This week, several major United States government agencies—including the Departments of Homeland Security, Commerce, Treasury, and State—discovered that their digital systems had been breached by Russian hackers in a months-long espionage operation. The breadth and depth of the attacks will take months, if not longer, to fully understand. But it’s already clear that they represent a moment of reckoning, both for the federal government and the IT industry that supplies it.
As far back as March, Russian hackers apparently compromised otherwise mundane software updates for a widely used network monitoring tool, SolarWinds Orion. By gaining the ability to modify and control this trusted code, the attackers could distribute their malware to a vast array of customers without detection. Such “supply chain” attacks have been used in government espionage and destructive hacking before, including by Russia. But the SolarWinds incident underscores the impossibly high stakes of these incidents—and how little has been done to prevent them.
“I liken it to other types of disaster recovery and contingency planning in both the government and the private sector,” says Matt Ashburn, national security engagement lead at the web security firm Authentic8, who was formerly chief information security officer at the National Security Council. “Your whole goal is to maintain operations when there’s an unexpected event. Yet when the pandemic started this year, no one seemed prepared for it, everyone was scrambling. And supply chain attacks are similar—everyone knows about it and is aware of the risk, we know that our most advanced adversaries engage in this type of activity. But there has not been that concerted focus.”
The recriminations came soon after the attacks were revealed, with US senators Ron Wyden (D-Oregon) and Sherrod Brown (D-Ohio) directing pointed questions at Treasury Secretary Steve Mnuchin in Congress about that department’s preparedness and response. “As we learned in the NotPetya attacks, software supply chain attacks of this nature can have devastating and wide-ranging effects,” said Senator Mark Warner (D-Virginia), vice chair of the Senate Intelligence Committee, in a separate statement on Monday. “We should make clear that there will be consequences for any broader impact on private networks, critical infrastructure, or other sensitive sectors.”
The US has invested heavily in threat detection; a multibillion-dollar system known as Einstein patrols the federal government’s networks for malware and indications of attack. But as a 2018 Government Accountability Office report detailed, Einstein is effective at identifying known threats. It’s like a bouncer who keeps out everyone on their list, but turns a blind eye to names they don’t recognize.
That made Einstein inadequate in the face of a sophisticated attack like Russia’s. The hackers used their SolarWinds Orion backdoor to gain access to target networks. They then sat quietly for up to two weeks before very carefully and intentionally moving within victim networks to gain deeper control and exfiltrate data. Even in that potentially more visible phase of the attacks, they worked diligently to conceal their actions.
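The limitation described above, a sensor that only recognizes names already on its list, can be shown in a few lines. The following Python is an added illustration, not code from the article or from any government system: it runs a blocklist check and a first-seen baseline check side by side over a constructed outbound-connection log. Every host name, domain and timestamp in it is invented for the example, and the fourteen-day baseline window is an assumption chosen to mirror the dwell time the article mentions.

```python
"""Contrast signature matching with a first-seen baseline check.

Constructed example: the log lines, host names and domains below are
invented for illustration and are not indicators from any real incident.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed outbound-connection log: timestamp, host, destination domain
LOG = """\
2020-03-01T09:00:00 srv-01 updates.example-vendor.test
2020-03-01T09:05:00 srv-01 time.example-ntp.test
2020-03-02T10:00:00 srv-02 updates.example-vendor.test
2020-03-03T11:00:00 srv-01 known-bad.example.test
2020-03-20T03:12:00 srv-01 cdn-metrics.example-unknown.test
2020-03-20T03:15:00 srv-02 updates.example-vendor.test
"""

# The "known threats" list a signature-based sensor would hold (constructed)
BLOCKLIST = {"known-bad.example.test"}


def parse_log(text):
    """Turn the whitespace-separated log into (datetime, host, destination) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dest = line.split()
        events.append((datetime.fromisoformat(ts), host, dest))
    return events


def signature_hits(events, blocklist):
    """Return the events whose destination is on the known-bad list.

    This is all a list-driven sensor can see: a destination not on the list
    passes untouched, however unusual it is for that host.
    """
    return [(ts, host, dest) for ts, host, dest in events if dest in blocklist]


def first_seen_anomalies(events, baseline_days=14):
    """Flag destinations a host contacts for the first time after the baseline window.

    The baseline is the first `baseline_days` of the log (an assumed window);
    anything a host talks to later that it never talked to during the baseline
    is flagged, whether or not it appears on any list. The blind spot is the
    mirror image of the blocklist's: traffic already present during the
    baseline is learned as normal.
    """
    if not events:
        return []
    events = sorted(events)
    cutoff = events[0][0] + timedelta(days=baseline_days)
    seen = defaultdict(set)
    flagged = []
    for ts, host, dest in events:
        if ts < cutoff:
            seen[host].add(dest)
        elif dest not in seen[host]:
            flagged.append((ts, host, dest))
            seen[host].add(dest)
    return flagged


if __name__ == "__main__":
    evts = parse_log(LOG)
    print("blocklist hits:", [d for _, _, d in signature_hits(evts, BLOCKLIST)])
    print("first-seen after baseline:", [(h, d) for _, h, d in first_seen_anomalies(evts)])
```

Run against the constructed log, the blocklist catches only the listed domain, while the baseline check surfaces the never-before-seen destination that srv-01 reaches on day twenty and says nothing about the listed domain it learned as normal. Neither check alone is sufficient; the point is that a sensor built only on the first kind has no view of the second.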
“This is a reckoning for sure,” says Jake Williams, a former NSA hacker and founder of the security firm Rendition Infosec. “It’s inherently so hard to address, because supply chain attacks are ridiculously difficult to detect. It’s like the attacker teleports in there out of nowhere.”
On Tuesday, the GAO publicly released another report, one that it had distributed within the government in October: “Federal Agencies Need to Take Urgent Action to Manage Supply Chain Risks.” By then, the Russian assault had been active for months. The agency found that none of the 23 agencies it looked at had implemented all seven fundamental best practices for cyberdefense it had identified. A majority of agencies hadn’t implemented any at all.
The supply chain problem—and Russia’s hacking spree—is not unique to the US government. SolarWinds has said that as many as 18,000 customers were vulnerable to the hackers, who managed to infiltrate even the high-profile cybersecurity firm FireEye.