove the malware-infected updates from their systems.
Researchers have named the hack Sunburst and say it might take years to find out the true extent of one of the biggest ever cyber-attacks.
Orion, the SolarWinds product that the hackers compromised, makes up close to half of the company’s total revenue.
Because of the centralised nature of the software, malicious actors who gain access to it can obtain a ‘bird’s-eye view’ of an organisation’s computer networks.
FireEye said the malware had impressive capabilities, from lying dormant for weeks to hiding in plain sight by cloaking its activity as standard Orion procedures.
‘These types of tools are allowed deep access to systems,’ said Brandon Hoffman, chief information security officer at the California-based IT provider Netenrich.
‘The reason these systems are good targets is because they’re deeply embedded in systems operations and administration.’
Who could be behind the hack?
Many in the security world argue the attack has the signature of a Russian operation, but this has yet to be confirmed.
FireEye, which originally identified the hack, says that a Russian cyber-military team called Cosy Bear is likely to be involved.
Russian government officials, in a Facebook statement, dismissed the accusations as ‘baseless’.
Former FireEye cyber-attack responder Marina Krotofil told the BBC the hack may increase tensions.
‘In past years, the USA has imposed a series of sanctions on Russia, including the most recent indictment of the Russian military hackers,’ said Krotofil.
‘However, Russia explicitly demonstrates that they are not intimidated and are not going to slow down with their cyber-activities. This will further escalate relationships between the US and Russia and, in the long run, create severe political conflicts.’
SolarWinds itself has been advised that an ‘outside nation-state’ had infiltrated its systems with malware.
Neither the US government nor the affected companies have stated which nation they think is responsible.
An anonymous US official told the Associated Press on Monday that Russian hackers were suspected.
Though the Russians deny the attack, the specific method used, a ‘supply-chain’ compromise of trusted software, was similar to the way Russian hackers managed to destroy hard-drive data in Ukraine in 2016.