Public and private agencies and businesses worldwide have been left urgently trying to determine if they have been hit by what could amount to one of the most extensive hacking campaigns in recent decades.
The fallout continues less than 48 hours after the U.S. government issued an emergency warning Sunday mandating government users disconnect from the breached network-management software, SolarWinds.
“In a nutshell, SolarWinds’ Orion product provides centralized monitoring across an organization’s entire IT stack. That means the attackers who were able to compromise this platform had an extremely high level of access to all of these client systems,” David Kennedy, CEO of TrustedSec, told Fox News.
A former hacker for the National Security Agency and the Marine Corps, Kennedy also noted that “since this type of attack is so stealthy, and the attackers used a legitimate piece of software to backdoor their own malicious code, it can be very difficult for companies to identify if they were part of this attack.”
As it stands now, the U.S. State Department, Department of Homeland Security (DHS), and elements of the Department of Defense have reported being compromised. Those government branches join earlier assessments confirming that the Departments of Treasury and Commerce had been breached in what investigators believe to be a mass-scale Russian intelligence operation.
However, SolarWinds’ customer roster spans some 300,000 organizations – including other highly sensitive federal agencies ranging from the Department of Justice to the Centers for Disease Control – as well as thousands of private companies.
Almost all Fortune 500 companies are reported to use SolarWinds products to scan their networks, including major defense contractors such as Boeing, according to the New York Times.
The technology company said in its security advisory on Tuesday that no more than 18,000 customers had downloaded the tampered software, which essentially allowed hackers to infiltrate systems undetected for up to nine months. In its regulatory disclosure, SolarWinds stated that malicious code was inserted into updates of its Orion network management software disseminated between March and June this year.
“We have been advised that this incident was likely the result of a highly sophisticated, targeted, and manual supply chain attack by an outside nation-state,” the company stated. “But we have not independently verified the identity of the attacker.”
However, investigators and cyber experts are already pointing the finger at Moscow, which has denied any involvement.
Nonetheless, preliminary reviews of the intrusions suggest that the sophistication of the attacks points to the work of Russia’s Foreign Intelligence Service (SVR), the espionage wing that succeeded the Soviet Union’s former secret police, the KGB. The belief that the SVR is behind the attacks stems from the hackers being especially selective in drawing data from particular targets.
“Given the list of organizations using SolarWinds’ Orion platform, the potential impact could expose highly sensitive information and compromise national security,” said Randy Watkins, CRITICALSTART Chief Technology Officer. “Since the attacks are associated with a nation-state, widely expected to be Russia, the intent behind the attack could be anything from policy leverage and military strategy to the theft of weapons system designs.”
Former hacker Kennedy also asserted that the most likely goal of this attack was to steal military secrets and technology and to surveil the U.S. government.
“However, a foreign adversary like Russia would also benefit from gaining access to America’s financial system and the intellectual property of major corporations, so the damage could be vast,” he said. “We won’t know the full damage from this breach for at least several months, and possibly years.”
And while the scope of the breach is yet to be determined, U.S. security officials are also scrambling to assess the damage.
Vahid Behzadan, an assistant professor of engineering at the University of New Haven, noted that – based on the targeted organizations and agencies – “the attack seems to be mainly an espionage operation, aiming to exfiltrate as much sensitive information and tools as possible.”
“Due to the expansive list of targets, it is difficult to say whether this was an attempt at mass data collection, or whether the attack targeted specific sources of information and masked this intent with secondary breaches,” he continued.
The National Security Council (NSC) – also a SolarWinds user – on Monday conducted a second emergency meeting of its Cyber Response Group to discuss what happened and is reportedly summoning a subsidiary body. Several lawmakers have called for action to discern the breadth of the attacks and what resources agencies will now need to safeguard their networks.
“This breach should be a wake-up call for every company about the serious dangers posed by supply chain attacks,” Kennedy added. “These types of attacks are extremely stealthy and hard to detect, and they are also difficult to manage because the end-user doesn’t control the security of the product they are using.”