In the USA, this is considered to be one of the largest espionage cases in recent years. Five ministries in Donald Trump’s administration are said to have fallen victim to the attack, including the State Department and the Department of Homeland Security. US Secretary of State Mike Pompeo is already blaming Russian intelligence. But even in Germany, it is becoming increasingly clear that some authorities are worried about their sensitive data. In this country too, the cyber attackers could have managed to break into government computers in several places.
For days, experts from the Federal Office for Information Security (BSI) have been consulting with police and intelligence experts at the National Cyber Defense Center, and some employees have been called back from vacation. The question is how many institutions in Germany have used a software called Orion from the Texan manufacturer Solar Winds. It is known that Siemens and Deutsche Telekom, for example, use this program. But individual authorities have also been Orion customers, as the BSI confirmed on Monday.
An update is infected – but who downloaded it?
The anonymous attackers seem to have succeeded in smuggling specially programmed malicious code into an update of this program. Only this update is infected. Right up to the Federal Intelligence Service, the security authorities are now checking how many government agencies downloaded this Orion update in March of this year – with the result that anonymous attackers may have been browsing their emails for months without being recognized.
“According to the current state of knowledge, the number of those affected is low,” says a spokeswoman for the BSI. But it is a “powerful new attack vector that we take seriously and analyze with high pressure”. Companies and authorities are advised not only to quickly install the repair programs offered, the so-called patches, with which security gaps can be closed. But also to analyze whether the vulnerability was actually used as a gateway by hackers.
The problem has been known for almost two weeks. On December 8, the American cybersecurity company Fire Eye first reported that unknown hackers had broken into its system. As a result, Fire Eye began to expose the hackers’ entire campaign. According to Fire Eye boss Kevin Mandia, 18,000 companies worldwide downloaded the infected Orion update in March. In other words, in all of these cases, doors would have remained open to the hackers unnoticed. Evidence that hackers really did penetrate has so far only been found in around 50 organizations.
There is much evidence of a state-sponsored attacker
Mandia told the US news broadcaster CBS that the attackers initially started a test run in October 2019. At that time they also made minor changes to an update from Solar Winds, but apparently only to see whether their plan would work. In March, the actual malicious code was finally distributed. Experts call this type of hacking a “supply chain attack” because the victims do not need to be attacked individually. Instead, the infrastructure of a single company is hijacked, which then distributes the malicious code without knowing it.
There is much evidence of a highly professional, well-equipped and state-supported attacker. Few states have shown in the past that they are capable of cyber espionage campaigns at this level. These are the US itself, Russia and China. In view of the concerns that German authorities are now worrying, opposition politicians are also criticizing the federal government’s cyber defense. Konstantin von Notz, Vice-President of the Greens in the Bundestag, speaks of a “homemade problem”: “The Federal Government has been talking about cyber threats for years, and little has been done. The legislation in Germany is not up to date.”
The FDP domestic politician Stephan Thomae points out that attacks like the Orion hack, which would “fit into Russia’s long-term strategy to destabilize Western states”, can be expected at any time. All the more incomprehensible is “the deliberate keeping open of software security gaps, as the federal government does for its state trojan”. Whether there really is a clear lead to Russia is one of the questions that must be clarified in the National Cyber Defense Center. As well as the question of what information the attackers were targeting.