As early as March, Russian hackers apparently compromised otherwise trivial software updates for a widely used network monitoring tool, SolarWinds Orion. By gaining the ability to modify and control this trusted code, attackers could distribute their malware to a wide variety of clients undetected. Such “supply chain” attacks have already been used in government espionage and destructive hacking, including by Russia. But the SolarWinds incident underscores the incredibly high stakes involved in these incidents and the few steps that have been taken to prevent them.
“I compare it to other types of disaster recovery and contingency planning in the public and private sector,” says Matt Ashburn, head of national security engagement at web security firm Authentic8, formerly responsible for information security at the National Security Council. “Your goal is to maintain operations in the event of an unexpected event. Yet when the pandemic started this year, no one seemed ready to deal with it; everyone was scrambling. And supply chain attacks are similar – everyone knows this and is aware of the risk, we know that our most advanced adversaries engage in this type of activity. But there was not this concerted focus.”
The recriminations came shortly after the attacks came to light, with U.S. Senators Ron Wyden (D-Oregon) and Sherrod Brown (D-Ohio) sending Treasury Secretary Steve Mnuchin pointed questions about the department's preparedness and response. “As we learned from the NotPetya attacks, software supply chain attacks of this nature can have devastating and far-reaching effects,” said Senator Mark Warner (D-Virginia), vice chairman of the Senate Intelligence Committee, in a separate statement on Monday. “We need to make it clear that there will be consequences for any wider impact on private networks, critical infrastructure or other sensitive areas.”
The United States has invested heavily in threat detection; a multibillion-dollar system known as Einstein patrols federal government networks looking for malware and signs of attack. But as a 2018 Government Accountability Office report detailed, Einstein is good at identifying known threats. It’s like a bouncer who keeps out everyone on their list but turns a blind eye to names they don’t recognize.
This made Einstein inadequate in the face of a sophisticated attack like Russia’s. The hackers used their SolarWinds Orion backdoor to gain access to the target networks. They then sat quietly for up to two weeks before moving very carefully and intentionally through victim networks to gain deeper control and exfiltrate the data. Even in this potentially more visible phase of the attacks, they worked diligently to cover up their actions.
“That’s a calculation for sure,” says Jake Williams, former NSA hacker and founder of security firm Rendition Infosec. “It’s inherently so difficult to solve, because supply chain attacks are ridiculously difficult to detect. It is as if the attacker is teleporting from nowhere.”
On Tuesday, GAO publicly released another report, one it had delivered to the government in October: “Federal agencies must take urgent action to manage supply chain risks.” By then, the Russian assault had been active for months. The agency found that none of the 23 agencies it examined had implemented all seven of the core cyber defense best practices it had identified. A majority of agencies had not implemented any at all.
The supply chain problem – and Russia’s hacking frenzy – is not unique to the US government. SolarWinds said as many as 18,000 customers were vulnerable to hackers, who managed to infiltrate even top-tier cybersecurity firm FireEye.