The U.S. has sanctioned Russia for the sophisticated and damaging SolarWinds hack in 2020 that alarmed security firms and sent shock waves through the U.S. government and private sector. With at least 16,000 computer systems exposed, there remain many questions about what information has been stolen or reviewed by the attackers. The motive also remains a mystery: Is it espionage or something even more destructive?

1. What happened?

The hack, which was discovered in December 2020 but may have begun as early as March, is what’s known as a supply chain or third-party attack, meaning the initial target wasn’t the U.S. government but one of its software suppliers. In this case, the company was Texas-based SolarWinds Corp., which is used by many government agencies and Fortune 500 companies in managing their information technology. The hackers installed a so-called backdoor into SolarWinds’s popular Orion software. Over time, that infected software found its way onto the servers of some SolarWinds clients, allowing the hackers to return and access those computer systems. The Cybersecurity and Infrastructure Security Agency, known as CISA, said it has evidence that the hackers also used methods other than the backdoor to infiltrate networks.

2. Who was affected?

The hackers installed their malicious code in updates for SolarWinds software. SolarWinds said as many as 18,000 of its customers received the malicious update, while the U.S. put the number at 16,000 computer systems worldwide. A far smaller number were victims of follow-on attacks. At least 100 companies and nine federal agencies have been identified, the White House said in March. The list of known victims so far includes the departments of State, Treasury, Homeland Security, Commerce and Energy, including its nuclear weapons agency, and at least three states. The cybersecurity firm FireEye Inc. was a victim; an investigation into the breach there is what led to the discovery of the SolarWinds backdoor.

3. What’s the damage?

The White House has said that “the scope of this compromise is a national security and public safety concern,” and said the hack placed “an undue burden” on private-sector companies. But the full extent of the damage won’t be clear for some time. One of the major questions is whether the attackers’ goal was simple espionage -- exfiltrating or reviewing data from the organizations they hit -- or if they also plan more destructive attacks sometime in the future. Federal agencies and the FBI said on Jan. 5 that the hack seems to be “an intelligence-gathering effort.” “If it is cyberespionage, it is one of the most effective cyberespionage operations we’ve seen in quite some time,” said John Hultquist, a senior director at FireEye. Finding the extent of the hack, repairing compromised systems and remediating the damage will be costly and time-consuming for victims, cybersecurity experts say.

4. What evidence points to Russia?

The U.S. says its intelligence community “has high confidence in its assessment” that the hack was perpetrated by Russia’s Foreign Intelligence Service, known as the SVR, and a notorious group of hackers it controls known as APT 29. The U.K. has said that it’s “highly likely” the SVR was behind that and other cyber intrusions. The U.S. also found that the SVR stole “red team tools,” which are used to mimic cyberattacks in order to improve security, from a cybersecurity company and could use them as an offensive device. The Kremlin has denied involvement.

5. What is APT 29?

Also known in the security community as Cozy Bear or the Dukes, the hacking group dates back to 2008 and has long targeted corporations and governments. The U.S., U.K. and Canada have assessed that APT 29 is “a cyberespionage group, almost certainly part of the Russian intelligence services.” It was one of two Russian hacking groups that breached the Democratic National Committee prior to the 2016 presidential race and, in July 2020, was accused by the U.S. and the U.K. of targeting organizations involved in researching a vaccine for Covid-19. The cybersecurity firm Crowdstrike began tracking the group in 2014 and said it is known for casting “a wide net” of victims and for “changing tool sets frequently.”

6. How has the U.S. retaliated?

President Joe Biden’s administration barred U.S. financial institutions from buying new Russian sovereign debt issues and listed six technology companies with links to Russia’s intelligence services under an executive order targeting “harmful foreign activities.” The White House also formally named the SVR as the perpetrator of the SolarWinds breach on April 15. At the same time, the U.S. said it’s targeting 32 companies and individuals over attempts to influence the 2020 presidential election and is expelling 10 diplomats from Washington. Biden had offered Russian President Vladimir Putin a possible summit, paired with a warning that the U.S. would defend its interests; the Kremlin said the sanctions “wouldn’t facilitate” such a meeting. The Russian Foreign Ministry said there will be a decisive response to the moves. The existing U.S. measures are just a small part of the myriad penalties in place for other disputes.


©2021 Bloomberg L.P.