After days of mixed messages and uncertainty, the Trump administration finally admitted on Sunday that several key federal agencies have been hacked. They were hacked by groups working on behalf of a foreign government, and it is suspected that the government behind the attacks is none other than Russia. Now, details are slowly coming to the public’s awareness. The hacks are the most extensive to be carried out in over 5 years and signal a renewal of Russian-US cyber warfare, which appeared to be mostly on hiatus during the administration of outgoing President Donald Trump. So which agencies were hacked, what information was targeted, and what do we know about the group that performed the attacks?
Who Was Hacked and What Information Was Targeted?
The attackers targeted customers of a network software company known as SolarWinds. The company contracts with over 300,000 customers, including many of the United States’ most vital agencies. Because of this commonality, the hackers were able to exploit a single chain of weaknesses to target several agencies at once. So far we know that the US Departments of Treasury, Commerce, State, the National Institutes of Health, the Pentagon, USPS, and Homeland Security were all successfully infiltrated.
At this time, it’s not clear what data was successfully obtained. However, due to the nature of the involved agencies, the hack is raising red flags across the country as the government grapples with the fallout of such a massive breach.
How Did the Hack Occur?
The hacks played out in a way that screenwriters could envy. First, the cybersecurity system worked as it should have. The National Security Agency issued a rare cybersecurity advisory early in December warning that it had noticed a vulnerability in a certain type of software favored by federal agencies.
That’s the point at which the system began to fail, however. Due to inadequate funding and staffing cuts, many of the government’s most vital security departments have been hobbled over the past four years. Shortly after the advisory was issued, FireEye, a cybersecurity company that contracts with many of the same vital agencies as SolarWinds, announced that it had been successfully hacked. Not only that, but the hackers had managed to steal some of its security tooling – the kind used to probe and test the weaknesses of the security systems it implements.
From there, the rest is obvious. The hackers used the FireEye tooling and infiltrated the agencies along the chains of vulnerabilities created by the SolarWinds integrated software. SolarWinds had just issued an Orion update to its software customers, and the hackers immediately exploited a weakness left by the upgrade.
NPR explains, “Hackers exploited the way software companies distribute updates, adding malware to the legitimate package. Security analysts said the malicious code gave hackers a ‘backdoor’ — a foothold in their targets’ computer networks — which they then used to gain elevated credentials.
SolarWinds traced the ‘supply chain’ attack to updates for its Orion network products between March and June.
‘After an initial dormant period of up to two weeks, it retrieves and executes commands, called ‘Jobs,’ that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services,’ FireEye said.
The malware was engineered to be stealthy, operating in ways that would masquerade as normal activity, FireEye said. It added that the malicious software could also identify forensic and anti-virus tools that might threaten it. And it said the credentials it used to move within the system were ‘always different from those used for remote access.’
After gaining access, Microsoft said, the intruder also made changes to ensure long-term access, by adding new credentials and using administrator privileges to grant itself more permissions.”
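The quoted passage ends with the persistence behaviour Microsoft described: the intruder added new credentials and used administrator privileges to grant itself more permissions. That pattern is visible in ordinary Windows Security audit logs, and the following is an added example of how a defender might screen for it. It is not code from the article, NPR, FireEye, Microsoft or SolarWinds; it assumes events have already been exported into dicts with `event_id`, `time`, `actor`, `target` and `group` fields (a hypothetical shape chosen for this example), and the sample events are constructed. The Event IDs are the standard Windows ones (4720 = user account created, 4732 = member added to a security-enabled local group).

```python
"""Added example: flag account-creation followed by admin-group membership
in constructed Windows Security event records (not the article's code)."""
from datetime import datetime, timedelta

# Groups whose membership confers administrator rights (assumption: the
# environment's naming matches the Windows defaults).
ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}

# Constructed sample events. The first pair shows a new account being
# created and then placed into Administrators within a minute; the last
# event shows an account adding itself to Domain Admins.
SAMPLE_EVENTS = [
    {"event_id": 4720, "time": "2020-12-01T02:11:05", "actor": "svc_backup",
     "target": "helpdesk2"},
    {"event_id": 4732, "time": "2020-12-01T02:11:40", "actor": "svc_backup",
     "target": "helpdesk2", "group": "Administrators"},
    {"event_id": 4720, "time": "2020-12-01T09:00:00", "actor": "it_admin",
     "target": "newhire"},
    {"event_id": 4732, "time": "2020-12-02T10:00:00", "actor": "it_admin",
     "target": "newhire", "group": "Remote Desktop Users"},
    {"event_id": 4732, "time": "2020-12-01T09:30:00", "actor": "svc_backup",
     "target": "svc_backup", "group": "Domain Admins"},
]


def parse_time(value):
    """ISO-8601 timestamps as exported; no timezone handling in this example."""
    return datetime.fromisoformat(value)


def find_suspicious_privilege_grants(events, window=timedelta(hours=1)):
    """Return findings for two persistence patterns:

    * new_account_admin: an account created (4720) is added to an admin
      group (4732) within `window` of its creation.
    * self_elevation: the acting account adds itself to an admin group.

    Events are sorted by time first so out-of-order exports still work.
    """
    ordered = sorted(events, key=lambda e: parse_time(e["time"]))
    created = {}  # target account -> (creation time, creating actor)
    findings = []
    for event in ordered:
        when = parse_time(event["time"])
        if event["event_id"] == 4720:
            created[event["target"]] = (when, event["actor"])
            continue
        if event["event_id"] != 4732 or event.get("group") not in ADMIN_GROUPS:
            continue
        if event["actor"] == event["target"]:
            findings.append({"rule": "self_elevation", "account": event["target"],
                             "group": event["group"], "time": event["time"]})
        elif event["target"] in created:
            created_at, creator = created[event["target"]]
            if when - created_at <= window:
                findings.append({"rule": "new_account_admin",
                                 "account": event["target"], "group": event["group"],
                                 "created_by": creator, "time": event["time"]})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_privilege_grants(SAMPLE_EVENTS):
        print(finding)
```

The one-hour window is a tunable assumption: legitimate onboarding usually separates account creation from privilege grants by more than that, and in the constructed data the `newhire` account is never flagged because its only group change is to a non-admin group a day later. A self-elevation hit is worth triaging regardless of timing, since a service account adding itself to Domain Admins is exactly the kind of long-term access described above.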
What’s Happening With the Investigation?
When the hacks first became apparent, talk about them was pretty hush-hush. The media didn’t do a lot to address the story and the Trump administration didn’t even acknowledge it for days. However, after a cybersecurity briefing in the Senate, Richard Blumenthal (D-CT) tweeted about the attacks. Blumenthal wrote, “Stunning. Today’s classified briefing on Russia’s cyberattack left me deeply alarmed, in fact downright scared. Americans deserve to know what’s going on. Declassify what’s known & unknown.”
It took days for the Trump administration to even acknowledge that the hacks had occurred, and there is concern that they have failed to convey the seriousness of the breach to the American people.
It has been announced that the hacker group Cozy Bear is likely the culprit that executed the hack on behalf of Russia. The group has long been suspected of working on behalf of Russia’s foreign intelligence service.
What is Washington Doing About It?
Right now, the US Cybersecurity and Infrastructure Security Agency (CISA) is briefing members of Congress on the breach. According to a statement by CISA, “…[the hack] ‘poses a grave risk’ to federal, state and local governments as well as private companies and organizations.”
The ongoing investigation continues to uncover agencies that were exposed to the compromise. It’s possible the data breaches date all the way back to March. Some politicians are calling for outgoing President Trump to address the attacks and condemn Russia. Many criticize the outgoing president’s warm relationship with Russian President Vladimir Putin and wonder why Trump failed to fund programs designed to protect against foreign entities – specifically, Russia.
Per NPR, “The FBI, the Department of Homeland Security and the Office of the Director of National Intelligence announced Wednesday they have formed a special unified team, saying they will ‘coordinate a whole-of-government-response to this significant cyber incident.'”
Russia, for its part, denies any involvement. According to NPR, “‘How could I prove that I’m innocent if I didn’t do it. Let’s sit together. Let’s discuss. Let’s restart our dialogue,’ Russian Ambassador Anatoly Antonov said Wednesday in a Zoom call from the Russian Embassy in Washington.”
The investigation remains ongoing and agencies have been advised to uninstall SolarWinds programs from their systems.