The major cyberattack against the United States discovered in December, now identified with SolarWinds, the Texan company that served as the hackers' main entry point, is looking increasingly serious and widespread as security experts and American government agencies continue their investigations and assess the damage: it could take months to understand how deep the attack went, and years to make all affected computer systems safe again, with large economic losses and political damage. In the United States, there is also a growing discussion of responsibility: not only for the attack itself, which according to experts was ordered by Russian intelligence, but also on the part of those who should have prevented it and did not.
Based on the information gathered and on the background, cybersecurity experts agree in attributing the attack to the SVR, the Russian International Intelligence Service, one of the agencies born from the Soviet-era KGB. The main target of the attack is the United States, where many government agencies and hundreds of private companies have been hit, but hundreds of companies around the world are also involved. Furthermore, the attack was so complex and extensive that it is not yet clear what the purpose of the Russian hackers was, what and how much material was stolen, or how long and what measures will be needed to remove the hackers from the affected networks. It was a “supply chain” attack: rather than going after the target directly, the hackers worked upstream, compromising its suppliers. The most famous of these suppliers is SolarWinds, a Texan IT company that produces Orion, a software product for managing corporate networks. The hackers gained access to the Orion update system, and when SolarWinds released an Orion update in March 2020, they used it to install a backdoor into the internal networks of SolarWinds customers. Backdoors, literally “back doors”, are programs that allow someone to enter a computer system without its owner noticing, and possibly to take control of it.
Orion is very popular software. SolarWinds has removed the page on which it listed all its customers, but copies are of course still available online: the company claims to have 300,000 customers, including all five branches of the American Armed Forces (there would be six counting the recently created Space Force), the Pentagon, NASA, the NSA, various US departments and the office of the US president. Additionally, SolarWinds' private customers include 425 of the Fortune 500 companies (the list of the 500 largest companies in the United States, compiled by Fortune magazine), the ten largest American telephone companies, hundreds of universities and hospitals around the world, and many others.
Not all of these customers downloaded the update that contained the backdoor. According to SolarWinds, “fewer than 18,000” did. Even so, this means that more than 17,000 companies and government bodies had a backdoor inside their IT systems that could be used at any time.
We don't know for sure how many of these 17,000-plus systems the Russian hackers actually entered. In December, Microsoft said it had identified at least 40 companies and government entities that had actually been infiltrated (it later said that the hackers had also entered its own systems). The New York Times, in an article published on January 2 and full of new details, wrote that according to a more recent analysis as many as 250 targets could have been breached. Experts, however, believe that SolarWinds is only one of the suppliers used by the hackers, and therefore the victims could be more numerous. They include various American departments: the Pentagon and the Departments of the Treasury, Commerce, State and Energy (within the latter, the offices that manage the nuclear arsenal have also been compromised).
Once inside the computer systems of dozens of targets, what did the hackers do? According to cybersecurity expert Bruce Schneier, they followed the “standard manual” for such an attack: they moved to find other vulnerabilities and expand their presence within the network, and above all they almost certainly created “persistent access”. This means that they inserted other backdoors so that even if the original SolarWinds one is closed, the hackers will still be able to get in. This is a big problem, because the only way to have any hope of removing the hackers from a corporate network is to “raze it and rebuild it.” It is a long and expensive process, and even then you cannot be absolutely sure that you have driven out all the intruders. “The attack is much, much more serious than I initially feared,” Mark Warner, a US senator on the Intelligence Committee and one of the American politicians most experienced on the subject, told the New York Times.
The hackers also stole documents. For now there is no evidence that they had access to “classified” material, that is, secret material of strategic importance, but American government sources heard by the New York Times fear the theft of unclassified but still very important material, such as “Black Start”, the detailed US plan to restore power supplies in the event of a catastrophic and widespread blackout. The hackers also gained access to many email accounts of high-ranking US officials, for example at the Treasury Department.
The attack was so large and widespread that it is still not known exactly what its strategic objectives were: whether to steal documents and other material, or to insert backdoors into the most important American networks, which would constitute a lasting threat that is difficult to eliminate, and which one expert compared to a “gun aimed at the head”.
The SolarWinds Problems
All experts agree that the attack was sophisticated, very accurate and in some ways unprecedented (there have been relatively few supply-chain attacks so far, and none as extensive). However, the hackers exploited some obvious weaknesses that, if fixed, would likely have made the attack much more difficult. One of these is SolarWinds itself, which despite being a major supplier to many strategic companies and entities had loose security practices. Reuters reported in December that the password of the company's update server was “solarwinds123”. This may not have been the way the hackers got in, but as the New York Times wrote, for Kevin Thompson, the company's CEO since 2009 (he resigned after the attack), security was not a priority.
Thompson, who by training is an accountant and not a computer scientist, achieved enormous success for SolarWinds, tripling its profits from 2010 to 2019. But to do so, he cut the budgets of divisions considered unproductive, including security. In addition, he outsourced much of the company's programming work outside the United States, opening offices in Eastern European countries such as Poland, the Czech Republic and Belarus, where the presence of Russian intelligence is very strong. In 2017, Ian Thornton-Trump, a cybersecurity consultant hired by the company, said that without major countermeasures a possible hacking attack on SolarWinds would be “catastrophic.” His recommendations were ignored, and Thornton-Trump resigned shortly thereafter.
Matt Stoller, a member of the Open Markets Institute and an expert on monopolies, wrote in his newsletter that SolarWinds' problems stem in part from its being owned by a private equity firm, i.e. a financial company (in this case run by a Puerto Rican billionaire) that aims to maximize profit and has no real interest in the economic sector in which it operates.
The shortcomings of the American administration
Several articles that have dealt with the issue also noted that there were many problems within the American administration, starting with the fact that the attack was not identified by government experts but by FireEye, a private cybersecurity company. One of the problems concerns American strategy as a whole, which, as Bruce Schneier noted, favors offense over defense, even in the allocation of funds. Among the most cited aspects is, for example, the failure of Einstein, the intrusion-prevention system developed by the United States government, to stop the intrusion. Also, according to the New York Times, this year's focus on election security may have distracted from other threats.
CNN wrote that the Trump administration has been rather inefficient in handling the crisis. The reasons are partly structural: the Cybersecurity and Infrastructure Security Agency (CISA), which should be handling the matter, has only existed for two years and lacks the necessary experience. The most serious reasons, however, are political: in December Donald Trump fired Christopher Krebs, the director of CISA, because Krebs did not go along with his accusations of electoral fraud. Furthermore, Trump has tried to downplay the scale of the attack, privately calling it a hoax and trying to deny that Russia is responsible. Also according to CNN, within many government agencies the primary concern of politically appointed officials is to limit the damage to the president's image as much as possible.
This inefficiency could also affect Joe Biden's presidency. The president-elect's team complained that the outgoing administration is obstructing the transition process by withholding important documents and information, including those relating to the hacker attack.
Russia's strategy
Dick Durbin, a Democratic Party senator, said in mid-December that the SolarWinds cyberattack “is virtually a declaration of war by Russia against the United States”. Durbin is the only senator to have made such a statement, but there is much discussion among those involved in security in the United States about how to judge this attack. For some, like Schneier, it is ordinary espionage. Brad Smith, the president of Microsoft, wrote instead that this is not “the usual spying”, because it has not limited itself to stealing secret material but has created huge technological vulnerabilities around the world.
The Wall Street Journal explained that for Russia, whose economy is smaller than Italy's, hacking and espionage attacks such as the recently discovered one are a way to balance the vast disparity of resources that separates it from the United States. According to experts heard by the American newspaper, Russian operations have evolved over the years both in technical prowess and in ambition, and have been deployed in all of the country's main areas of interest, from Estonia in 2007 to Ukraine in more recent years.
These attacks have also become an increasingly difficult problem for the United States, because all the deterrents employed so far, starting with economic sanctions, seem to have had little effect. Russia has denied any responsibility for the attack. Dmitri Peskov, the spokesman for Russian President Vladimir Putin, said recently that “the allegations against Russia are completely unfounded and appear to be a continuation of blind Russophobia”.