“This is classic espionage,” said Thomas Rid, a political science professor at the Johns Hopkins School of Advanced International Studies who specializes in cybersecurity issues. “It’s done in a highly sophisticated way. … But this is a stealthy operation.”
The impact may ultimately prove to be profound. SolarWinds, the maker of widely used network-management software that the Russians manipulated to enable their intrusions, reported in a federal filing Monday that “fewer than 18,000” of its customers may have been impacted. That’s a small slice of the company’s more than 300,000 customers worldwide, including the Pentagon and the White House, but still represents a large number of important networks worldwide. (Russia has denied any role in the attacks.)
FireEye, in a blog post explaining the nature of the attack on Sunday, described the victims as including “government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East. We anticipate there are additional victims in other countries and verticals.”
In the U.S. government, the known targets included the Treasury, Commerce and Homeland Security departments, and the impact is likely to be far broader, given the wide use of network tools by SolarWinds, which is based in Austin.
But the potentially good news is that quiet attackers tend to prioritize surreptitious entrances and exits, while avoiding wholesale ransacking of computer systems that could tip off defenders. Quiet hackers typically are more focused on covering their tracks than simply backing up a digital truck and taking everything they can.
The potential bad news, however, is that quiet attacks can be effective at gathering highly specific, sensitive information over the course of months or even years. While the details of what was taken and from whom are not yet public — the agencies and companies themselves may not even know for a while — the Russian operation dates at least as far back as March and was described as active as recently as Sunday.
That nine-month stretch included, to name just a few of the most important events that would have created copious computer files interesting to spies: the worst of the coronavirus pandemic, the historically fast development of vaccines using novel technology and, of course, the U.S. presidential and congressional elections.
“It’s not about quantity, it’s about quality” of targets, said John Hultquist, manager of analysis at FireEye.
“SolarWinds was clearly a door that they could walk through,” he added. “We’re shutting this door. But they’re still in these organizations. There are a lot of information security teams right now who are probably going to be working on this problem through Christmas.”
But as Rid pointed out, this so far appears to be classic digital spying of the sort that major nations, including the United States, engage in every day to gain geopolitical edges of various sorts. And it has been vastly less noisy and disruptive, so far, than a range of Russian efforts in 2016. That year, Russian hackers penetrated U.S. state election systems, infiltrated American social media conversations with hundreds of fictitious accounts and stole sensitive emails from Democrats and dumped them online at key moments in a hotly contested presidential campaign.
The 2016 effort, spearheaded by the Russian military’s intelligence unit, the GRU, and the semi-independent Internet Research Agency, left copious evidence behind that government and corporate investigators found. The 2020 effort, by contrast, appears to be the work of Russia’s SVR foreign intelligence service, which specializes in digital spying but has little known record of pushing online disinformation campaigns.
The recent hack was, by all accounts, targeted and careful, emerging only after FireEye — one of the nation’s leading cybersecurity firms — was itself targeted by the hackers, who stole potent cyberattack tools that FireEye used for research purposes.
“We won’t know the full list of victimized organizations for a long while. Solar Winds’ customers are scrambling to examine their logs and respond to the incident,” said John Scott-Railton, a senior researcher at Citizen Lab at the University of Toronto’s Munk School of Global Affairs and Public Policy. “Understanding what was taken and what the hackers left behind will take even longer. This task will be complicated by the fact that the hackers reportedly took great care to disguise their activity as legitimate.”
The hackers used multistep techniques that apparently started with the hack of somebody at SolarWinds. That allowed the Russians to manipulate software updates for systems reliant on the company’s Orion software, a popular monitoring tool that creates profound access across a computer network.
Software patches, which carry digital signatures verifying their authenticity, are an ideal target for hackers, and attacks on them are especially troubling because they can undermine faith in the updating process itself — a key to good cybersecurity hygiene for computers and systems worldwide.
The altered patches — which FireEye’s blog said turned them into “trojans,” a term derived from the Trojan horse that the Greeks used to trick unsuspecting residents of Troy into bringing into their fortified city, allowing it to be sacked — were delivered to Orion customers between March and May.
Investigators called these “trojanized” versions of the patch “Sunburst.” They stayed dormant for up to two weeks before beginning to quietly execute commands within computer networks and also establishing contact with an outside “command and control” domain. The malware disguised its transmissions to look like ordinary systems communications while actually being controlled by the hackers.
But these initial steps didn’t necessarily trigger a hack in every system that received the trojanized software patches, according to the detailed FireEye blog. Rather, it describes a scenario in which the malware delivered through the SolarWinds patches created a “back door” that the Russians could open whenever they decided to.
The hackers later entered targeted networks while maintaining a “light malware footprint” that involved creating and deleting files as they went along. They also stole and used authentic credentials and passwords from users of the hacked systems to further disguise their efforts while prowling through computer networks, according to FireEye.
Investigators found at least one tool that was apparently custom built, which FireEye dubbed “Teardrop.” The hackers also took multiple subsequent steps to gradually unlock the secrets held in computer networks. To make detection even harder, the hackers used IP addresses from the countries where the targeted systems resided, avoiding telltale communications with computers obviously located in, for example, Moscow.
The FireEye blog described ways that network administrators might have detected — and might now still find — evidence of the Russian hacks. But it also made clear: This was online spying that put a premium on outwitting its targets for as long as possible.