This week, several major U.S. government agencies, including the departments of Homeland Security, Commerce, Treasury, and State, discovered that their digital systems had been breached by Russian hackers in a months-long espionage operation. The scale and depth of the attacks will take months, if not more, to fully understand. But it is already clear that they represent a moment of reckoning, both for the federal government and for the IT industry that supplies it.
As early as March, Russian hackers apparently compromised otherwise routine software updates for a widely used network monitoring tool, SolarWinds Orion. By gaining the ability to modify and control this trusted code, the attackers could distribute their malware to a wide variety of clients undetected. Such “supply chain” attacks have already been used in government espionage and destructive hacking, including by Russia. But the SolarWinds incident underscores the incredibly high stakes of these incidents and how few steps have been taken to prevent them.
“I compare this to other types of disaster recovery and contingency planning in government and the private sector,” says Matt Ashburn, head of the national security mission at web security firm Authentic8, formerly responsible for information security at the National Security Council. “Your goal is to maintain operations in the event of an unexpected event. Yet when the pandemic started this year, no one seemed ready to deal with it, everyone was scrambling. And supply chain attacks are similar – everyone knows this and is aware of the risk, we know that our most advanced adversaries engage in this type of activity. But there was not this concerted concentration.”
The recriminations came shortly after the attacks were revealed, with US Senators Ron Wyden (D-Oregon) and Sherrod Brown (D-Ohio) leading pointed questions to Secretary of the Treasury Steve Mnuchin in Congress about the department’s readiness and response. “As we learned from the NotPetya attacks, software supply chain attacks of this nature can have devastating and far-reaching effects,” said Senator Mark Warner (D-Virginia), vice chairman of the Senate Intelligence Committee, in a separate press release. “We must make it clear that there will be consequences for any wider impact on private networks, critical infrastructure or other sensitive sectors.”
The United States has invested heavily in threat detection; a multi-billion dollar system known as Einstein patrols federal government networks for malware and signs of attack. But as a 2018 report from the Government Accountability Office detailed, Einstein is good only at identifying known threats. It’s like a bouncer who keeps out everyone on their list, but turns a blind eye to names they don’t recognize.
This made Einstein inadequate in the face of a sophisticated attack like Russia’s. The hackers used their SolarWinds Orion backdoor to gain access to the target networks. They then sat quietly for up to two weeks before moving very carefully and deliberately through victim networks to gain further access and exfiltrate data. Even in this potentially more visible phase of the attacks, they worked diligently to cover their tracks.
“That’s a calculation for sure,” says Jake Williams, former NSA hacker and founder of security firm Rendition Infosec. “This is inherently so difficult to solve, because supply chain attacks are ridiculously difficult to detect. It’s like the attacker is teleporting from nowhere.”
On Tuesday, the GAO publicly released another report, delivered to the government in October: “Federal agencies must take urgent action to manage supply chain risks.” By then, the Russian assault had been active for months. The agency found that none of the 23 agencies it examined had implemented all seven of the core cyber defense best practices it had identified. The majority of agencies had not implemented any at all.
The supply chain problem – and Russia’s hacking frenzy – is not unique to the US government. SolarWinds said up to 18,000 customers were vulnerable to hackers, who managed to infiltrate even top-tier cybersecurity firm FireEye.