Normally we use this space to round up the biggest stories from all reaches of the cybersecurity world. This week, we’re making an exception, because there’s really only one story: how Russia pulled off the biggest espionage hack on record.
Russia’s hack of IT management company SolarWinds began as far back as March, and it only came to light when the perpetrators used that access to break into the cybersecurity firm FireEye, which first disclosed a breach on December 9. Since then, a cascading number of victims have been identified, including the US Departments of Sate, Homeland Security, Commerce, and the Treasury, as well as the National Institutes of Health. The nature of the attack—and the tremendous care taken by the hackers—means it could be months or longer before the extent of the damage is known. The impact is already devastating, though, and it underscores just how ill-prepared the US was to defend against a known threat—and to respond. It’s also ongoing.
And there’s so much more. Below we’ve rounded up the most important SolarWinds stories so far from around the internet. Click on the headlines to read them, and stay safe out there.
Reuters has broken multiple stories about the SolarWinds hack and its fallout, but this piece takes a step back to look at the company at the heart of it. The IT management firm has hundreds of thousands of customers—including 18,000 who were vulnerable to Russia’s attack—who rely on it for network monitoring and other services. Its security practices appear to have been lacking on a few fronts, including the use of the password “solarwinds123” for its update server. (That’s not suspected of being tied to the current attack, but … still.)
The Wall Street Journal this week shared new details about what happened inside FireEye earlier this month as it discovered and responded to its own compromise. The tip-off: An employee received an alert that someone had logged into the company’s VPN using their credentials from a new device. Over 100 FireEye employees engaged in the response, which included combing through 50,000 lines of code to suss out any abnormalities.
Over the past several years, the US has invested billions of dollars in Einstein, a system designed to detect digital intrusions. But because the SolarWinds hack was what’s known as a “supply chain” attack, in which Russia compromised a trusted tool rather than using known malware to break in, Einstein failed spectacularly. The government can’t say it wasn’t warned; a 2018 report from the Government Accountability Office recommended that agencies—and federal defense systems more broadly—take the supply chain threat more seriously.
It’s a good question, and one that’s going to take a long time to answer. Microsoft this week at least shared some initial findings: More than 40 of its customers were the victims of advanced compromise by Russia. (Microsoft itself was also hacked as part of the campaign.) Of those 40, nearly half were companies in the IT sector, while another 18 percent were government targets. Eighty percent were based in the US. This isn’t meant to be a comprehensive look at the victims; there are likely plenty more than what Microsoft has found so far. But it does give at least a hint at geography and category, neither of which is especially comforting.
Don’t take our word for how serious all this hacking is. Read Tom Bossert’s New York Times op-ed, in which the former homeland security adviser makes a convincing case that “the magnitude of this ongoing attack is hard to overstate,” and demands a swift, decisive response in which “all elements of national power must be placed on the table.” (This is also a good time to mention that President Donald Trump hasn’t mentioned the SolarWinds hack at all, not once, not even a whisper. President-elect Joe Biden released a statement, vowing to impose “substantial costs on those responsible for such malicious attacks.”)