Russia's hacking insanity is a reckoning
The attack hit several US authorities – and a full assessment of the damage may take months.
Last week, several major United States government agencies – including the Departments of Homeland Security, Commerce, Treasury and State – discovered that their digital systems had been breached by Russian hackers in a month-long espionage operation. The breadth and depth of the attacks will take months, if not longer, to be fully understood. However, it is already clear that they represent a moment of reckoning for both the federal government and the IT industry that supplies it.
As early as March, Russian hackers apparently compromised everyday software updates for a widely used network monitoring tool, SolarWinds Orion. The ability to modify and control this trusted code allowed the attackers to distribute their malware to a large number of customers without detection. Such "supply chain" attacks have been used in the past for espionage and destructive hacking by governments, including Russia's. However, the SolarWinds incident underscores the incredibly high stakes of these incidents – and how little was done to prevent them.
"I compare it to other types of disaster recovery and contingency planning in both the government and private sectors," said Matt Ashburn, director of national security at Web security firm Authentic8 who was formerly chief information security officer at the National Security Council. "Their overall goal is to keep operations going if there is an unexpected event. But when the pandemic started this year, no one seemed prepared for it, everyone was messed up. And supply chain attacks are similar – everyone knows about it and." is aware of the risk. We know our most progressive opponents are engaging in this type of activity. But there wasn't that concerted focus. "
The allegations came shortly after the attacks were exposed. US Sens. Ron Wyden, D-Ore., and Sherrod Brown, D-Ohio, directed specific questions to Treasury Secretary Steve Mnuchin in Congress regarding the department's preparedness and response. "As we learned from the NotPetya attacks, such attacks can have devastating and far-reaching effects on the software supply chain," said Senator Mark Warner (D-Va.), Vice Chairman of the Senate Intelligence Committee, in a separate statement Monday. "We should make it clear that there will be consequences for further impacts on private networks, critical infrastructures or other sensitive sectors."
The United States has invested heavily in threat detection. A billion-dollar system called Einstein monitors the federal government's networks for malware and evidence of attacks. As shown in a detailed 2018 Government Accountability Office report, Einstein can effectively identify known threats. It's like a bouncer who keeps everyone on his list away but turns a blind eye to names he doesn't recognize.
That made Einstein inadequate in the face of a cunning attack like Russia's. The hackers used their SolarWinds Orion back door to gain access to target networks. They then sat still for up to two weeks before moving very carefully and deliberately within the victim networks to gain deeper control and exfiltrate data. Even during this potentially visible phase of the attacks, they worked diligently to hide their actions.
"How the attacker teleports in from nowhere"
"This is definitely a settlement," says Jake Williams, former NSA hacker and founder of the security company Rendition Infosec. "It's inherently difficult to address because attacks in the supply chain are ridiculously difficult to detect. It's like the attacker teleporting in from nowhere."
On Tuesday, GAO publicly released another report it distributed within the government in October: "Federal agencies urgently need to take action to manage supply chain risks." By then, the Russian attack had been active for months. The agency found that none of the 23 agencies it surveyed had implemented all seven basic cyber defense best practices it identified. A majority of the agencies had none implemented at all.
The supply chain problem – and Russia's hacking spree – doesn't just affect the US government. According to SolarWinds, up to 18,000 customers have been vulnerable to hackers who managed to infiltrate even high-profile cybersecurity company FireEye.
"It has not been easy to see what happened here – this is an extremely capable, advanced actor who is taking great strides to cover his tracks and segment his operations," said John Hultquist, vice president of intelligence analysis, FireEye. "We were lucky enough to get to the bottom to be honest."
Given the potential impact of these federal breaches – political, military, economic, you name it – the Russian campaign should serve as a final wake-up call. Although it looks like the attackers only accessed unclassified systems, Rendition Infosec's Williams emphasizes that some individual pieces of unclassified information connect enough dots to rise to the level of classified material. And the fact that the true extent and scope of the incident is still unknown means that there is still no telling how bad the overall picture will be.
There are a few ways to improve supply chain security: the basic due diligence outlined by GAO, prioritizing audits of ubiquitous IT platforms, and more extensive network monitoring on a large scale. However, experts say that there are no easy answers to counter the threat. One possible way would be to build highly segmented networks with "zero trust" so that attackers cannot gain much even if they break into some systems. In practice, however, it has proven difficult to get large companies to commit to this model.
"You have to have a lot of trust in your software vendors, and all of them take security seriously," says Williams.
Without a fundamentally new approach to data protection, however, attackers have the upper hand. Options are available to the US – counterattacks, sanctions, or a combination thereof – but the incentives for this type of espionage are too great, the barriers to entry too low. "We can blow up their home networks or show them how angry we are and rattle sabers, and that's all right," says Jason Healey, a senior researcher at Columbia University, "but it probably won't influence their behavior in the long run."
"We have to find out what we can do to make the defense better than the offensive," said Healey. Until then, expect Russia's hacking rampage to be less of an exception than a blueprint.
This story originally appeared on wired.com.