Christmas 2020 was a disaster for many IT security experts in the US, and not just because of the pandemic. Instead of spending the holidays with their families, they searched their companies’ computer networks for digital intruders. John Hultquist laughs heartily when asked about his share of the blame for the ruined Christmas. “Yes, there is something to it. It was foreseeable that this would be quite annoying for many security teams.” Hultquist is a vice president at the IT security company FireEye. Despite the consequences for their colleagues’ holidays, FireEye had no choice when it shook up the IT security industry in mid-December. What Hultquist and his colleagues had discovered was one of the largest hacker attacks in US history.
Suspected Russian hackers had smuggled themselves into widely used software. SolarWinds’ Orion program helps companies keep track of all the devices on their network. It sits deep in the system and is therefore an ideal foothold for hackers. The number of possible victims was gigantic: 300,000 customers use the software, including many government ministries and large companies. The hack came as a shock to a country that sees itself as the number one cyber nation.
A few days earlier, it had looked as if only FireEye had a problem. The infosec scene poured a big bucket of ridicule over the California company when it announced on December 8th that unknown attackers had succeeded in stealing the company’s so-called red team tools. FireEye’s own hackers use these attack tools when they attack other companies on those companies’ behalf, to check for vulnerabilities in their digital defenses. The “red team” is the attacker in hacking simulations; the “blue team” defends. For FireEye it was embarrassing that hackers could steal precisely these tools.
The intruders were only noticed because they had tried to register new devices for two-factor authentication. Employees who log into the FireEye network must enter, in addition to their password, a one-time code that is generated on their mobile phone. Every new device an employee uses must be approved by the security team. In this case, too, IT contacted the employee for whom a new cell phone had been registered. But he did not have a new phone. At that moment it was clear: FireEye had been hacked.
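The control that exposed the intruders, as an added example (not code from the article or from FireEye): every MFA device enrollment is matched against an out-of-band confirmation from the named user, and an enrollment the user denies is treated as a compromised credential. The event records are constructed for the demo.

```python
# Constructed identity-provider events (not real FireEye logs): MFA device enrollments
# plus the out-of-band answer the security team collected from each user.
EVENTS = [
    {"ts": "2020-11-30T08:12Z", "type": "mfa_enroll", "user": "alice", "device": "phone-a1", "ip": "10.0.4.21"},
    {"ts": "2020-11-30T08:20Z", "type": "user_confirm", "user": "alice", "device": "phone-a1", "confirmed": True},
    {"ts": "2020-12-01T23:41Z", "type": "mfa_enroll", "user": "bob", "device": "phone-z9", "ip": "203.0.113.77"},
    {"ts": "2020-12-02T09:05Z", "type": "user_confirm", "user": "bob", "device": "phone-z9", "confirmed": False},
    {"ts": "2020-12-02T10:00Z", "type": "mfa_enroll", "user": "carol", "device": "phone-c3", "ip": "10.0.4.33"},
]


def triage_enrollments(events):
    """Split enrollments into (disputed, pending).

    disputed: the named user says the device is not theirs -> treat the account as
              compromised and start incident response (this is what caught the intruders).
    pending:  no confirmation yet -> the device must not be trusted until the user answers.
    """
    confirmations = {}
    for e in events:
        if e["type"] == "user_confirm":
            confirmations[(e["user"], e["device"])] = e["confirmed"]

    disputed, pending = [], []
    for e in events:
        if e["type"] != "mfa_enroll":
            continue
        key = (e["user"], e["device"])
        if key not in confirmations:
            pending.append(e)
        elif confirmations[key] is False:
            disputed.append(e)
    return disputed, pending


if __name__ == "__main__":
    disputed, pending = triage_enrollments(EVENTS)
    for e in disputed:
        print(f"INCIDENT: {e['user']} denied enrolling {e['device']} from {e['ip']} at {e['ts']}")
    for e in pending:
        print(f"FOLLOW UP: confirm {e['device']} with {e['user']} before trusting it")
```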
“A-Team” against unknown hackers
In retrospect, the attack on his company was probably a mistake by the hackers, says Hultquist, because FireEye’s honor was at stake. FireEye is not just any company. Many in the industry consider the company’s incident response teams to be the best. These teams secure evidence in companies and governments after they have been hacked. This time their own house had been attacked, which gave additional motivation: “We put together an absolute A-team that worked around the clock,” says Hultquist. Only a few days later, the team found the malware responsible in a file belonging to the SolarWinds Orion program. The malware had arrived in FireEye’s systems months earlier, in the simplest of all possible ways: through a software update, certified and downloaded via the normal SolarWinds update server.
The attack on the software supply chain gave the hackers access to thousands of companies in one fell swoop: 18,000 SolarWinds customers downloaded the infected update. However, there were apparently only a few, very prominent targets in which the hackers actually used the backdoor to spy: Microsoft, Intel, Cisco, Nvidia and of course FireEye, plus a number of US government agencies. What exactly the spies discovered and what secrets they stole is in many cases still unclear; the investigations are ongoing. The US Department of Justice, however, recently announced that the hackers had access to at least three percent of the department’s email inboxes.
The fact that Joe Biden, like his predecessor Donald Trump, has to grapple with the effects of a suspected Russian hacker attack at the beginning of his term of office is not without a certain irony. Because of the experience with the Russian influence campaign of 2016, when hackers penetrated the Democratic Party’s systems, the US had massively increased security for the election. The hack of the Democrats’ emails and the subsequent publication of internal documents on WikiLeaks are, after all, considered one reason for Hillary Clinton’s defeat by Trump.
Was the US distracted?
So did the US neglect other security measures during the election year? John Hultquist does not think that had any impact. The attack was so ingenious that it almost slipped past even the FireEye professionals. “The US expects private companies to fend off the best intelligence agencies in the world. This is a persistent, well-armed, well-organized, state-backed attacker.” Successfully defending against that is something that can hardly be expected of companies.
IT security experts go into raptures when asked about the details of the SolarWinds hack. Even the injected code itself is technically interesting, says Holger Unterbrink, who researches IT security for Cisco’s Talos research group. What is really remarkable, however, is how the hackers protected themselves from discovery. To stay hidden, they did not change the source code of the new SolarWinds files, since that might have been noticed during a code review. Instead they waited for the moment when the source code was assembled into an executable file. At that very moment, they temporarily slipped their own version of the code into the compilation process. The developers had hardly any chance of discovering them.
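As an added illustration (not code from the article, FireEye or SolarWinds) of why a validly signed update proved nothing here: the toy build function below stands in for the compiler, a constructed HMAC key stands in for the vendor’s code-signing certificate, and the implant is inserted only into the build output. The signature still verifies, because the vendor signs whatever its hijacked build emitted; only an independent rebuild from the reviewed source reveals the mismatch.

```python
import hashlib
import hmac

# Constructed toy source tree standing in for the reviewed vendor source.
SOURCE = {
    "main.c": b"int main(void) { return 0; }\n",
    "util.c": b"int add(int a, int b) { return a + b; }\n",
}
# Constructed signing key; stands in for the vendor's code-signing certificate.
VENDOR_KEY = b"constructed-demo-signing-key"


def build(source: dict) -> bytes:
    """Deterministic stand-in for a compiler: source in, artifact bytes out."""
    return b"".join(name.encode() + b"\0" + body for name, body in sorted(source.items()))


def compromised_build(source: dict) -> bytes:
    """Build step with a hook that adds an implant to the compiled output only.
    The source tree is untouched, so a source review sees nothing."""
    return build(source) + b"\n/* implant */"


def sign(artifact: bytes) -> bytes:
    return hmac.new(VENDOR_KEY, artifact, hashlib.sha256).digest()


def verify_signature(artifact: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(artifact), sig)


def verify_reproducible(artifact: bytes, source: dict) -> bool:
    """Independent rebuild: does the shipped binary match what the reviewed source produces?"""
    return hashlib.sha256(artifact).digest() == hashlib.sha256(build(source)).digest()


def check_update(artifact: bytes, sig: bytes, source: dict) -> dict:
    return {
        "signature_valid": verify_signature(artifact, sig),
        "matches_source": verify_reproducible(artifact, source),
    }


def demo():
    clean = build(SOURCE)
    tampered = compromised_build(SOURCE)
    # The vendor's pipeline signs whatever its build system emitted, implant included.
    return check_update(clean, sign(clean), SOURCE), check_update(tampered, sign(tampered), SOURCE)


if __name__ == "__main__":
    print(demo())
```

The signature check alone accepts both artifacts; only the rebuild comparison flags the tampered one.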
“What the attackers did there is pretty cool, if not necessarily new,” says the South African hacker “the Grugq”. Hardly anyone knows his real name. The IT security expert, who lives in Bangkok, is familiar with the working methods of international intelligence services: until a few years ago he sold them software vulnerabilities for a generous commission. The Grugq is one of the few real celebrities on the IT security scene. More than 100,000 people follow his tweets on global cyber threats on Twitter, where he shows a photo of the film samurai Kambei Shimada instead of his face. The Grugq also has a clear opinion on the SolarWinds hack: “Cyber espionage is a constant competition,” he writes to SZ. A competition in which the US is used to being on the winning side. “If the other side then manages to score a clear goal, it is a bit embarrassing for the USA.”
“Wipe your mouth, carry on”
US intelligence services believe the attackers came from a branch of the Russian intelligence services; the Kremlin denies this. Some US politicians are already calling for retaliation. The Democratic Senator Richard Durbin has gone furthest: in the hierarchy of the US Senate, Durbin is number two behind Chuck Schumer. A few days after the hack was exposed, Durbin told CNN: “This is almost a declaration of war by Russia.” The choice of words was interesting and possibly not entirely unintentional. Durbin’s words were: “This is virtually a declaration of war.” Was it a virtual declaration of war or nearly a declaration of war? The Grugq waves it away: “Russia has delivered a good espionage operation and the US has lost. That happens.” His advice to the US: “Take the L and move on.” The L stands for loss. Translated, one would say: wipe your mouth, carry on.
One thing, however, is clear after the big hack: cyber espionage against targets in the USA is much more widespread than assumed. In January, the Wall Street Journal reported, citing the acting head of the cybersecurity agency CISA, that the same attackers did not only use the SolarWinds hole to infiltrate US networks: 30 percent of the victims were hacked in other ways, whether by guessing passwords or through other loopholes in known software. Among the companies compromised in this way was the IT security company Malwarebytes. In addition, other groups appear to have used the vulnerability in SolarWinds software. This week, Reuters reported that a Chinese group also used the vulnerability in the Orion software to break into US government departments.
FireEye Vice President John Hultquist sees the operation less as an act of cyber war. The attack surface was potentially huge, but of the 18,000 possible targets the spies only moved on into a few dozen. The SolarWinds customers to whom this happened were all classic espionage targets: Microsoft and its cloud service 365, important ministries. Hultquist does not share the fear of some experts that the attackers might have wanted to gain access in order to cause damage later with a large-scale data-wiping campaign.
A clear reaction from Joe Biden’s new administration to the espionage activities is still pending. The President has instructed the intelligence services to provide a detailed analysis of the attacks, the White House said. Spokeswoman Jen Psaki said: “We reserve the right to respond to cyberattacks at any time and in any way.”
That sounds threatening. Experts like the Grugq doubt that the reaction will be very vehement. The reason is simple: “There is no norm violated here that the US would accept as a limit for its own operations.” And those espionage operations of its own are numerous and often successful. Successful US hacks are rarely reported from Russia or China. This creates a distorted picture in the Western public, as if the USA were only ever the victim. When it comes to successful cyber espionage missions, however, the US is still in a league of its own.