The US government issued an emergency warning on what appears to be one of the most sophisticated cyber espionage campaigns of recent years.
Hackers working for a nation state managed to infiltrate software used by key government agencies and the world’s largest corporations as the West was on lockdown earlier this year.
Here’s everything we know so far.
Hundreds of thousands of organizations around the world rely on software called Orion to manage their computer networks.
The software, from computer company SolarWinds, is described as a “single window” that can monitor everything in a system.
The hackers were able to insert malicious code into software updates SolarWinds provided to its customers, which then allowed them to open a backdoor allowing them to spy on their targets at will.
The updates were released between March and June of this year, SolarWinds said, meaning hackers could have been inside some systems for up to nine months.
The attack was unrelated to the hour-long outage of Google services on Monday.
Who was hacked?
The scope of the attack is potentially enormous. SolarWinds said on its website that it has 275,000 customers worldwide.
But the company said on Monday that it estimated “less than 18,000” of its customers had downloaded the compromised updates.
FireEye, the cybersecurity company that revealed last week that it was itself a victim of the hacking campaign, said it had found other victims among “government, consulting, technology, telecom and extractive” entities around the world.
No large company has disclosed that it has been hacked.
In the United States, the Commerce Department said one of its offices had been breached. The Treasury Department was also reported to have been targeted but declined to comment.
UK and European cybersecurity agencies have yet to comment on the extent of their exposure.
What is SolarWinds and what does it do?
SolarWinds is a 20-year-old tech company based in Austin, Texas, with revenues expected to exceed $1 billion this year.
According to its website, SolarWinds customers include Microsoft, McDonald’s, Lockheed Martin and Yahoo, as well as many government and military departments in the United States and abroad.
Some of America’s most sensitive intelligence targets are among its clients: the five branches of the US military; the Pentagon; the State Department; the NSA; the Department of Justice; and the Office of the President of the United States, according to the company’s website.
SolarWinds shares fell 15% early on Monday after news of the hack broke.
Who were the hackers and what were they looking for?
Western security experts were quick to point the finger at Russia, although there was no official confirmation.
FireEye said, “The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security.”
A person familiar with the investigation said that U.S. security sources believed the SVR, Russia’s foreign intelligence service, was behind the hack.
Robert Hannigan, former head of the UK signals intelligence agency GCHQ, said that while it was still too early to say who was responsible, Russian agencies have a history of using software updates to launch attacks, as these attackers did via Orion. This is how a cyber unit of Russia’s military intelligence service, the GRU, planted the NotPetya malware in Ukrainian accounting software in 2017.
Officials suggested the attack had all the hallmarks of a spy operation, designed to target central government, defense, military and intelligence institutions.
Russia has denied any involvement, with Dmitry Peskov, President Vladimir Putin’s spokesman, calling the accusations “baseless”.
What do we still not know?
One of the key questions, according to Western security officials, is how the hackers managed to penetrate SolarWinds.
Possibilities include a company insider who helped hackers gain access to its customers, or cybersecurity weaknesses that meant its systems could be targeted remotely.
The other question is how many governments and businesses may have been compromised.
Those using Orion may have been accessed directly, but cybersecurity experts point out that organizations that shared data with the targets could also have been compromised. This means that the potential repercussions could extend far beyond Orion’s original customer base.
Additional reporting by Tim Bradshaw in London