Quiet, isn’t it? We learned a couple of months ago that the Russians are embedded in almost every network that matters in our country, and nobody is talking about it. My guess is that tens of thousands of IT and security experts are crying themselves to sleep every night, but maybe there’s nothing to be gained by keeping it in the news for the rest of us. Cybersecurity has been terrifying everyone who pays attention to it for years; we have no way to judge how much this attack escalates the tension.
I’m just going to sketch the little bits that are public about three questions, to give you something to read with a flashlight after the Russians turn the lights out.
- Who got hacked?
- Who’s doing the hacking?
- What are they doing to our nice networks?
Who got hacked?
The broad answer is, just about every large company and government agency in the country. They’re all Solarwinds customers that got Russian malware delivered to their networks.
But maybe that overstates it. The Solarwinds payload itself only created an entry point in the target networks. The Russians could then use that back door to run commands on the networks – extract user credentials, install other malware, turn out the lights, etc. That back door was open for six months but it’s closed now.
During those six months, there were constraints on the Russians. They don’t have infinite amounts of manpower and they couldn’t do anything using cookie cutter hacking tools that might attract attention. It’s very likely that the nastiest of the nasty follow-up work was limited to high-value targets.
The problem is, we don’t know how many targets were considered “high-value,” and the companies and agencies aren’t talking because it’s embarrassing and scary.
So when you see long lists of government agencies that were hacked, it’s tough to know if they got the Solarwinds malware but then were left alone, or if they are thoroughly compromised and every conversation has three Russians in the room.
A sampling of the government agencies we know about: Treasury, Commerce, and Energy departments; Department of Homeland Security and State Department; the Justice Department; and the National Institute of Health. The federal court system is compromised and sensitive documents now have to be filed on paper. The National Nuclear Security Administration, which maintains our nuclear stockpile, was compromised. At least some Pentagon networks were hacked.
Private companies are reluctant to speak out about Russians in their networks, especially since the Russians apparently focused on security companies. Soon after the discovery, the New York Times reported:
Microsoft said Thursday that it had identified 40 companies, government agencies and think tanks that the suspected Russian hackers, at a minimum, had infiltrated. Nearly half are private technology firms, Microsoft said, many of them cybersecurity firms, like FireEye, that are charged with securing vast sections of the public and private sector.
“It’s still early days, but we have already identified 40 victims — more than anyone else has stated so far — and believe that number should rise substantially,” Brad Smith, Microsoft’s president, said in an interview on Thursday. “There are more nongovernmental victims than there are governmental victims, with a big focus on I.T. companies, especially in the security industry.”
Who got hacked? Everybody.
Who’s doing the hacking?
This was carried out by an elite Russian intelligence agency, S.V.R. It’s not like the Russians signed their code or dropped a business card, but we’ve been dealing with the S.V.R. for a long time and this has their fingerprints, according to cybersecurity experts.
Public and private government statements have been unambiguous. Soon after discovery, officials with access to classified intelligence about the breach, including members of Congress, Attorney General Barr, and Secretary of State Michael Pompeo all attributed the attack to Russia.
The Russian hack was discovered in December. Additional unrelated attacks have been discovered since then, including a Chinese attack on a completely separate Solarwinds vulnerability. A few days ago security researchers reported on more than a thousand high-profile academics, activists and business leaders who had been spied on by the Iranian government. Hackers tried to poison the water supply for a Florida city yesterday.
But the Russian attack through Solarwinds – that was the big one, the Category 6 hurricane, the earthquake that measures 10 on the Richter scale.
What are they doing to our nice networks?
The Russians have gained persistent access to high-value targets. We don’t know if there are 50, 500, or 5000 networks that the Russians can monitor and – perhaps – control.
Thomas Bossert, homeland security adviser to President Trump and deputy homeland security adviser to President George W. Bush, describes our exposure this way:
The logical conclusion is that we must act as if the Russian government has control of all the networks it has penetrated. But it is unclear what the Russians intend to do next. The access the Russians now enjoy could be used for far more than simply spying.
The actual and perceived control of so many important networks could easily be used to undermine public and consumer trust in data, written communications and services. In the networks that the Russians control, they have the power to destroy or alter data, and impersonate legitimate people. Domestic and geopolitical tensions could escalate quite easily if they use their access for malign influence and misinformation — both hallmarks of Russian behavior.
Microsoft security researchers have published some of their early conclusions about the tricks and techniques used by the Russians. Here’s a summary of the Microsoft findings. There are some additional technical details in this Microsoft report.
This is more or less the overview as I understand it.
- Once they used the Solarwinds malware to gain entry to a network, the Russians covered their tracks. The Russians actually removed the hacked code from the Solarwinds update system within three months.
- Once they were in, they slowly and quietly injected additional back doors into the networks. They selected their high-value targets and prepared custom penetration kits and command-and-control infrastructure. Assume that those are as scary as they sound.
- The hackers obtained credentials for network administrators and leveraged them to get the credentials of employees.
- They devoted much attention to compromising each company’s Azure Active Directory, both for long-term access and to get into the mailboxes of valuable employees.
- They read mail, lots and lots of mail.
- The Russians downloaded files. FireEye, for example, said the Russians had downloaded some of the tools it uses to test customers’ security. One of the constraints on the Russians, though, is that they couldn’t download so much data that it would set off alarms. Networks monitor the volume of traffic in and out and a sudden increase would draw attention.
- They got into some Microsoft source code, but Microsoft swears it wasn’t the good stuff.
We don’t know if the Russians were simply doing espionage on a grand scale, or planting code for something more sinister in the future.
We will likely never be completely sure they are out of our networks.
Let me give you one last peek over the edge of the abyss. Don’t think about it too long, it’s too overwhelming. This is one final quote from David Sanger in the New York Times:
American officials said they worried about delicate but unclassified data the hackers might have taken from victims like the Federal Energy Regulatory Commission, including Black Start, the detailed technical blueprints for how the United States plans to restore power in the event of a cataclysmic blackout.
The plans would give Russia a hit list of systems to target to keep power from being restored in an attack like the one it pulled off in Ukraine in 2015, shutting off power for six hours in the dead of winter. Moscow long ago implanted malware in the American electric grid, and the United States has done the same to Russia as a deterrent.
My god, this is depressing. Take a breather, go watch the best card trick you’ve ever seen, and try not to think about it.