How the 'Russian' hack that breached US government unfolded

How ‘cyber equivalent of Pearl Harbor’ unfolded at the ‘perfect time for a perfect storm’: Feds may NEVER know true scale of 9-month-long Russian hack that breached US nuclear agencies, Pentagon government departments and Fortune 500 companies, experts say

  • Federal authorities are expressing increased alarm over the suspected Russian hack that breached, among others, US nuclear agencies 
  • It is one of the biggest hacks ever uncovered and has sent security teams around the world scrambling to investigate the scope and contain the damage
  • As the investigation continues a week after the hack was first publicly revealed, a timeline is beginning to emerge 
  • The hack involved a common software product made by Texas-based SolarWinds Corp, which is used by hundreds of thousands of organizations 
  • It is not yet clear how hackers managed to infiltrate SolarWinds and go undetected for nine months
  • The true scale of who has been affected and what information has been stolen may never be known, officials and experts say 
  • So how did the hack actually occur, how bad is it and who is to blame? 

The list of victims from the devastating and long-undetected hack on US government agencies and companies continues to grow ever since the sprawling cyber-espionage campaign was disclosed – but experts say the true impact may never actually be known.

Federal authorities are expressing increased alarm over the suspected Russian hack that breached, among others, US nuclear agencies – with the nation’s cyber security agency already warning of a ‘grave threat’ to government and private networks as a result. 

The attack – described by a Congressman as the cyber equivalent of Pearl Harbor – is one of the biggest hacks ever uncovered and has sent security teams around the world scrambling to investigate the scope and contain the damage. 

As the investigation continues a week after the hack was first publicly revealed, a timeline is beginning to emerge regarding how it was first discovered and exactly who has been affected. 

The true scale of who has been affected and what information has been stolen may never be known, officials and experts say.

The hack involved a common software product made by Texas-based SolarWinds Corp, which is used by hundreds of thousands of organizations, ranging from government agencies to Microsoft and Fortune 500 companies. 

Before this week, few people were aware that SolarWinds provided vital computer network monitoring services to the major corporations and government agencies worldwide.

Now, the revelation that elite cyber spies have spent months secretly exploiting SolarWinds’ software to peer into computer networks has put many of its highest-profile customers on high alert. 

The list of victims from the devastating and long-undetected hack on US government agencies and companies continues to grow ever since the sprawling cyber-espionage campaign was disclosed earlier this week. This heat map of infections created by Microsoft shows that those infiltrated by the hackers are spread out across the US

GOVT AGENCIES KNOWN TO HAVE BEEN TARGETED BY HACKERS SO FAR

Pentagon

Treasury

FBI 

Department of State 

Department of Homeland Security 

Commerce Department

National Institutes of Health

Department of Energy

National Nuclear Security Administration 

Los Alamos National Laboratory 

Federal Energy Regulatory Commission

Office of Secure Transportation 

It is raising questions about when the company first found out about its security vulnerabilities and whether insiders knew given some of its biggest investors sold off stock just days prior. 

Cyber security experts across both government and private industry are still struggling to understand the scope of the damage, which some are already calling one of the most consequential breaches in recent memory. 

The malicious updates – sent between March and June, when America was hunkering down amid COVID-19 and during the election campaign – was ‘perfect timing for a perfect storm,’ according to Kim Peretti, who co-chairs Atlanta-based law firm Alston & Bird’s cyber security preparedness and response team. 

Peretti says the length of the compromise and the sophistication of the hackers means much of the data theft will likely go undetected for a long time. 

‘We may not know the true impact for many months, if not more – if not ever,’ she said. 

So how did the hack actually occur, how bad is it and who is to blame? Here’s what is known so far:  

How hackers managed to install a secret backdoor in software used by hundreds of thousands of government departments and companies

The hack began as early as March this year when hackers snuck malicious code into recent versions of SolarWinds’ premier software product, Orion.

The popular software tool helps organizations monitor the performance of their computer networks and servers.

Hackers managed to install a secret network backdoor – which authorities are calling SUNBURST – into Orion’s software updates.

Its centralized monitoring looks for problems in an organization’s computer networks, which means that breaking in gave the attackers a ‘God-view’ of those networks. 

It is not yet clear how hackers managed to infiltrate SolarWinds and go undetected for nine months.  

During this time-frame, as many as 18,000 SolarWinds customers – including federal agencies and major companies – downloaded the compromised updates that contained the back door. 

The software update became an instrument for hackers to steal information undetected for nine months. 

Once installed on a network, the malware used a protocol designed to mimic legitimate SolarWinds traffic to communicate with a domain that has since been seized and shut down, the Cyber security and Infrastructure Security Agency (CISA) has since revealed.  

The initial contact domain would often direct the malware to a new internet protocol (IP) address for command and control. The attackers used rotating IPs and virtual private servers with IP addresses in the target’s home country to make detection of the traffic more difficult. 

CISA said that once inside a network, the hackers focused on gathering information and frequently targeted the emails of IT and security staff to monitor any countermeasures. 

The hackers are feared to have had access to government emails as far back as June.  

SolarWinds: The Texas company at the center of the biggest attack in American history

Before this week, few people were aware of SolarWinds, the Austin-based software company providing vital computer network monitoring services to major corporations and government agencies worldwide. 

But the revelation that elite cyber spies have spent months secretly exploiting SolarWinds’ software to peer into computer networks has put many of its highest-profile customers in national governments and Fortune 500 companies on high alert. 

It’s also raising questions about whether company insiders knew of its security vulnerabilities as its biggest investors sold off stock.  

The hack began as early as March this year when hackers snuck malicious code into recent versions of SolarWinds’ premier software product, Orion. The Austin-based software company provides vital computer network monitoring services to major corporations and government agencies worldwide

A SolarWinds SEC filing from December 7 – just days prior to the hack emerging -revealed that the company’s board had appointed a replacement CEO. SolarWinds’ longtime CEO, Kevin Thompson, (above) had months earlier indicated that he would be leaving at the end of the year as the company explored spinning off one of its divisions 

SolarWinds timeline: Company stocks and when they discovered attack 

March: Updated versions of SolarWinds premier product, Orion, are infiltrated by an ‘outside nation state’

SolarWinds customers who installed updates to their Orion software were unknowingly welcoming hidden malicious code that could give intruders the same view of their corporate network that in-house IT crews have

November 18 and 19: Outgoing CEO Kevin Thompson sells $15m in shares

December 7: Leading investors Silver Lake and Thoma Bravo sell $280m shares from SolarWinds

December 7: CEO Kevin Thompson resigns. His transition had already been announced but no set date given 

December 8: FireEye announces hackers broke into its servers

December 9: New CEO Sudhakar Ramakrishna announced to take over from Thompson in 2021 

December 11: FireEye claims it became aware that SolarWinds updates had been corrupted and contacted the company  

December 13: The infiltration of Orion becomes public

The US issues an emergency warning, ordering government users to disconnect SolarWinds software which it said had been compromised by ‘malicious actors’

The Pentagon, the State Department and the National Institutes of Health, as well as the Treasury, Commerce and Homeland Security departments reveal they were targeted

A SolarWinds SEC filing from December 7 – just days prior to the hack emerging -revealed that the company’s board had appointed a replacement CEO.  

SolarWinds’ longtime CEO, Kevin Thompson, had months earlier indicated that he would be leaving at the end of the year as the company explored spinning off one of its divisions. 

The SolarWinds board appointed his replacement, current PulseSecure CEO Sudhakar Ramakrishna, on December 7, according to the financial filing. 

It was also on December 7 that the company’s two biggest investors, Silver Lake and Thoma Bravo, which control a majority stake in the publicly traded company, sold more than $280 million in stock to a Canadian public pension fund. 

The two private equity firms in a joint statement said they ‘were not aware of this potential cyber attack’ at the time they sold the stock.   

Global alarm bells ring: How the hack was first discovered by a California cyber-security firm FireEye

The breach of SolarWinds’ software was first discovered by one of its customers: The prominent cyber security firm FireEye.

The California-based cyber security firm, which is also a government contractor,  noticed a suspicious log-in on its network around December 8. 

FireEye says the attackers stole some of its ‘red team’ software, which mimics cyber-attacks to test the security of its clients’ computers. 

Two lawmakers, who were briefed on the hack this week, told Politico that FireEye representatives said that one of their employees had apparently been duped into revealing their two-factor authentication security details.

Company officials have denied the account given by congressional staffers and said none of its employees were tricked.

FireEye said they caught the breach when hackers tried to register a new device on its systems, which tipped the company off to the wider cyber-attack. 

Following an investigation, FireEye say they determined that SolarWinds’ Orion software had been hacked.    

‘We initially detected the incident because we saw a suspicious authentication to our VPN solution,’ a spokesperson has since said.  

‘The attacker was able to enroll a device into our multi-factor authentication solution, and that generates an alert which we then followed up on.’  

They insist that the SolarWinds breach was the source of the attack against FireEye. 

Once it determined that there was a wider cyber-attack, a FireEye executive alerted SolarWinds on December 12 of the compromise. 

After learning of the SolarWinds breach, the National Security Council held an emergency meeting at the White House on December 12.  

The Cyber security and Infrastructure Security Agency and the FBI were brought in to investigate after some government agencies were confirmed to have been hacked. 

At this time, people with knowledge of the meeting reported that hackers believed to be working for Russia had been monitoring internal email traffic at the US Treasury and Commerce departments.

Sources told Reuters that they feared the hacks uncovered so far may have been be the tip of the iceberg.  

SolarWinds began alerting about 33,000 of its customers on December 13 that an ‘outside nation state’ – widely suspected to be Russia – had injected malicious code into some updated versions of its premier product, Orion.

The company said in a statement that updates to its monitoring software released between March and June of this year may have been subverted by what it described as a ‘highly-sophisticated, targeted and manual supply chain attack by a nation state’. 

The Cyber security and Infrastructure Security Agency issued an emergency directive ordering federal agencies to ‘disconnect or power down’ the SolarWinds Orion software due to the breach. 


The Pentagon (left) and the FBI (right) were targets. Both have moved routine communication onto classified networks that are believed not to have been breached, according to two people briefed on the measures.

Hacked: The Los Alamos National Laboratory in New Mexico conducts the government’s most sensitive and advanced nuclear research

Deterrent: Land-based Minuteman missiles are one of the three prongs of the nuclear triad. Experts now fear the agencies that maintain US nuclear stockpiles have been breached

From US nuclear agencies and the FBI to Fortune 500: Who is known to have been targeted by hackers so far 

The list of victims continues to grow from the cyber attack that is being described as the biggest hack in American history.

The two US agencies responsible for maintaining America’s nuclear weapons stockpile – Energy Department and the National Nuclear Security Administration – have already said they were compromised in the attack.  

The attack also breached the Pentagon, FBI, Treasury and State Departments.  

The DOE and the NNSA have warned Congress that their breached networks may include the Los Alamos National Laboratory, which conducts the government’s most sensitive and advanced nuclear research, Politico reported.

The US has an estimated 5,800 nuclear warheads, some of which are on missiles and bombs ready for launch from submarines, airplanes and land-based missiles, while others are held in storage. Most however are in storage, retired, or being decommissioned. 

Their status is one of the government’s most closely-guarded secrets, as are efforts to create new weapons, which are part of the Los Alamos National Laboratory’s work.

Another attack was found in a field office of the Energy Department in Richland, Washington state, which Politico reported could have been an effort to gather information on how to disrupt the national electricity grid.

The sprawling attack also compromised broad swathes of the private sector, including Microsoft and likely most of the Fortune 500. 

The true scale of who has been affected and what information has been stolen may never be known, officials and experts say. 

Microsoft has revealed it has already identified at least 40 government agencies and companies targeted in the hack. 

The software titan said that 80 percent of the victims it has uncovered so far are in the United States and warns that number will rise ‘substantially’ as the scope of the sprawling attack continues to unfold. 

A heat map of infections released by Microsoft, which has helped respond to the breach, shows that those infiltrated by the hackers are spread out across the US with agencies, companies and think tanks in New York, Washington DC and Texas among the hardest hit.

Microsoft, who confirmed that the UK, Israel, Canada and the United Arab Emirates were also in the cross hairs, has not revealed the names of those infiltrated by the hackers but said nearly half were tech companies.  

Republican Senator Mitt Romney blamed Russia and slammed what he called ‘inexcusable silence’ from Trump and the White House

‘It’s still early days, but we have already identified 40 victims – more than anyone else has stated so far – and believe that number should rise substantially,’ Microsoft president Brad Smith told the New York Times. ‘There are more nongovernmental victims than there are governmental victims, with a big focus on IT companies, especially in the security industry.’  

Microsoft identified that 44 percent of the victims it has discovered were in the information technology sector and 18 percent were government agencies – predominantly defense and national security organisations.

Another 18 percent were think-tanks and NGOs, while 9 percent were government contractors. The remaining 11 percent was listed simply as ‘other’. 

Microsoft revealed on Thursday it found malicious software in its systems related to the hack. Microsoft is a user of Orion, the widely deployed networking management software from SolarWinds Corp, which Russian hackers infected with malware.

One of the people familiar with the hacking spree said the hackers made use of Microsoft cloud offerings while avoiding Microsoft’s corporate infrastructure. Microsoft did not immediately respond to questions about the technique.

In a statement to DailyMail.com, a Microsoft spokesperson confirmed that the company had detected and removed malicious code from the SolarWinds attack within the company, but denied that any of its products were affected.

Microsoft is one of the world’s largest technology companies, with clients across the public and private sector, and last year was awarded the $10 billion JEDI contract to run the Department of Defense’s cloud computing system. 

‘We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others,’ the spokesperson said. 

The hackers also accessed the systems of a US internet provider and a county government in Arizona as part of a sprawling cyber-espionage campaign disclosed this week, according to a Reuters analysis of publicly-available web records.  

The intrusions into networks at Cox Communications and the local government in Pima County, Arizona, show that alongside victims including the U.S. departments of Defence, State, and Homeland Security, the hackers also spied on less high-profile organisations.

A spokesman for Cox Communications said the company was working ‘around the clock’ with the help of outside security experts to investigate any consequences of the SolarWinds compromise. ‘The security of the services we provide is a top priority,’ he said.

In emailed comments sent to Reuters, Pima County Chief Information Officer Dan Hunt said his team had followed US government advice to immediately take SolarWinds software offline after the hack was discovered. He said investigators had not found any evidence of a further breach. 


President-elect Joe Biden also vowed a tough response, saying in a statement: ‘Our adversaries should know that, as president, I will not stand idly by in the face of cyber assaults’. President Trump, however, has remained silent

Russia’s president Vladimir Putin’s government has said it is not behind the massive hack – but experts said its precision, cunning and expertise points directly to the Kremlin

Investigation continues: What the cyber security agency is saying now and is SolarWinds the only software compromised

The Cyber security and Infrastructure Security Agency, which warned the sophisticated attack was hard to detect and will be difficult to undo, has said the attackers might have installed additional ways of maintaining access.

The agency said that the intrusion, which it dubbed SUNBURST, posed a ‘grave risk’ to ‘critical infrastructure’ in both the public and private sector, and at all levels of government.

Both Microsoft and the Department of Homeland Security, which said the hackers used multiple methods of entry, are continuing to investigate.

Another major tech supplier was also compromised by the same attackers and used to get into high-value final targets, according to two people briefed on the matter. 

The DHS said in a bulletin on Thursday the hackers had used other techniques besides corrupting updates of network management software by SolarWinds.

CISA urged investigators not to assume their organizations were safe if they did not use recent versions of the SolarWinds software, while also pointing out that the hackers did not exploit every network they gained access too.

CISA said it was continuing to analyze the other avenues used by the attackers.

The Department of Justice, FBI and Defense Department, among others, have moved routine communication onto classified networks that are believed not to have been breached, according to two people briefed on the measures.

They are assuming that the non-classified networks have been accessed, the people said.

CISA and private companies including FireEye Inc, which was the first to discover and reveal it had been hacked, have released a series of clues for organizations to look for to see if they have been hit.

But the attackers are very careful and have deleted logs, or electronic footprints or which files they have accessed, security experts said. That makes it hard to know what has been taken.

Some major companies have said they have ‘no evidence’ that they were penetrated, but in some cases that may only be because the evidence was removed.

In most networks, the attackers would also have been able to create false data, but so far it appears they were interested only in obtaining real data, people tracking the probes said.  

Who is responsible? Officials blame Russia for historic hack

SolarWinds said it was advised that an ‘outside nation state’ infiltrated its systems with malware. 

Neither the US government nor the affected companies have publicly said which nation state they think is responsible. 

Officials, however, widely suspect the attack was carried out by Russian hackers. 

Trump, whose administration has been criticized for eliminating a White House cyber security adviser and downplaying Russian interference in the 2016 presidential election, has made no public statements about the breach.

Republican Senator Mitt Romney has publicly blamed Russia and on Friday slammed what he called ‘inexcusable silence’ from Trump and the White House. 

Romney likened the cyber attack to a situation in which ‘Russian bombers have been repeatedly flying undetected over our entire country’. 

President-elect Joe Biden, who inherits a thorny U.S.-Russia relationship, spoke forcefully about the hack, declaring that he and Vice President-elect Kamala Harris ‘will make dealing with this breach a top priority from the moment we take office.’

‘We need to disrupt and deter our adversaries from undertaking significant cyber attacks in the first place,’ he said. ‘We will do that by, among other things, imposing substantial costs on those responsible for such malicious attacks, including in coordination with our allies and partners.’

‘There’s a lot we don’t yet know, but what we do know is a matter of great concern.’ 

Source: Read Full Article