The SolarWinds Cybersecurity Attack Explained: How Did Hackers Breach the U.S. Government?
Making mistakes and taking chances are crucial steps in the endeavor towards personal growth—just not when you’re a cybersecurity analyst. “We have a saying in the cybersecurity space that hackers only need to find one way in, but we need to be perfect as defenders of our networks,” said Mark Adams, a cybersecurity analyst who helped develop the curriculum for Springboard’s upcoming Cyber Security Career Track. “The hackers can be wrong 99 times [out of 100], but if they’re right one time, they can make anybody look like they’re incompetent.”
Sometimes, that includes government entities like the U.S. Cybersecurity and Infrastructure Agency and other federal agencies responsible for establishing and protecting the nation’s cyberdefenses. In the wake of the U.S. presidential election, shortly after government officials declared the vote to be free from foreign interference, reports surfaced that SolarWinds, a major IT firm based in Texas, had sustained a massive cybersecurity attack that spread to the company’s customers.
Over 250 federal agencies have been breached, including the U.S. Treasury Department, State Department, Energy Department, and even parts of the Pentagon. Other victims include Fortune 500 corporations like Microsoft, Cisco, Intel, Deloitte, and FireEye—the cybersecurity company that first uncovered the attack. Before FireEye discovered that over 300 of its proprietary cybersecurity products had been stolen, the breach went undetected for an estimated nine months, during which hackers gained access to state secrets and intellectual property, including Black Start, a technical blueprint for how the U.S. plans to restore power in the event of a cataclysmic blackout, drawn up by the Federal Energy Regulatory Commission. Hackers also monitored the internal emails of the U.S. Treasury and Commerce departments, according to Reuters, which broke the news of the cyberattack in mid-December.
“When it comes to things like intellectual property and state secrets there’s a time value associated with those,” said Adams. “Once a threat actor has them in his possession, they’re extremely valuable in the short term but over time their value goes down because as time passes, things change.”
Government officials and cybersecurity experts say that Russia’s Foreign Intelligence Service, known as the SVR, is behind the attacks. Investigators are still piecing together the details of the breach to surmise the hackers’ intentions. Some analysts say that with a new administration entering the White House, the Russians are trying to gain leverage against the incoming president ahead of nuclear arms talks while also shaking confidence in communications within Washington, the New York Times reports.
Cyberattacks are often used as a form of signaling, a foreign policy tactic where one nation-state makes a veiled threat towards another state actor to gain political leverage, which serves as the entire rationale for nuclear armament. The cyber threats against the U.S. federal government were compounded when rioters breached the U.S. Capitol in Washington D.C. on January 6 during Congress’ official count of the electoral votes to ratify president-elect Joe Biden’s victory. Photos and videos taken by journalists and posted to social media by the rioters show members of the mob putting their feet up on desks, ransacking offices, and accessing House Speaker Nancy Pelosi’s computer. “A physical breach can be more dangerous because it often looks like an authorized connection,” said Adams. “When threat actors log into people’s computers like that, they most likely have admin privileges.”
Why is the SolarWinds hack a big deal?
When a software company is hacked, it spurs a chain of events that renders its customers vulnerable to a breach, which is why hacking the “supply chain” can have more catastrophic consequences than targeting a specific company or government entity.
For example, if the hack goes undetected and the company ships a software update that contains a virus or malware planted by the hackers, all of the company’s clients who download the update will be infected, which is what happened in the case of SolarWinds. With cloud computing enabling automatic software updates, the effect of such hacks can be immediate.
The stealth and extent of the SolarWinds cyberattack was another major cause for concern. By using an IT company as a conduit to breach the systems of other entities, hackers were able to conceal their activity and mitigate the red flags of a cyberattack, which often includes unauthorized password changes, files being deleted, or unrecognized applications being downloaded to a computer system.
When hackers first gain entry into a system, they don’t immediately make their presence known. “For the first few weeks or months they’ll just watch and harvest passwords and usernames,” said Adams. “Then, they’ll move laterally and get access to other systems on the network, where they’ll start to steal files and personally identifiable information.”
In the case of a ransomware attack—which the SolarWinds attack was not—hackers will gather as much valuable information as they can, encrypt the data, and shut down the system unless the victim pays a ransom. U.S. officials are still trying to determine whether the SolarWinds hack was “just” espionage to gain access to the inner workings of American bureaucracy, or if something more sinister was at play, such as an attempt to gain “backdoor” access to government agencies.
How is a cyberattack investigated?
In reality, identifying the origins and motivations behind a cyberattack is never easy. While an IP address represents a unique numerical identifier that can be traced to a specific device and location, it can be spoofed—just like a telephone number or email address. The most common way investigators root out the perpetrator is by examining the malware they’ve embedded in the breached system. Often, cybercriminals will leave comments or notes in the code that serve as clues.
“Programmers and hackers like to sign their work like artists—their code is a work of art,” said Adams, who has over 20 years of experience in IT governance. “So they sign that code in various ways. Often, they’ll leave their initials or they’ll try to be cute and put some sort of cryptic message.”
However, hackers can easily turn this into a subterfuge to throw investigators off their scent, or to plant fake evidence. For example, a disinformation propagandist group known as Ghostwriter hacked into the content management systems of numerous news sites in Eastern Europe to spread false stories about U.S. military aggression, all in a bid to undermine NATO.
Adams points out that in the case of the SolarWinds hack, the hackers could have easily planted comments in the code written in Russian so as to frame that country as the hacker, thereby souring relations between the victim nation and the purported attacker. “There’s a lot of cloak and dagger when it comes to this sort of thing because they know that investigators are going to look through their code and try to determine what hacker group wrote it,” said Adams. “Even if [U.S. Secretary of State] Mike Pompeo comes out and says it was the Russians—was it? We don’t know.”
Essentially, an incident response in the event of a cyberattack constitutes a forensic investigation. Before any investigation can get underway, IT experts must ensure the hackers have been purged from the compromised system. “Doing any kind of investigation when threat actors are still in there does you no good because they can go back and continue messing with you, compromising systems and deleting logs,” Adams explained. “You kick them out and they come right back in.”
Usually, a third-party consultant is called upon to inspect the entire computer network for any malware or spyware left by the hackers. Log files are instrumental in reconstructing the events of the breach to understand what really happened. These are computer-generated data files that contain information about usage patterns and activity within an operating system, server, or application.
“It really is like a CSI investigation,” said Adams. “They have to basically reconstruct the breach timeline based on all of that log information, and that can be extremely difficult because a lot of times, threat actors will either change the logs or just delete them entirely.”
Some companies and government entities store their logs offsite with a third-party database administrator to avoid log tampering. If the victim of a cyberattack does not maintain log files, or the files have been deleted and are unrecoverable, it’s “virtually impossible” for investigators to trace what happened and who was responsible.
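One way a defender makes edited or deleted log entries detectable, as an added illustration that is not from the article or from SolarWinds: each entry's digest commits to the previous digest, and the latest digest is copied offsite, so a local edit, a deleted entry, or a truncated tail shows up on verification. The log lines, seed value, and function names are constructed for this example.

```python
import hashlib

# Constructed sample log lines for the example (not real incident data).
SAMPLE_LOG = [
    "2020-03-26T10:01:00Z sshd: Accepted password for svc_backup from 10.0.0.7",
    "2020-03-26T10:01:12Z sudo: svc_backup : COMMAND=/bin/cat /etc/shadow",
    "2020-03-26T10:02:45Z sshd: Accepted password for svc_backup from 10.0.0.7",
    "2020-03-26T10:03:10Z audit: /var/log/auth.log truncated by pid 4412",
]
SEED = "log-chain-v1"  # constructed; in practice a per-host secret or fixed anchor


def _link(prev_digest, line):
    # Each entry's digest covers the previous digest, so order and content are bound.
    return hashlib.sha256((prev_digest + "\n" + line).encode()).hexdigest()


def chain_log(lines, seed=SEED):
    """Return a list of (line, digest) pairs forming a hash chain over the lines."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    entries = []
    for line in lines:
        prev = _link(prev, line)
        entries.append((line, prev))
    return entries


def verify_chain(entries, seed=SEED):
    """Recompute the chain; return (True, None) or (False, index of first bad entry)."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    for i, (line, digest) in enumerate(entries):
        if _link(prev, line) != digest:
            return False, i  # entry i was edited, or an earlier entry was removed
        prev = digest
    return True, None


def matches_offsite(entries, offsite_head):
    """Detect tail truncation: the local head must equal the digest stored offsite."""
    local_head = entries[-1][1] if entries else None
    return local_head == offsite_head


if __name__ == "__main__":
    entries = chain_log(SAMPLE_LOG)
    offsite_head = entries[-1][1]           # what the offsite copy recorded
    print("intact:", verify_chain(entries))  # (True, None)
    deleted = [entries[0]] + entries[2:]     # attacker removes the sudo entry
    print("deleted entry:", verify_chain(deleted))         # (False, 1)
    print("tail cut:", matches_offsite(entries[:-1], offsite_head))  # False
```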
“There are stories out there [about the SolarWinds hack] and just sifting through all of the noise and trying to figure out what exactly happened and how bad it was is daunting,” said Adams.
“SolarWinds is obviously being very careful about what they tell the public because the last thing they want is to say something that’s not true. Organizations that are breached like this are motivated to minimize the impact.”
Since you’re here…Interested in a career in cybersecurity? With our Cybersecurity Bootcamp, you’ll get a job in the industry, or we’ll return your tuition money. Test your skills with our free cybersecurity learning path, and check out our student reviews. We’re a safe bet. 🔒😉