Thousands of companies and governments are rushing to find out if they have been affected by Russian hackers who have allegedly infiltrated several US government agencies. The initial breach, reported on December 13, included the departments of the Treasury, Commerce and Homeland Security. But the stealth techniques used by hackers mean it could take months to identify all of their victims and remove any spyware they installed.
To carry out the breach, the hackers first broke into the systems of SolarWinds, an American software company. There they inserted a backdoor into Orion, one of the company's products, which organizations use to monitor and manage large internal computer networks. For several weeks starting in March, any customer who updated to the latest version of Orion, digitally signed by SolarWinds and therefore apparently legitimate, unwittingly installed the compromised software, giving the hackers a way into their systems. The signature check that customers rely on could not catch this: the code was tampered with before it was signed, so the signature was genuine.
SolarWinds has approximately 300,000 customers worldwide, including most Fortune 500 companies and many governments. In a new filing with the Securities and Exchange Commission, the firm said that "fewer than" 18,000 organizations had downloaded the tainted update. (SolarWinds said it is not yet clear how many of those systems were actually compromised.) Standard cybersecurity practice is to keep software up to date, so most SolarWinds customers were, ironically, protected because they had ignored that advice and never installed the update.
The hackers were "extremely smart and strategic," said Greg Touhill, the former US federal chief information security officer. Even once they had gained access through Orion's backdoor, known as Sunburst, they moved slowly and deliberately. Instead of infiltrating many systems at once, which could easily have raised suspicion, they focused on a small set of selected targets, according to a report from the security company FireEye.
Sunburst stayed dormant for up to two weeks before waking up and starting to communicate with the hackers, according to the report. The malware disguises its network traffic as the "Orion Improvement Program," a legitimate SolarWinds feature, and stores the data it collects inside legitimate configuration files so that it blends in. It also checks the infected machine for security and antivirus tools and holds back when it finds them.
To further cover their tracks, the hackers used a given set of machines and network addresses to communicate with a particular target's backdoor only once, the equivalent of using a burner phone for an illicit conversation. They made limited use of malware, because malware is relatively easy to spot; instead, once they had a foothold through the backdoor, they tended to take the quieter route of using genuine stolen credentials to gain remote access to a victim's machines. And the malware they did deploy does not reuse code from earlier operations, which made the spying harder to detect, since security tools look for code that has appeared in previous attacks.
Signs of the intrusion campaign date back to March, according to security reports from Microsoft and from FireEye, which disclosed a breach of its own network last week. This means that any organization that suspects it may have been a target must now sift through at least 10 months of system logs for suspicious activity, a task beyond the capacity of many security teams.
To help organizations determine whether their systems have been compromised, FireEye and Microsoft have published long lists of "indicators of compromise," forensic data that can reveal evidence of malicious activity. The indicators include the presence of the Sunburst backdoor itself as well as some of the IP addresses of the computers and networks the hackers used to communicate with it. If a team finds any of those IP addresses in its network logs, that is a strong sign of bad news. But because the hackers used each address only once, the absence of those addresses is no guarantee of safety. Discovering that the intruders are on a network also does not mean they are easy to evict, since they can scour the network for new hiding places.
The suspected hackers are believed to belong to Russia's SVR, the country's main foreign intelligence service. Known alternately as Cozy Bear and APT29, the group has a long list of breaches to its name, including the 2016 hack of the Democratic National Committee. Russia denies any involvement.
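The indicator sweep described above, as an added example rather than code from the article, FireEye or Microsoft: it walks log lines, matches IP addresses, domains (including any subdomain of a listed domain) and file hashes against an indicator list, and reports the result with the caveat the article stresses. The indicators, the log lines and the file name are constructed placeholders (TEST-NET addresses, an example domain and a dummy hash); the real values come from the published indicator lists.

```python
"""Sweep log lines for indicators of compromise (IOCs).

Added example. The IOC values and log lines are constructed placeholders,
not real SUNBURST indicators; substitute the FireEye / Microsoft lists.
"""
import ipaddress
import re

# Constructed placeholder indicators (TEST-NET ranges, example domain).
IOC_IPS = {"192.0.2.10", "198.51.100.7"}
IOC_DOMAINS = {"c2.example.net"}
# Placeholder hash, not a real sample hash.
IOC_SHA256_PLACEHOLDER = "0123456789abcdef" * 4
IOC_SHA256 = {IOC_SHA256_PLACEHOLDER}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[a-z0-9][a-z0-9.-]*\.[a-z]{2,}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")

# Constructed sample log lines (proxy, DNS and endpoint-agent records).
SAMPLE_LOGS = [
    "2020-06-01T10:15:02Z proxy src=10.1.2.3 dst=192.0.2.10 host=api.example.org",
    "2020-06-01T10:15:09Z dns query=xq3k7.c2.example.net from=10.1.2.3",
    "2020-06-01T10:16:00Z proxy src=10.1.2.4 dst=203.0.113.5 host=updates.vendor.test",
    "2020-06-02T08:00:00Z edr file=C:\\Program Files\\vendor\\plugin.dll sha256="
    + IOC_SHA256_PLACEHOLDER,
]


def _valid_ip(token):
    """Drop version-number-like tokens that merely look like IPv4 addresses."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def find_hits(log_lines):
    """Return (line_no, indicator, kind) for every IOC seen in the lines."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        lower = line.lower()
        for ip in IP_RE.findall(line):
            if _valid_ip(ip) and ip in IOC_IPS:
                hits.append((n, ip, "ip"))
        # Match the listed domain itself or any subdomain beneath it.
        for host in HOST_RE.findall(lower):
            for dom in IOC_DOMAINS:
                if host == dom or host.endswith("." + dom):
                    hits.append((n, dom, "domain"))
        for digest in SHA256_RE.findall(lower):
            if digest in IOC_SHA256:
                hits.append((n, digest, "sha256"))
    return hits


def assess(hits):
    """Summarise matches. An empty result is not a clean bill of health:
    the attackers used each address once, so unseen infrastructure is expected."""
    if not hits:
        return "no indicators matched; not evidence of absence"
    kinds = sorted({kind for _, _, kind in hits})
    return f"{len(hits)} indicator hit(s) ({', '.join(kinds)}); investigate"


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOGS):
        print(hit)
    print(assess(find_hits(SAMPLE_LOGS)))
```

Run it over a real log export with the published lists substituted in; a hit is grounds for an incident response, while an empty result only rules out the infrastructure already known, as the article notes.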
"It gave them the ability to make a backdoor to major networks," said Touhill, who is now president of Appgate Federal Group, a secure infrastructure company. "They have the ability to sit there, absorb all the traffic, analyze it. We have to be very careful about what else these actors are looking for. Where can they be? Where else can they hide? If they have access to it, they do not give it up easily."