The March 2020 SolarWinds hack, which was not discovered for months, has formally been blamed on Russian hackers by a coalition of US intelligence agencies calling itself the Cyber Unified Coordination Group. The Office of the Director of National Intelligence along with the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the NSA have determined that the breach was “likely” the work of advanced persistent threat (APT) group “Cozy Bear.”
Long a thorn in the side of the US government, Cozy Bear has been active since at least 2010 but became a household name in 2016 with the breach of the Democratic National Committee and the leak of internal emails ahead of the presidential election.
SolarWinds hack undiscovered for most of 2020, hit over 200 organizations
First appearing in federal systems in March of 2020, the SolarWinds hack was not disclosed to the public until mid-December and it is still not clear exactly how long the breach window was open. Microsoft and VMWare were also breached by the Russian hackers around this time, though the focus is on SolarWinds in this case as it contracts with a wide range of federal agencies. The attackers compromised the Orion software, used in enterprise-level IT administration to manage logins and monitor traffic across multiple locations.
Though the federal agencies were thought to first be breached sometime in March, the Russian hackers appear to have compromised SolarWinds in October of 2019. That initial SolarWinds hack appears to have been a test run, with the attackers entrenching their positions and setting up command-and-control architecture from December to February. March is the first point at which the Russian hackers began inserting backdoor-creating malware into Orion updates, which went out to a variety of government agencies. These tainted updates appear to have affected about 18,000 organizations in total, including many private businesses, but the Russian hackers were very selective in which of the installed backdoors they actively exploited and seemed to only be interested in very high-value espionage targets.
The joint statement from the intelligence agencies clarified that the SolarWinds hack is believed to be an “intelligence gathering effort” backed by the Russian Foreign Intelligence Service (SVR RF). Rosa Smothers, former CIA cyber threat analyst / technical intelligence officer and current SVP at KnowBe4, suggested that the SolarWinds software was originally compromised from the inside: “As was recently reported in the NYT, SolarWinds moved much of its engineering to satellite offices in the Czech Republic, Poland and Belarus, where engineers had broad access to the Orion network management software that Russia’s agents compromised. As a former CIA officer who was intrinsically involved in HUMINT-enabled cyber operations, there’s a tremendous window of opportunity — we call it ‘spot, assess, and recruit’ — in areas where there’s amplified geopolitical tension. For instance, Belarus is currently struggling against overt Russian influence.”
Russian hackers turn up the heat
Some observers have characterized the SolarWinds hack as the most damaging to the US in the history of cyber espionage given the amount of agencies it compromised and the length of time it was active before discovery. US cybersecurity experts acknowledged releasing the joint statement in part because of rumors that the SolarWinds hack had compromised voting systems, looking to quell growing unrest over the election results.
Though the software update breach does not appear to be tied to any sort of election fraud, it certainly gave the Russian hackers access to the high-value information they were seeking. The Department of Commerce reported that the email accounts of some high-ranking government officials had been compromised. The Department of Defense said that “parts of” the Pentagon were breached. The Department of Energy reported that the National Nuclear Security Administration (responsible for the nuclear arsenal) and the Sandia and Los Alamos national laboratories were breached among other agencies, though the department claims that only “business functions” were affected without any breach of national security. Some amount of email accounts at the Departments of Justice and the Treasury were thought to be breached, and the National Institutes of Health was presumably raided for Covid-19 information. The Wall Street Journal is also now reporting that the federal judiciary system was breached, and that highly sensitive court documents are being moved to a stand-alone system as a precaution.
Though it does not appear to have had any related influence, the hack comes during one of the most contentious presidential elections in American history. President Trump has persisted with claims of election fraud to the point that he was banned by nearly every major social media platform over fears of continued political violence; in the wake of the discovery of the SolarWinds hack he initially blamed China and was criticized for failing to appoint a new Department of Homeland Security cyber chief in a timely fashion.
Though up to 18,000 private companies may have had backdoors installed by the Russian hackers, the intelligence agencies declined to state how many (if any) of these were actually exploited. SolarWinds patched and upgraded its Orion update processes on December 14. Rick Holland, Chief Information Security Officer at Digital Shadows, offered the following advice to organizations potentially impacted by the SolarWinds hack: “The focus should still be on investigating your environment and looking for evidence of an intrusion. The various FireEye and Microsoft blogs remain useful resources for this. Companies should be looking at other supply chain providers that could centrally manage the environment and look for anomalous activity. Set up Google Alerts to monitor your supply chain for breach announcements. Microsoft revealed that more than 40 other organizations have also likely been compromised; SolarWinds isn’t the only target in this campaign … The best defense against nation-state adversaries is acknowledging you can’t stop them but then focusing on making their lives as difficult as possible. Make sure you have implemented your vendors’ hardening guidelines. Take a risk-based approach to vulnerability management. Don’t deploy administrative consoles on public-facing networks. Enforce multi-factor authentication to prevent account takeovers.”