A hacking campaign has gained access to private information from a number of government and industry organizations, including the U.S. Departments of Treasury, Commerce and Homeland Security. The cyberattacks, which were first reported this past weekend, were carried out by compromising a software platform produced by a vendor called SolarWinds.
“We are aware of a potential vulnerability which, if present, is currently believed to be related to updates which were released between March and June 2020 to our Orion monitoring products,” Kevin Thompson, president and CEO of SolarWinds, explained in a prepared statement shared via e-mail. “We believe that this vulnerability is the result of a highly-sophisticated, targeted and manual supply chain attack by a nation state. We are acting in close coordination with FireEye, the Federal Bureau of Investigation, the intelligence community, and other law enforcement to investigate these matters.”
Because thousands of clients rely on SolarWinds’ products, experts expect more breaches to be revealed in the coming days. Scientific American spoke with Ben Buchanan, a professor specializing in cybersecurity and statecraft at Georgetown University’s School of Foreign Service, about why so many organizations rely on such third-party software and how its compromise made them vulnerable to cyberattack.
[An edited transcript of the interview follows.]
How did the hackers manage to compromise so many groups?
The heart of the issue here is that for big organizations, like government agencies or corporations, their computer networks are incredibly complex. And they oftentimes turn to software to try to manage these computer networks: understand how the traffic flows, what devices are on their network, how things are configured. SolarWinds is an example of this kind of software that seems to be quite widely used throughout the government and industry. But because it’s used to manage these networks, it has a position of privilege where it can see a lot of what goes on. If you compromise SolarWinds, it then becomes possible to compromise the broader computer network.
Is that what happened here?
That’s right. We’re still learning more, but what it seems occurred is that hackers somehow gained the ability to manipulate the code of SolarWinds itself; essentially they put a backdoor into SolarWinds that let them carry out malicious activity. And the customers of SolarWinds downloaded this software update to their systems, not realizing it was in part malicious, at some point [after] March—and once they did this, they essentially gave the hackers an entry point into their network. From there the hackers began doing things like harvesting passwords and other credentials to try to get further access to each of these networks that they [had] compromised with the initial toehold given to them by compromising SolarWinds.
With the passwords that they acquired, they almost certainly used that to get access to more computers and more accounts within the target organizations. It seems their end goal was getting not just passwords, but also files and the like, and then pulling those pieces of information back out in an espionage operation. I think it probably is too soon to say how extensive that espionage was, and it’s too soon to say how many of the possible victims actually were breached in this way. SolarWinds says it was fewer than 18,000 organizations—which is not a reassuring number, because it’s big. That seems to be the upper end on the reach of the espionage operation.
Thousands of organizations use SolarWinds, but how many more rely on other, similar software?
I’m sure every large organization relies on something similar to manage a network that’s particularly complicated. This kind of enterprise management is just part of running a modern, large organization—and the challenge right now is that these organizations have to trust somebody’s software. In this case, one of the companies that they trusted turns out to have been breached. I’m sure SolarWinds is not the only organization that’s in this position of trust. And I’m sure any organization that sees itself used by so many high-profile targets is itself a target.
How do investigators figure out who is responsible for attacks like this?
Just as police investigate a string of bank robberies by looking for a method of operations, or forensic evidence that links one robbery to the next, you can do the same thing with hacking operations. Investigators—often in the private sector, sometimes in the government—will look across a series of cases to build a pattern of operations for the hackers. And they will cluster different patterns of operations to different groups. And what the reporting indicates, in this case, is that the pattern of activity suggested this was the Russian SVR intelligence service that we’ve seen carry out very sophisticated hacking operations against the United States and worldwide targets before—never a destructive attack, but always these intricate espionage operations that hit high-value targets.
What do you predict is going to happen next?
The next step is definitely going to be a very thorough investigation that is one of the most significant cyber investigations we’ve seen, just because the scope of this breach is so big. We’re talking about potentially hundreds or thousands of organizations—likely hundreds I would say—that could have been compromised in this breach. Once an agency as sophisticated as the SVR gets access to a network, they’re very hard to get out. So, remediating this breach is going to be difficult. We’re going to start to realize, in the weeks to come, some degree of the information that was taken, some degree of who the victims are. [With] every single one of those, I think it’s going to be another blow and raise the level of concern about this operation.
How can the cybersecurity community defend against this type of attack?
This is a scenario, because the intrusions were so well done, when it’s hard to come up with a list of easy fixes. Because these are sophisticated adversaries, they compromised a system, SolarWinds, that was incredibly widely used and widely trusted. They essentially exploited that trust to carry out their operations, and that is something that’s really hard to defend against. This is not the same thing as just fixing a single software vulnerability and applying a patch—it’s a lot more difficult to combat this kind of threat.
This sheds some light on just how fierce the competition is between nations in cyberspace. We spend a lot of time talking about things like deterrence, norms and signaling between nations. But my view is that this kind of activity—competition, espionage, well below the threshold of conflict, what I call shaping the international environment to suit one’s ends—that’s par for the course in cybersecurity. So, while this is certainly a high-water mark, the daily competition that leads to events like this is par for the course. And I think we probably need to spend more time in the policy world thinking about the implications of that. It’s pretty clear right now [that] the status quo, both in policy and in technology, does not let us deter this activity, and does not let us technically block this activity.