A to Russian intelligence goes beyond a tainted software update from IT monitoring company SolarWinds, according to lawmakers and the heads of tech companies caught up in the hack. The hackers used a variety of legitimate software and cloud hosting services to access the systems of nine federal agencies and 100 private companies.attributed
The hackers used Amazon Web Services cloud hosting to disguise their intrusions as benign network traffic, lawmakers said Tuesday at a Senate Intelligence Committee hearing. Additionally, the hackers didn't use the malware planted in SolarWinds' Orion products to breach nearly a third of the victims. Instead they had access to other hacking techniques, all of which investigators are still unraveling, according to the lawmakers and Microsoft President Brad Smith, SolarWinds CEO Sudhakar Ramakrishna, CrowdStrike CEO George Kurtz and FireEye CEO Kevin Mandia.
Amazon was invited to testify at the hearing but didn't send a representative. The company reportedly confirmed the hackers' use of AWS systems in the malware campaign. Amazon doesn't use SolarWinds software and wasn't infected with the malware.
Austin, Texas-based SolarWinds sells software that lets an organization see what's happening on its computer networks. In the attack, hackers inserted malicious code into an update of Orion, the company's software platform. Around 18,000 SolarWinds customers installed the tainted update onto their systems, the company said, and hackers chose a select number of them to infiltrate further.
Microsoft and FireEye, a cybersecurity firm, were both broad reach into impacted systems. Microsoft says the hackers didn't access any of its own critical systems, but Smith said Tuesday that the company has notified 60 of its business customers they had been targeted in the SolarWinds hacking campaign.by the hackers behind the malicious software update, which had the potential to give hackers
Still unknown is whether the hackers carried out similar attacks on software vendors other than SolarWinds, creating more than one back door for their victims to unwittingly install on their own systems. Hackers also could have used more rudimentary approaches to breach target systems, including phishing or guessing passwords for administrator accounts with high levels of access to company systems.
Smith said we may never know the exact number of attack vectors hackers used to access victims' systems. He went on to say it would make sense to create a requirement for companies to bring breaches to the attention of the federal government, which said it was investigating the breach as "significant and ongoing" in December.
More information is likely to emerge about the compromises and their aftermath. Here's what you need to know about the hacks:
How did hackers sneak malware into a software update?
Hackers managed to access a system that SolarWinds uses to put together updates to its Orion product, the company explained in a Dec. 14 filing with the SEC. From there, they inserted malicious code into otherwise legitimate software update. This is known as a supply-chain attack because it infects software as it's under assembly.
It's a big coup for hackers to pull off a supply-chain attack because it packages their malware inside a trusted piece of software. Hackers typically have to exploit unpatched software vulnerabilities on their targets' systems to gain access, or trick individual targets into downloading malicious software with a phishing campaign. With a supply chain attack, the hackers could rely on several government agencies and companies to install the Orion update at SolarWinds' prompting.
The approach is especially powerful in this case because thousands of companies and government agencies around the world reportedly use the Orion software. With the release of the tainted software update, SolarWinds' vast customer list became potential hacking targets.
Did hackers use the tainted SolarWinds update in every breach?
No. According to government investigators, the hackers used other techniques to breach target systems in 30 percent of the breaches discovered. Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency told The Wall Street Journal on Jan. 29 that hackers used a variety of creative techniques to carry out the hacking campaign.
"It is absolutely correct that this campaign should not be thought of as the SolarWinds campaign," he said.
This followed a Jan. 27 blog post from cybersecurity firm Malwarebytes saying the same hackers had penetrated the company's systems, but not through the poisoned SolarWinds update. Instead, the hackers gained entry to Microsoft services running on Malwarebytes' systems by abusing third party apps with privileged access to Office 365 and Azure products.
At the Senate Intelligence Committee hearing on Feb. 23, Microsoft President Brad Smith said it may never be known how many attack vectors the hackers used in the series of breaches. Additionally, hackers used Amazon Web Services cloud hosting to run programs that communicated with and controlled the malicious code they installed on victimized systems.
Amazon didn't send a representative to testify at the hearing. The company confirmed that the hackers used its infrastructure, and clarified that Amazon doesn't use SolarWinds software products and wasn't infected with the malware.
What do we know about Russian involvement in the compromise of SolarWinds' systems?
US intelligence officials have publicly blamed the supply-chain attack targeting SolarWinds' internal systems on Russia. The FBI and NSA joined the Cybersecurity and Infrastructure Security Agency and the Office of the Director of National Intelligence on Jan. 5 in saying the hack was "likely Russian in origin," but stopped short of naming a specific hacking group or Russian government agency as being responsible.
The joint intelligence statement followed remarks from then-Secretary or State Mike Pompeo in a Dec. 18 interview in which he attributed the hack to Russia. Additionally, news outlets had cited government officials throughout the previous week who said a Russian hacking group is believed to be responsible for the malware campaign. This countered speculation by then-President Donald Trump that China might be behind the attack.
SolarWinds and cybersecurity firms have attributed the hack to "nation-state actors" but haven't named a country directly.
In a Dec. 13 statement on Facebook, the Russian embassy in the US denied responsibility for the SolarWinds hacking campaign. "Malicious activities in the information space contradict the principles of the Russian foreign policy, national interests and our understanding of interstate relations," the embassy said, adding, "Russia does not conduct offensive operations in the cyber domain."
Nicknamed APT29 or CozyBear, the hacking group pointed to by news reports has previously been blamed for targeting email systems at the State Department and White House during the administration of President Barack Obama. It was also named by US intelligence agencies as one of the groups thatof the , but the leaking of those emails isn't attributed to CozyBear. (Another Russian agency was blamed for that.)
More recently, the US, UK and Canada have identified the group as responsible for hacking efforts that tried to access.
Which government agencies were affected by hacking campaign?
According to reports from Reuters, The Washington Post and The Wall Street Journal, the update containing malware affected the US departments of Homeland Security, State, Commerce and Treasury, as well as the National Institutes of Health. Politico reported on Dec. 17 that nuclear programs run by the US Department of Energy and the National Nuclear Security Administration were also targeted.
Reuters reported on Dec. 23 that CISA has added local and state governments to the list of victims. According to CISA's website, the agency is "tracking a significant cyber incident impacting enterprise networks across federal, state, and local governments, as well as critical infrastructure entities and other private sector organizations."
It's still unclear what information, if any, was stolen from government agencies, but the amount of access appears to be broad.
Though the Energy Department and the Commerce Department and Treasury Department have acknowledged the hacks, there's no official confirmation that other specific federal agencies have been hacked. However, the Cybersecurity and Infrastructure Security Agency put out an advisory urging federal agencies to mitigate the malware, noting that it's "currently being exploited by malicious actors."
In a statement on Dec. 17, then-President-elect Joe Biden said his administration would "make dealing with this breach a top priority from the moment we take office." On Dec. 23, the Washington Post reported that the Biden administration is preparing sanctions against Russia for its alleged actions, on the basis that the hacking campaign went beyond typical espionage efforts because it was "indiscriminate" in who it hit with the tainted software update.
Why is the supply-chain hack a big deal?
In addition to gaining access to several government systems, the hackers turned a run-of-the-mill software update into a weapon. That weapon was pointed at thousands of groups, not just the agencies and companies that the hackers focused on after they installed the tainted Orion update.
On Dec. 17, Microsoft's Smith called this an "act of recklessness" in a wide-ranging blog post that explored the ramifications of the hack. He didn't directly attribute the hack to Russia but described its previous alleged hacking campaigns as proof of an increasingly fraught cyber conflict.
"This is not just an attack on specific targets," Smith said, "but on the trust and reliability of the world's critical infrastructure in order to advance one nation's intelligence agency." He went on to call for international agreements to limit the creation of hacking tools that undermine global cybersecurity.
Former Facebook cybersecurity chief Alex Stamos said Dec. 18 on Twitter that the hack could lead to supply-chain attacks becoming more common. However, he questioned whether the hack was anything out of the ordinary for a well-resourced intelligence agency.
"So far, all of the activity that has been publicly discussed has fallen into the boundaries of what the US does regularly," Stamos tweeted.
Which private companies were hit with the malware?
Microsoft confirmed on Dec. 17 that it found indicators of the malware in its systems, after confirming several days earlier that the breach was affecting its customers. A Reuters report also said that Microsoft's own systems were used to further the hacking campaign, but Microsoft denied this claim to news agencies. On Dec. 16, the company began quarantining the versions of Orion known to contain the malware, in order to cut hackers off from its customers' systems.
FireEye also confirmed that it was infected with the malware and was seeing the infection in customer systems as well.
On Dec. 21, The Wall Street Journal said it had uncovered at least 24 companies that had installed the malicious software. These include tech companies Cisco, Intel, Nvidia, VMware and Belkin, according to the Journal. The hackers also reportedly had access to the California Department of State Hospitals and Kent State University.
It's unclear which of SolarWinds' other private sector customers saw malware infections. The company's customer list includes large corporations, such as AT&T, Procter & Gamble and McDonald's. The company also counts governments and private companies around the world as customers. FireEye says many of those customers were infected.
Is this the only hacking campaign exploiting SolarWinds software?
SolarWinds has also come under scrutiny for vulnerabilities in its software. These are coding errors and aren't the result of attackers entering SolarWinds systems to implant malware. Instead, hackers must access victim systems and then exploit the flaws in Orion software running there.
In December, security researchers said forensic investigations of Orion software on systems affected by the tainted update also showed signs that a completely distinct group of attackers was also targeting organizations through Orion. On Feb. 2, Reuters reported that government officials believe a group of suspected Chinese hackers had hacked federal government agencies using a software flaw in Orion. A spokesman for the US Department of Agriculture's National Finance Center disputed Reuters' report that hackers had breached its systems.
On Feb. 3, researchers from cybersecurity firm Trustwave released information on three vulnerabilities in SolarWinds' software products. The bugs have been patched, and there's no indication they were used in any hacking attacks.
Correction, Dec. 23: This story has been updated to clarify that SolarWinds makes IT management software. An earlier version of the story misstated the purpose of its products.